
Arch Linux alert ASA-201510-10 (firefox)

From:  Remi Gacogne <rgacogne@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [arch-security] [ASA-201510-10] firefox: cross-origin restriction bypass
Date:  Fri, 16 Oct 2015 11:58:35 +0200
Message-ID:  <5620CA4B.3000308@archlinux.org>

Arch Linux Security Advisory ASA-201510-10
==========================================

Severity: High
Date    : 2015-10-16
CVE-ID  : CVE-2015-7184
Package : firefox
Type    : cross-origin restriction bypass
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package firefox before version 41.0.2-1 is vulnerable to
cross-origin restriction bypass.

Resolution
==========

Upgrade to 41.0.2-1.

# pacman -Syu "firefox>=41.0.2-1"

The problem has been fixed upstream in version 41.0.2.

Workaround
==========

None.

Description
===========

Security researcher Abdulrahman Alqabandi reported that the fetch() API
did not correctly implement the Cross-Origin Resource Sharing (CORS)
specification, allowing a malicious page to access private data from
other origins. Mozilla developer Ben Kelly independently reported the
same issue.

Impact
======

A remote attacker can bypass the cross-origin resource sharing policy to
access sensitive information.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa201...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7184

