Univention Bugzilla – Full Text Bug Listing

Summary: | firefox-esr: Security issues from 45.9.0esr..52.3.0esr (4.2) | | |
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
Severity: | normal | | |
Priority: | P5 | Flags: | requate: Patch_Available+ |
Version: | UCS 4.2 | | |
Target Milestone: | UCS 4.2-1-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
URL: | https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45209 | | |
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | Security |
Max CVSS v3 score: | 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) | | |
Description

Arvid Requate
2017-06-26 15:04:10 CEST

Upstream Debian package version 52.3.0esr-1~deb8u1 fixes all of the following:

* Out-of-bounds read with cached style data and pseudo-elements (CVE-2017-7753)
* Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 (CVE-2017-7779)
* Use-after-free with image observers (CVE-2017-7784)
* Buffer overflow manipulating ARIA attributes in DOM (CVE-2017-7785)
* Buffer overflow while painting non-displayable SVG (CVE-2017-7786)
* Same-origin policy bypass with iframes through page reloads (CVE-2017-7787)
* Spoofing following page navigation with data: protocol and modal alerts (CVE-2017-7791)
* Buffer overflow viewing certificates with an extremely long OID (CVE-2017-7792)
* XUL injection in the style editor in devtools (CVE-2017-7798)
* Use-after-free in WebSockets during disconnection (CVE-2017-7800)
* Use-after-free with marquee during window resizing (CVE-2017-7801)
* Use-after-free resizing image elements (CVE-2017-7802)
* CSP containing 'sandbox' improperly applied (CVE-2017-7803)
* Domain hijacking through AppCache fallback (CVE-2017-7807)
* Use-after-free while deleting attached editor DOM node (CVE-2017-7809)

I've imported Debian upstream binary package 52.2.0esr-1~deb8u1 via
=========================================================================
debian_package="firefox-esr"
svn_checkout=~/svn/dev/branches
repong_checkout="$svn_checkout/ucs-3.2/internal/repo-ng"
errata_checkout="$svn_checkout/ucs-4.2/ucs-4.2-1/doc/errata"
svn up "$repong_checkout"
svn up "$errata_checkout"
mkdir -p "/tmp/$USER"
python -m univention.repong.debmirror \
  --errata "$errata_checkout" \
  --sql -vvvv --work "/tmp/$USER/work.yaml" \
  --overwrite \
  "$repong_checkout/mirror/update_ucs42_mirror_from_debian.tsv" \
  --save="/tmp/$USER/repo-debmirror.pickle" \
  --process COPY \
  --package "$debian_package"
=========================================================================

Advisory: ucs-4.2-1/doc/errata/staging/firefox-esr.yaml

Reopen: comment 1 mentions 52.3.0esr-1~deb8u1, but the imported version is 52.2.0esr-1~deb8u1. The yaml however mentions the fixes from the 52.3 version.

Ok, firefox-esr has a new dependency on libjsoncpp0 which was unmaintained. I've added it to svn/triggers/ucs_4.2-0-ucs4.2-1.txt and rebuilt the maintained packages lists using the corresponding Jenkins job.

For QA I've announced the scope to the test repo. In a test VM it can be activated by running:

eval "$(ucr shell)"
component="repository/online/component/${version_version}-${version_patchlevel}-errata-test"
ucr set "$component"/description="Preview errata updates for UCS ${version_version}-${version_patchlevel}" \
  "$component"/version="${version_version}" \
  "$component"/server=apt.knut.univention.de \
  "$component"=enabled

Possibly repository credentials are required too.

Additional Advisory: libjsoncpp.yaml

OK: libjsoncpp.yaml
OK: firefox-esr.yaml
OK: package installation
OK: system setup run (setup new master) with updated package
Verified