Updated firefox & thunderbird packages fix security vulnerabilities
Publication date: 03 Dec 2014
Modification date: 03 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-1569, CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594
Description
Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0, mitigating CVE-2014-3566, also known as POODLE. SSL 3.0 support has also been disabled by default in this Firefox and Thunderbird update, further mitigating POODLE.
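The DER length issue (CVE-2014-1569) comes down to one rule: DER requires every length to be encoded in its shortest possible form, and a decoder that also accepts the longer BER-style encodings can read the same bytes differently from a strict decoder, which is what lets extra data slip through a structure that was supposedly checked. The following is an added example, not NSS code and not part of this advisory; it puts a permissive length decoder beside a strict one so the difference is visible on constructed inputs. Tag handling is limited to single-byte tags and the 4-byte cap on the length field is an assumption chosen for this example.

```python
"""Permissive vs. strict DER length decoding (added example, not NSS code).

All sample byte strings in the tests are constructed for illustration.
"""


class DERError(ValueError):
    """Raised when input is not valid, minimally encoded DER."""


def decode_length_permissive(buf: bytes, pos: int) -> tuple[int, int]:
    """Lenient decoder: accepts any long-form encoding, including ones with
    leading zero bytes or long form for small values. Returns (length, new_pos).
    This is the behaviour a strict DER parser must NOT have."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    raw = buf[pos:pos + nbytes]
    return int.from_bytes(raw, "big"), pos + nbytes


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Strict DER decoder: one canonical encoding per length value.

    Rejects the indefinite form (0x80), non-minimal long forms, over-long
    length fields, and lengths that run past the end of the buffer."""
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos                      # short form, 0..127
    if first == 0x80:
        raise DERError("indefinite length is BER only, not DER")
    nbytes = first & 0x7F
    if nbytes > 4:                             # assumption: cap for this example
        raise DERError("length field too long")
    if pos + nbytes > len(buf):
        raise DERError("truncated length field")
    raw = buf[pos:pos + nbytes]
    pos += nbytes
    if raw[0] == 0:
        raise DERError("non-minimal length: leading zero byte")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise DERError("non-minimal length: long form used for value < 128")
    if pos + length > len(buf):
        raise DERError("contents run past end of buffer")
    return length, pos


def decode_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Strictly decode one tag-length-value element; returns (tag, value, new_pos)."""
    if pos >= len(buf):
        raise DERError("truncated: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not handled in this example")
    length, pos = decode_length(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def is_valid_der(buf: bytes) -> bool:
    """True if buf is exactly one strictly encoded element with no trailing bytes."""
    try:
        _, _, end = decode_tlv(buf)
    except DERError:
        return False
    return end == len(buf)


if __name__ == "__main__":
    smuggled = b"\x04\x82\x00\x03abc"   # OCTET STRING, length 3 padded to two bytes
    print("permissive:", decode_length_permissive(smuggled, 1))
    print("strict accepts:", is_valid_der(smuggled))
```

The permissive decoder happily reads the padded length as 3; the strict one refuses the element outright, which is the behaviour NSS 3.17.3 adopted. A strict parser is also the right place to enforce the trailing-bytes check in `is_valid_der`, since a signature computed over a DER blob only means something if the verifier and the consumer agree on where that blob ends.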
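The TLS_FALLBACK_SCSV mechanism the advisory describes is easiest to see as a small model of both sides of the handshake. The following is an added example, not NSS or Mozilla code: it simulates a client that retries with lower protocol versions when a handshake fails, a server that implements the RFC 7507 check, and a network that lets only some versions through. The version constants and the single placeholder cipher suite are simplified; the SCSV value 0x5600 is the real one from RFC 7507.

```python
"""TLS_FALLBACK_SCSV downgrade protection, modelled end to end (added example)."""

TLS_FALLBACK_SCSV = 0x5600                     # RFC 7507 signalling suite
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
PLACEHOLDER_SUITE = 0x002F                     # any ordinary suite, constructed

INAPPROPRIATE_FALLBACK = "alert:inappropriate_fallback"


def server_hello(server_max: int, client_version: int, cipher_suites: list[int]):
    """Server side (RFC 7507 section 3): if the client signals that this is a
    fallback and offers a version lower than the highest one the server
    supports, refuse the connection instead of negotiating the lower version."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return INAPPROPRIATE_FALLBACK
    return min(server_max, client_version)


def client_connect(server_max: int, versions: list[int],
                   network_allows: set[int], send_scsv: bool):
    """Client doing the legacy fallback dance: try versions from highest to
    lowest; a version not in network_allows never completes its handshake
    (modelling a middlebox or an on-path interferer dropping it). On every
    retry after the first attempt the client appends TLS_FALLBACK_SCSV when
    send_scsv is set. Returns the negotiated version or an alert string."""
    for attempt, version in enumerate(versions):
        suites = [PLACEHOLDER_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        if version not in network_allows:
            continue                            # handshake failed, try lower
        return server_hello(server_max, version, suites)
    return "error:no_version_succeeded"


def poodle_scenario(send_scsv: bool, client_versions: list[int]):
    """Server supports up to TLS 1.2; only SSL 3.0 handshakes get through."""
    return client_connect(TLS_1_2, client_versions,
                          network_allows={SSL_3_0}, send_scsv=send_scsv)


if __name__ == "__main__":
    legacy = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]
    print("no SCSV        :", hex(poodle_scenario(False, legacy)))
    print("with SCSV      :", poodle_scenario(True, legacy))
    print("SSLv3 disabled :", poodle_scenario(True, legacy[:-1]))
</test>
```

Three outcomes fall out of the model. Without the SCSV, the forced retries end at SSL 3.0 and the server accepts it. With the SCSV, the server sees a fallback to a version below its own maximum and answers with inappropriate_fallback, so the downgrade is detected rather than silently accepted. With SSL 3.0 removed from the client's list, as this update does by default, there is no SSL 3.0 attempt to force at all. Note that a server that genuinely supports nothing above SSL 3.0 still works with an SCSV-sending client, because the offered version is not below the server's maximum.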
References
- https://bugs.mageia.org/show_bug.cgi?id=14716
- https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
- https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
- https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
- https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
- https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
- https://rhn.redhat.com/errata/RHSA-2014-1948.html
- https://rhn.redhat.com/errata/RHSA-2014-1919.html
- https://rhn.redhat.com/errata/RHSA-2014-1924.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594
SRPMS
4/core
- rootcerts-20141117.00-1.mga4
- nss-3.17.3-1.mga4
- firefox-31.3.0-1.mga4
- firefox-l10n-31.3.0-1.mga4
- thunderbird-31.3.0-1.mga4
- thunderbird-l10n-31.3.0-1.mga4