Updated firefox and thunderbird packages fixes security vulnerabilitiesPublication date: 17 Jan 2015
Affected Mageia releases : 4
CVE: CVE-2014-8634 , CVE-2014-8638 , CVE-2014-8639 , CVE-2014-8641
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-8634). It was found that the Beacon interface implementation in Firefox and Thunderbird did not follow the Cross-Origin Resource Sharing (CORS) specification. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (XSRF) attack (CVE-2014-8638). It was found that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read (CVE-2014-8639). Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in a either a potentially exploitable crash or incorrect WebRTC behavior. Note that this issue only affects Firefox (CVE-2014-8641).