
Mageia alert MGASA-2024-0012 (packages)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2024-0012: Updated nss and firefox packages fix security vulnerabilities
Date:  Mon, 15 Jan 2024 11:08:33 +0100
Message-ID:  <20240115100834.3A95E9FCA6@duvel.mageia.org>

MGASA-2024-0012 - Updated nss and firefox packages fix security vulnerabilities

Publication date: 15 Jan 2024
URL: https://advisories.mageia.org/MGASA-2024-0012.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867

Description:
The updated packages fix security vulnerabilities:

Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856)
Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)
Heap buffer overflow in nsTextFragment. (CVE-2023-6858)
Use-after-free in PR_GetIdentitiesLayer. (CVE-2023-6859)
Potential sandbox escape due to VideoBridge lack of texture validation. (CVE-2023-6860)
Clickjacking permission prompts using the popup transition. (CVE-2023-6867)
Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode. (CVE-2023-6861)
Use-after-free in nsDNSService. (CVE-2023-6862)
Undefined behavior in ShutdownObserver(). (CVE-2023-6863)
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. (CVE-2023-6864)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32642
- https://www.mozilla.org/en-US/firefox/115.6.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa202...
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6856
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6857
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6858
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6859
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6860
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6861
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6862
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6863
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6864
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6865
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6867

SRPMS:
- 9/core/nss-3.96.1-1.mga9
- 9/core/firefox-115.6.0-1.mga9
- 9/core/firefox-l10n-115.6.0-1.mga9

