Updated firefox, nspr, nss packages fix security vulnerability
Publication date: 04 Nov 2015Modification date: 04 Nov 2015
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-4513 , CVE-2015-7181 , CVE-2015-7182 , CVE-2015-7183 , CVE-2015-7188 , CVE-2015-7189 , CVE-2015-7193 , CVE-2015-7194 , CVE-2015-7196 , CVE-2015-7197 , CVE-2015-7198
Description
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196,
CVE-2015-7198, CVE-2015-7197)
A same-origin policy bypass flaw was found in the way Firefox handled
certain cross-origin resource sharing (CORS) requests. A web page
containing malicious content could cause Firefox to disclose sensitive
information. (CVE-2015-7193)
A same-origin policy bypass flaw was found in the way Firefox handled URLs
containing IP addresses with white-space characters. This could lead to
cross-site scripting attacks. (CVE-2015-7188)
A use-after-poison flaw and a heap-based buffer overflow flaw were found in
the way NSS parsed certain ASN.1 structures. An attacker could use these
flaws to cause NSS to crash or execute arbitrary code with the permissions
of the user running an application compiled against the NSS library.
(CVE-2015-7181, CVE-2015-7182)
A heap-based buffer overflow was found in NSPR. An attacker could use this
flaw to cause NSPR to crash or execute arbitrary code with the permissions
of the user running an application compiled against the NSPR library.
(CVE-2015-7183)
Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE,
PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuilt against the fixed
nspr packages to completely resolve the CVE-2015-7183 issue.
References
- https://bugs.mageia.org/show_bug.cgi?id=17079
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
- https://rhn.redhat.com/errata/RHSA-2015-1981.html
- https://rhn.redhat.com/errata/RHSA-2015-1982.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4513
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7189
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7194
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7196
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7197
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7198
SRPMS
5/core
- firefox-38.4.0-1.mga5
- firefox-l10n-38.4.0-1.mga5
- nspr-4.10.10-1.mga5
- nss-3.20.1-1.mga5
- rootcerts-20151029.00-1.mga5