Advisories » MGASA-2015-0025

Updated firefox and thunderbird packages fix security vulnerabilities

Publication date: 17 Jan 2015
Modification date: 17 Jan 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-8634, CVE-2014-8638, CVE-2014-8639, CVE-2014-8641

Description

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-8634).

It was found that the Beacon interface implementation in Firefox and
Thunderbird did not follow the Cross-Origin Resource Sharing (CORS)
specification. A web page containing malicious content could allow a remote
attacker to conduct a Cross-Site Request Forgery (XSRF) attack
(CVE-2014-8638).
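The practical lesson of CVE-2014-8638 for a web application is that a server must not treat the absence of a CORS preflight as proof that a POST is first-party: a beacon that bypasses the browser's CORS handling arrives looking like any other request. The check below is an added example (not Mozilla's, Mageia's or any real application's code) of a server-side state-change guard that does not depend on CORS at all. It assumes an application at the constructed origin SITE_ORIGIN that binds a CSRF token to each session; the request values in the demo are constructed.

```python
"""Server-side CSRF guard that does not rely on CORS preflight (added example)."""
from __future__ import annotations

import hmac
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed for this example).
SITE_ORIGIN = "https://app.example"


def _origin_of(url: str) -> str:
    """Reduce a URL (or an Origin header value) to scheme://host[:port], lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_trusted_state_change(method: str, headers: dict[str, str],
                            body: dict[str, str], session_token: str) -> bool:
    """Accept a state-changing request only if it is demonstrably first-party.

    Two independent checks, neither of which depends on the browser having
    performed a CORS preflight:
      1. the Origin header (or, failing that, Referer) names our own origin;
         a missing header or "Origin: null" is rejected;
      2. the body carries the CSRF token bound to this session, compared in
         constant time.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must not change state, so there is nothing to protect.
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source or _origin_of(source) != SITE_ORIGIN:
        return False
    supplied = body.get("csrf_token", "")
    return hmac.compare_digest(supplied, session_token)


if __name__ == "__main__":
    session_token = "c0ns7ruc7ed-session-token"  # constructed value

    # A beacon-style POST from another origin, no token: must be refused.
    print(is_trusted_state_change(
        "POST", {"Origin": "https://attacker.example"}, {}, session_token))  # False
    # Same-origin form POST carrying the session's token: accepted.
    print(is_trusted_state_change(
        "POST", {"Origin": SITE_ORIGIN}, {"csrf_token": session_token}, session_token))  # True
    # Right origin but the token is missing: still refused.
    print(is_trusted_state_change(
        "POST", {"Origin": SITE_ORIGIN}, {}, session_token))  # False
```

The Origin check alone would have stopped the cross-site beacon, but keeping the token check as well means a future browser bug in Origin handling does not silently reopen the hole.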

It was found that a Web Proxy returning a 407 Proxy Authentication response
with a Set-Cookie header could inject cookies into the originally requested
domain. This could be used for session-fixation attacks. This attack only
allows cookies to be written but does not allow them to be read
(CVE-2014-8639).
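The defensive rule behind CVE-2014-8639 is simple to state: a 407 response is authored by the proxy, not by the origin server the client asked for, so nothing in it may be stored as that origin's cookies. The following is an added example (not Firefox's or Mageia's code) of a client-side cookie-acceptance policy that models this rule, together with the ordinary domain-match check, and runs it over constructed responses.

```python
"""Client-side cookie-acceptance policy for the 407 Set-Cookie case (added example)."""
from __future__ import annotations

from http.cookies import CookieError, SimpleCookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 style domain-match: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_to_store(status: int, headers: list[tuple[str, str]],
                     request_host: str) -> dict[str, str]:
    """Return name -> value of the cookies a client may persist for request_host.

    Rule 1: a 407 Proxy Authentication Required response comes from the proxy,
            so none of its Set-Cookie headers may be attributed to request_host.
    Rule 2: a cookie whose Domain attribute does not domain-match request_host
            is discarded; cookies without a Domain attribute are host-only.
    """
    if status == 407:
        return {}
    stored: dict[str, str] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        try:
            jar.load(value)
        except CookieError:
            continue  # malformed Set-Cookie: ignore rather than guess
        for cookie_name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".")
            if domain and not domain_matches(request_host, domain):
                continue
            stored[cookie_name] = morsel.value
    return stored


if __name__ == "__main__":
    # Constructed proxy challenge that also tries to plant a session cookie.
    proxy_challenge = [
        ("Proxy-Authenticate", 'Basic realm="proxy"'),
        ("Set-Cookie", "sessionid=attacker-chosen; Path=/"),
    ]
    print(cookies_to_store(407, proxy_challenge, "bank.example"))  # {}

    # Constructed origin response: one valid cookie, one for a foreign domain.
    origin_response = [
        ("Set-Cookie", "sessionid=server-issued; Path=/; HttpOnly"),
        ("Set-Cookie", "tracker=1; Domain=other.example"),
    ]
    print(cookies_to_store(200, origin_response, "bank.example"))
    # {'sessionid': 'server-issued'}
```

Without rule 1 the first response would have seeded `bank.example` with an attacker-chosen `sessionid`, which is exactly the session-fixation setup the advisory describes; note that the proxy never needs to read the cookie back for that to work.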

Security researcher Mitchell Harper discovered a read-after-free in WebRTC
due to the way tracks are handled. This results in either a potentially
exploitable crash or incorrect WebRTC behavior. Note that this issue only
affects Firefox (CVE-2014-8641).

References

SRPMS

4/core