Date:      Fri, 21 Jun 2019 11:30:19 +0000 (UTC)
From:      Christoph Moench-Tegeder <cmt@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r504787 - head/security/vuxml
Message-ID:  <201906211130.x5LBUJhQ093076@repo.freebsd.org>

Author: cmt
Date: Fri Jun 21 11:30:18 2019
New Revision: 504787
URL: https://svnweb.freebsd.org/changeset/ports/504787

Log:
  document recent Mozilla advisories
  
  MFSA2019-17, MFSA2019-19, MFSA2019-20

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jun 21 11:19:40 2019	(r504786)
+++ head/security/vuxml/vuln.xml	Fri Jun 21 11:30:18 2019	(r504787)
@@ -58,6 +58,126 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="49beb00f-a6e1-4a42-93df-9cb14b4c2bee">
+    <topic>Mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>thunderbird</name>
+	<range><lt>thunderbird-60.7.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/">;
+	  <h1>CVE-2019-11707: Type confusion in Array.pop</h1>
+	  <p>A type confusion vulnerability can occur when manipulating
+	    JavaScript objects due to issues in Array.pop. This can allow
+	    for an exploitable crash. We are aware of targeted attacks in
+	    the wild abusing this flaw.</p>
+	  <h1>CVE-2019-11708: sandbox escape using Prompt:Open</h1>
+	  <p>Insufficient vetting of parameters passed with the
+	    Prompt:Open IPC message between child and parent processes can
+	    result in the non-sandboxed parent process opening web content
+	    chosen by a compromised child process. When combined with
+	    additional vulnerabilities this could result in executing
+	    arbitrary code on the user's computer.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/</url>;
+      <cvename>CVE-2019-11707</cvename>
+      <cvename>CVE-2019-11708</cvename>
+    </references>
+    <dates>
+      <discovery>2019-06-20</discovery>
+      <entry>2019-06-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="39bc2294-ff32-4972-9ecb-b9f40b4ccb74">
+    <topic>Mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>67.0.4,1</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>60.7.2,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/">;
+	  <h1>CVE-2019-11708: sandbox escape using Prompt:Open</h1>
+	  <p>Insufficient vetting of parameters passed with the
+	    Prompt:Open IPC message between child and parent processes
+	    can result in the non-sandboxed parent process opening web
+	    content chosen by a compromised child process. When combined
+	    with additional vulnerabilities this could result in executing
+	    arbitrary code on the user's computer.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/</url>;
+      <cvename>CVE-2019-11708</cvename>
+    </references>
+    <dates>
+      <discovery>2019-06-20</discovery>
+      <entry>2019-06-21</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="98f1241f-8c09-4237-ad0d-67fb4158ea7a">
+    <topic>Mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>thunderbird</name>
+	<range><lt>60.7.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/">;
+	  <h1>CVE-2019-11703: Heap buffer overflow in icalparser.c</h1>
+	  <p>A flaw in Thunderbird's implementation of iCal causes a heap
+	    buffer overflow in parser_get_next_char when processing certain
+	    email messages, resulting in a potentially exploitable crash.</p>
+	  <h1>CVE-2019-11704: Heap buffer overflow in icalvalue.c</h1>
+	  <p>A flaw in Thunderbird's implementation of iCal causes a heap
+	    buffer overflow in icalmemory_strdup_and_dequote when processing
+	    certain email messages, resulting in a potentially exploitable
+	    crash.</p>
+	  <h1>CVE-2019-11705: Stack buffer overflow in icalrecur.c</h1>
+	  <p>A flaw in Thunderbird's implementation of iCal causes a stack
+	    buffer overflow in icalrecur_add_bydayrules when processing
+	    certain email messages, resulting in a potentially exploitable
+	    crash.</p>
+	  <h1>CVE-2019-11706: Type confusion in icalproperty.c</h1>
+	  <p>A flaw in Thunderbird's implementation of iCal causes a type
+	    confusion in icaltimezone_get_vtimezone_properties when
+	    processing certain email messages, resulting in a crash.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/</url>;
+      <cvename>CVE-2019-11703</cvename>
+      <cvename>CVE-2019-11704</cvename>
+      <cvename>CVE-2019-11705</cvename>
+      <cvename>CVE-2019-11706</cvename>
+    </references>
+    <dates>
+      <discovery>2019-06-13</discovery>
+      <entry>2019-06-21</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5b218581-9372-11e9-8fc4-5404a68ad561">
     <topic>vlc -- Double free in Matroska demuxer</topic>
     <affects>
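Review bot: the thunderbird range in the first entry (vid 49beb00f-a6e1-4a42-93df-9cb14b4c2bee) carries the package name inside the version bound, `<lt>thunderbird-60.7.2</lt>`, whereas every other range in this hunk uses a bare version (`<lt>67.0.4,1</lt>`, `<lt>60.7.2,1</lt>`, and `<lt>60.7.1</lt>` for thunderbird in the third entry); the package name does not belong in the version bound, so this should read `<lt>60.7.2</lt>` to match the third entry's thunderbird range. As a lesser style point, the second entry (vid 39bc2294-ff32-4972-9ecb-b9f40b4ccb74) is titled "Mozilla -- multiple vulnerabilities" but documents only CVE-2019-11708; a topic naming the single issue (sandbox escape using Prompt:Open) would describe the entry more accurately.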