Updated firefox & thunderbird packages fix multiple vulnerabilities
Publication date: 02 May 2014Modification date: 02 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-1518 , CVE-2014-1523 , CVE-2014-1524 , CVE-2014-1529 , CVE-2014-1530 , CVE-2014-1531 , CVE-2014-1532
Description
Updated firefox and thunderbird packages fix security vulnerabilities:
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1518, CVE-2014-1524, CVE-2014-1529,
CVE-2014-1531).
A use-after-free flaw was found in the way Firefox and Thunderbird resolved
hosts in certain circumstances. An attacker could use this flaw to crash
Firefox or Thunderbird or, potentially, execute arbitrary code with the
privileges of the user running it (CVE-2014-1532).
An out-of-bounds read flaw was found in the way Firefox and Thunderbird
decoded JPEG images. Loading a web page containing a specially crafted JPEG
image could cause Firefox or Thunderbird to crash (CVE-2014-1523).
A flaw was found in the way Firefox and Thunderbird handled browser
navigations through history. An attacker could possibly use this flaw to
cause the address bar of the browser to display a web page name while
loading content from an entirely different web page, which could allow for
cross-site scripting (XSS) attacks (CVE-2014-1530).
References
- http://www.mozilla.org/security/announce/2014/mfsa2014-34.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-37.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-38.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-42.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-43.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-44.html
- http://www.mozilla.org/security/announce/2014/mfsa2014-46.html
- http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
- https://rhn.redhat.com/errata/RHSA-2014-0448.html
- https://rhn.redhat.com/errata/RHSA-2014-0449.html
- https://bugs.mageia.org/show_bug.cgi?id=13293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1518
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1523
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1524
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1529
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1530
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1531
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1532
SRPMS
4/core
- firefox-24.5.0-1.mga4
- firefox-l10n-24.5.0-1.mga4
- thunderbird-24.5.0-1.mga4
- thunderbird-l10n-24.5.0-1.mga4
3/core
- firefox-24.5.0-1.mga3
- firefox-l10n-24.5.0-1.mga3
- thunderbird-24.5.0-1.mga3
- thunderbird-l10n-24.5.0-1.mga3