Updated firefox & thunderbird packages fix multiple vulnerabilities
Publication date: 02 May 2014Modification date: 02 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-1518 , CVE-2014-1523 , CVE-2014-1524 , CVE-2014-1529 , CVE-2014-1530 , CVE-2014-1531 , CVE-2014-1532
Description
Updated firefox and thunderbird packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1518, CVE-2014-1524, CVE-2014-1529, CVE-2014-1531). A use-after-free flaw was found in the way Firefox and Thunderbird resolved hosts in certain circumstances. An attacker could use this flaw to crash Firefox or Thunderbird or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1532). An out-of-bounds read flaw was found in the way Firefox and Thunderbird decoded JPEG images. Loading a web page containing a specially crafted JPEG image could cause Firefox or Thunderbird to crash (CVE-2014-1523). A flaw was found in the way Firefox and Thunderbird handled browser navigations through history. An attacker could possibly use this flaw to cause the address bar of the browser to display a web page name while loading content from an entirely different web page, which could allow for cross-site scripting (XSS) attacks (CVE-2014-1530).
References
- http://www.mozilla.org/security/announce/2014/mfsa2014-34.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-37.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-38.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-42.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-43.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-44.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-46.html
- http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
- https://rhn.redhat.com/errata/RHSA-2014-0448.html
- https://rhn.redhat.com/errata/RHSA-2014-0449.html
- https://bugs.mageia.org/show_bug.cgi?id=13293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1518
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1523
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1530
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1531
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1532
SRPMS
3/core
- firefox-24.5.0-1.mga3
- firefox-l10n-24.5.0-1.mga3
- thunderbird-24.5.0-1.mga3
- thunderbird-l10n-24.5.0-1.mga3
4/core
- firefox-24.5.0-1.mga4
- firefox-l10n-24.5.0-1.mga4
- thunderbird-24.5.0-1.mga4
- thunderbird-l10n-24.5.0-1.mga4