Advisories ยป MGASA-2014-0507

Updated firefox & thunderbird packages fix security vulnerabilities

Publication date: 03 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-1569 , CVE-2014-1587 , CVE-2014-1590 , CVE-2014-1592 , CVE-2014-1593 , CVE-2014-1594

Description

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths
is too permissive, allowing undetected smuggling of arbitrary data
(CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,
CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails. This can prevent a forceful downgrade of
the communication to SSL 3.0, mitigating CVE-2014-3566, also known as
POODLE.  SSL 3.0 support has also been disabled by default in this Firefox
and Thunderbird update, further mitigating POODLE.
                

References

SRPMS

4/core