Mageia alert MGASA-2019-0268 (firefox)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2019-0268: Updated firefox packages fix security vulnerabilities | |
| Date: | Thu, 12 Sep 2019 21:11:01 +0200 | |
| Message-ID: | <20190912191101.7CB149F94F@duvel.mageia.org> |
MGASA-2019-0268 - Updated firefox packages fix security vulnerabilities Publication date: 12 Sep 2019 URL: https://advisories.mageia.org/MGASA-2019-0268.html Type: security Affected Mageia releases: 7 CVE: CVE-2019-9812, CVE-2019-11733, CVE-2019-11735, CVE-2019-11736, CVE-2019-11738, CVE-2019-11740, CVE-2019-11742, CVE-2019-11743, CVE-2019-11744, CVE-2019-11746, CVE-2019-11747, CVE-2019-11748, CVE-2019-11749, CVE-2019-11750, CVE-2019-11751, CVE-2019-11752, CVE-2019-11753 Description: The updated packages fix several bugs and some security issues: Sandbox escape through Firefox Sync. (CVE-2019-9812) Stored passwords in 'Saved Logins' can be copied without master password entry. (CVE-2019-11733) Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1. (CVE-2019-11735) File manipulation and privilege escalation in Mozilla Maintenance Service. (CVE-2019-11736) Content security policy bypass through hash-based sources in directives. (CVE-2019-11738) Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9. (CVE-2019-11740) Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742) Cross-origin access to unload event attributes. (CVE-2019-11743) XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744) Use-after-free while manipulating video. (CVE-2019-11746) 'Forget about this site' removes sites from pre-loaded HSTS list. (CVE-2019-11747) Persistence of WebRTC permissions in a third party context. (CVE-2019-11748) Camera information available without prompting using getUserMedia. (CVE-2019-11749) Type confusion in Spidermonkey. (CVE-2019-11750) Malicious code execution through command line parameters. (CVE-2019-11751) Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752) Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (CVE-2019-11753) References: - https://bugs.mageia.org/show_bug.cgi?id=25359 - https://www.mozilla.org/en-US/firefox/68.0.1/releasenotes/ - https://www.mozilla.org/en-US/firefox/68.0.2/releasenotes/ - https://www.mozilla.org/en-US/firefox/68.1.0/releasenotes/ - https://www.mozilla.org/en-US/security/advisories/mfsa201... - https://www.mozilla.org/en-US/security/advisories/mfsa201... - https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/... - https://developer.mozilla.org/en-US/docs/Mozilla/Projects... - https://groups.google.com/forum/#!topic/mozilla.dev.tech.... - https://access.redhat.com/errata/RHSA-2019:2663 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1... SRPMS: - 7/core/firefox-68.1.0-1.mga7 - 7/core/firefox-l10n-68.1.0-1.mga7 - 7/core/rootcerts-20190820.00-1.mga7 - 7/core/nspr-4.22-1.mga7 - 7/core/nss-3.46.0-1.mga7