Advisories » MGASA-2014-0507

Updated firefox & thunderbird packages fix security vulnerabilities

Publication date: 03 Dec 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-1569, CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594


Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths
is too permissive, allowing undetected smuggling of arbitrary data

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,

A flaw was found in the Alarm API, which could allow applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails. This can prevent a forceful downgrade of
the communication to SSL 3.0, mitigating CVE-2014-3566, also known as
POODLE. SSL 3.0 support has also been disabled by default in this Firefox
and Thunderbird update, further mitigating POODLE.
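To show how the signaling value works on both sides, here is an added simulation (not NSS or Mozilla code): the client retries downward as the advisory describes, and the server refuses a retry that carries TLS_FALLBACK_SCSV but offers less than its own highest version. The version numbers, the 0x5600 suite value and the inappropriate_fallback alert are the ones RFC 7507 assigns; the attacker and legacy-server scenarios in demo() are constructed.

```python
# Added example (not NSS or Mozilla code): simulation of the TLS_FALLBACK_SCSV
# check from RFC 7507. The client retries at a lower protocol version when a
# handshake is aborted; the server refuses a flagged retry offering less than it supports.
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSIONS = [SSL30, TLS10, TLS11, TLS12]            # ascending preference
TLS_FALLBACK_SCSV = 0x5600                         # suite value assigned by RFC 7507
INAPPROPRIATE_FALLBACK = "inappropriate_fallback"  # alert 86 (RFC 7507)


def server_handle(offered_version, cipher_suites, server_max, server_min):
    """Server side: ('ok', negotiated_version) or ('alert', reason).

    The defensive check: a ClientHello carrying TLS_FALLBACK_SCSV is a fallback
    retry, so reject it if it offers less than the server's best version."""
    if offered_version < server_min:
        return ("alert", "protocol_version")
    if TLS_FALLBACK_SCSV in cipher_suites and offered_version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(offered_version, server_max))


def client_connect(client_max, client_min, server_max, server_min, aborted, send_scsv):
    """Client side with the retry-on-failure behaviour the advisory describes.

    aborted(version) models the transport: True means the handshake at that
    version never completed. Returns the negotiated version or None."""
    offers = [v for v in reversed(VERSIONS) if client_min <= v <= client_max]
    for attempt, version in enumerate(offers):
        suites = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA as a stand-in suite list
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback retry
        if aborted(version):
            continue  # no answer: fall back to the next lower version
        status, result = server_handle(version, suites, server_max, server_min)
        if status == "ok":
            return result
        if result == INAPPROPRIATE_FALLBACK:
            return None  # server refused the downgrade; stop retrying
    return None


def demo():
    """Constructed POODLE-style scenario: an attacker drops every handshake above SSL 3.0."""
    attack = lambda v: v > SSL30
    return {
        "no_scsv": client_connect(TLS12, SSL30, TLS12, SSL30, attack, False),  # downgraded to 0x0300
        "scsv": client_connect(TLS12, SSL30, TLS12, SSL30, attack, True),      # None: refused
        "ssl3_off": client_connect(TLS12, TLS10, TLS12, SSL30, attack, False), # None: never offered
        "legacy": client_connect(TLS12, SSL30, TLS10, SSL30, lambda v: v > TLS10, True),  # 0x0301
    }
```

The "legacy" case shows that the signal does not break a client that genuinely needs to fall back to a server whose best version is TLS 1.0, while "ssl3_off" shows the effect of the update's other change: with SSL 3.0 removed from the client's range, the attacker can only cause a connection failure, not a downgrade.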