From owner-svn-ports-head@freebsd.org Tue Jan 24 22:50:19 2017 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 80D91CC03AA; Tue, 24 Jan 2017 22:50:19 +0000 (UTC) (envelope-from jbeich@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 42231E6B; Tue, 24 Jan 2017 22:50:19 +0000 (UTC) (envelope-from jbeich@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v0OMoIMx063459; Tue, 24 Jan 2017 22:50:18 GMT (envelope-from jbeich@FreeBSD.org) Received: (from jbeich@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v0OMoIki063457; Tue, 24 Jan 2017 22:50:18 GMT (envelope-from jbeich@FreeBSD.org) Message-Id: <201701242250.v0OMoIki063457@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jbeich set sender to jbeich@FreeBSD.org using -f From: Jan Beich Date: Tue, 24 Jan 2017 22:50:18 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r432403 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jan 2017 22:50:19 -0000 Author: jbeich Date: Tue Jan 24 22:50:17 2017 New Revision: 432403 URL: https://svnweb.freebsd.org/changeset/ports/432403 Log: security/vuxml: mark Gecko < 51.0/45.7esr as vulnerable Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jan 24 22:38:07 2017 (r432402) +++ head/security/vuxml/vuln.xml Tue Jan 24 22:50:17 2017 (r432403) @@ -58,6 +58,98 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + mozilla -- multiple vulnerabilities + + + firefox + 51.0_1,1 + + + seamonkey + linux-seamonkey + 2.48 + + + firefox-esr + 45.7.0,1 + + + linux-firefox + 45.7.0,2 + + + libxul + thunderbird + linux-thunderbird + 45.7.0 + + + + +

Mozilla Foundation reports:

+
CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
+
CVE-2017-5374: Memory safety bugs fixed in Firefox 51
+
CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
+
CVE-2017-5376: Use-after-free in XSL
+
CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
+
CVE-2017-5378: Pointer and frame data leakage of Javascript objects
+
CVE-2017-5379: Use-after-free in Web Animations
+
CVE-2017-5380: Potential use-after-free during DOM manipulations
+
CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations
+
CVE-2017-5382: Feed preview can expose privileged content errors and exceptions
+
CVE-2017-5383: Location bar spoofing with unicode characters
+
CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
+
CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers
+
CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
+
CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages
+
CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks
+
CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
+
CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
+
CVE-2017-5391: Content about: pages can load privileged about: pages
+
CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage
+
CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager
+
CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events
+
CVE-2017-5395: Android location bar spoofing during scrolling
+
CVE-2017-5396: Use-after-free with Media Decoder
+

+ + + + CVE-2017-5373 + CVE-2017-5374 + CVE-2017-5375 + CVE-2017-5376 + CVE-2017-5377 + CVE-2017-5378 + CVE-2017-5379 + CVE-2017-5380 + CVE-2017-5381 + CVE-2017-5382 + CVE-2017-5383 + CVE-2017-5384 + CVE-2017-5385 + CVE-2017-5386 + CVE-2017-5387 + CVE-2017-5388 + CVE-2017-5389 + CVE-2017-5390 + CVE-2017-5391 + CVE-2017-5392 + CVE-2017-5393 + CVE-2017-5394 + CVE-2017-5395 + CVE-2017-5396 + https://www.mozilla.org/security/advisories/mfsa2017-01/ + https://www.mozilla.org/security/advisories/mfsa2017-02/ + + + 2017-01-24 + 2017-01-24 + + + phpMyAdmin -- Multiple vulnerabilities