Updated nss and firefox packages fix security vulnerabilities
Publication date: 17 Nov 2016Modification date: 17 Nov 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-5290 , CVE-2016-5291 , CVE-2016-5296 , CVE-2016-5297 , CVE-2016-9064 , CVE-2016-9066 , CVE-2016-9074
Description
Multiple flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066,
CVE-2016-5291, CVE-2016-5290).
A flaw was found in the way Add-on update process was handled by Firefox.
A Man-in-the-Middle attacker could use this flaw to install a malicious
signed add-on update (CVE-2016-9064).
An existing mitigation of timing side-channel attacks in NSS before 3.26.1
is insufficient in some circumstances (CVE-2016-9074).
References
- https://bugs.mageia.org/show_bug.cgi?id=19789
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
- https://rhn.redhat.com/errata/RHSA-2016-2780.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5296
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074
SRPMS
5/core
- firefox-45.5.0-1.mga5
- firefox-l10n-45.5.0-1.mga5
- nss-3.27.1-1.mga5
- rootcerts-20160922.00-1.mga5
- nspr-4.13.1-1.mga5