Описание
Security update for MozillaFirefox
Mozilla Firefox was updated to 31.6.0 ESR to fix five security issues.
The following vulnerabilities were fixed:
- Miscellaneous memory safety hazards (MFSA 2015-30/CVE-2015-0814/CVE-2015-0815)
- Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31/CVE-2015-0813)
- resource:// documents can load privileged pages (MFSA 2015-33/CVE-2015-0816)
- CORS requests should not follow 30x redirections after preflight (MFSA 2015-37/CVE-2015-0807)
- Same-origin bypass through anchor navigation (MFSA 2015-40/CVE-2015-0801)
Список пакетов
SUSE Linux Enterprise Desktop 12
Ссылки
- Link for SUSE-SU-2015:0704-2
- E-Mail link for SUSE-SU-2015:0704-2
- SUSE Security Ratings
- SUSE Bug 925368
- SUSE CVE CVE-2015-0801 page
- SUSE CVE CVE-2015-0807 page
- SUSE CVE CVE-2015-0813 page
- SUSE CVE CVE-2015-0814 page
- SUSE CVE CVE-2015-0815 page
- SUSE CVE CVE-2015-0816 page
Описание
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.
Затронутые продукты
Ссылки
- CVE-2015-0801
- SUSE Bug 925368
- SUSE Bug 925401
Описание
The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638.
Затронутые продукты
Ссылки
- CVE-2015-0807
- SUSE Bug 913068
- SUSE Bug 925368
- SUSE Bug 925398
Описание
Use-after-free vulnerability in the AppendElements function in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 on Linux, when the Fluendo MP3 plugin for GStreamer is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted MP3 file.
Затронутые продукты
Ссылки
- CVE-2015-0813
- SUSE Bug 925368
- SUSE Bug 925393
Описание
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Затронутые продукты
Ссылки
- CVE-2015-0814
- SUSE Bug 925368
- SUSE Bug 925392
Описание
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Затронутые продукты
Ссылки
- CVE-2015-0815
- SUSE Bug 925368
- SUSE Bug 925392
Описание
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
Затронутые продукты
Ссылки
- CVE-2015-0816
- SUSE Bug 925368
- SUSE Bug 925395