Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 23 Jan 2018 18:43:33 +0000 (UTC)
From:      Jan Beich <jbeich@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r459791 - head/security/vuxml
Message-ID:  <201801231843.w0NIhXxA001693@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jbeich
Date: Tue Jan 23 18:43:33 2018
New Revision: 459791
URL: https://svnweb.freebsd.org/changeset/ports/459791

Log:
  security/vuxml: mark firefox < 58 as vulnerable

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Jan 23 18:18:12 2018	(r459790)
+++ head/security/vuxml/vuln.xml	Tue Jan 23 18:43:33 2018	(r459791)
@@ -58,6 +58,118 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="a891c5b4-3d7a-4de9-9c71-eef3fd698c77">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>58.0_1,1</lt></range>
+      </package>
+      <package>
+	<name>waterfox</name>
+	<range><lt>56.0.3_4</lt></range>
+      </package>
+      <package>
+	<name>seamonkey</name>
+	<name>linux-seamonkey</name>
+	<range><lt>2.49.3</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>52.6.0_1,1</lt></range>
+      </package>
+      <package>
+	<name>linux-firefox</name>
+	<range><lt>52.6.0,2</lt></range>
+      </package>
+      <package>
+	<name>libxul</name>
+	<name>thunderbird</name>
+	<name>linux-thunderbird</name>
+	<range><lt>52.6.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/">;
+	  <p>CVE-2018-5091: Use-after-free with DTMF timers</p>
+	  <p>CVE-2018-5092: Use-after-free in Web Workers</p>
+	  <p>CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing</p>
+	  <p>CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory</p>
+	  <p>CVE-2018-5095: Integer overflow in Skia library during edge builder allocation</p>
+	  <p>CVE-2018-5097: Use-after-free when source document is manipulated during XSLT</p>
+	  <p>CVE-2018-5098: Use-after-free while manipulating form input elements</p>
+	  <p>CVE-2018-5099: Use-after-free with widget listener</p>
+	  <p>CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory</p>
+	  <p>CVE-2018-5101: Use-after-free with floating first-letter style elements</p>
+	  <p>CVE-2018-5102: Use-after-free in HTML media elements</p>
+	  <p>CVE-2018-5103: Use-after-free during mouse event handling</p>
+	  <p>CVE-2018-5104: Use-after-free during font face manipulation</p>
+	  <p>CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts</p>
+	  <p>CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker</p>
+	  <p>CVE-2018-5107: Printing process will follow symlinks for local file access</p>
+	  <p>CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs</p>
+	  <p>CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution</p>
+	  <p>CVE-2018-5110: Cursor can be made invisible on OS X</p>
+	  <p>CVE-2018-5111: URL spoofing in addressbar through drag and drop</p>
+	  <p>CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel</p>
+	  <p>CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow</p>
+	  <p>CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts</p>
+	  <p>CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs</p>
+	  <p>CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access</p>
+	  <p>CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right</p>
+	  <p>CVE-2018-5118: Activity Stream images can attempt to load local content through file:</p>
+	  <p>CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers</p>
+	  <p>CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar</p>
+	  <p>CVE-2018-5122: Potential integer overflow in DoCrypt</p>
+	  <p>CVE-2018-5090: Memory safety bugs fixed in Firefox 58</p>
+	  <p>CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2018-5089</cvename>
+      <cvename>CVE-2018-5090</cvename>
+      <cvename>CVE-2018-5091</cvename>
+      <cvename>CVE-2018-5092</cvename>
+      <cvename>CVE-2018-5093</cvename>
+      <cvename>CVE-2018-5094</cvename>
+      <cvename>CVE-2018-5095</cvename>
+      <cvename>CVE-2018-5097</cvename>
+      <cvename>CVE-2018-5098</cvename>
+      <cvename>CVE-2018-5099</cvename>
+      <cvename>CVE-2018-5100</cvename>
+      <cvename>CVE-2018-5101</cvename>
+      <cvename>CVE-2018-5102</cvename>
+      <cvename>CVE-2018-5103</cvename>
+      <cvename>CVE-2018-5104</cvename>
+      <cvename>CVE-2018-5105</cvename>
+      <cvename>CVE-2018-5106</cvename>
+      <cvename>CVE-2018-5107</cvename>
+      <cvename>CVE-2018-5108</cvename>
+      <cvename>CVE-2018-5109</cvename>
+      <cvename>CVE-2018-5110</cvename>
+      <cvename>CVE-2018-5111</cvename>
+      <cvename>CVE-2018-5112</cvename>
+      <cvename>CVE-2018-5113</cvename>
+      <cvename>CVE-2018-5114</cvename>
+      <cvename>CVE-2018-5115</cvename>
+      <cvename>CVE-2018-5116</cvename>
+      <cvename>CVE-2018-5117</cvename>
+      <cvename>CVE-2018-5118</cvename>
+      <cvename>CVE-2018-5119</cvename>
+      <cvename>CVE-2018-5121</cvename>
+      <cvename>CVE-2018-5122</cvename>
+      <url>https://www.mozilla.org/security/advisories/mfsa2018-02/</url>;
+      <url>https://www.mozilla.org/security/advisories/mfsa2018-03/</url>;
+    </references>
+    <dates>
+      <discovery>2018-01-23</discovery>
+      <entry>2018-01-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="24a82876-002e-11e8-9a95-0cc47a02c232">
     <topic>powerdns-recursor -- insufficient validation of DNSSEC signatures</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201801231843.w0NIhXxA001693>