Univention Bugzilla – Bug 48366
firefox-esr: Multiple issues (4.2)
Last modified: 2018-12-19 14:15:10 CET
New Debian firefox-esr 60.4.0esr-1~deb8u1 fixes:

This update addresses the following issues:
* Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 (CVE-2018-12405)
* Memory corruption in Angle (CVE-2018-17466)
* Use-after-free with select element (CVE-2018-18492)
* Buffer overflow in accelerated 2D canvas with Skia (CVE-2018-18493)
* Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs (CVE-2018-18494)
* Integer overflow when calculating buffer sizes for images (CVE-2018-18498)
--- mirror/ftp/4.2/unmaintained/component/4.2-5-errata/source/firefox-esr_60.3.0esr-1~deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/firefox-esr_60.4.0esr-1~deb8u1.dsc 
@@ -1,10 +1,37 @@ -60.3.0esr-1~deb8u1 [Wed, 31 Oct 2018 10:24:02 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: +60.4.0esr-1~deb8u1 [Wed, 12 Dec 2018 10:43:12 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: - * Backport to jessie. + * Non-maintainer upload by the LTS team. * Build against the embedded jsoncpp, jessie's one is too old. - * Disable elf hack. -60.3.0esr-1~deb9u1 [Wed, 24 Oct 2018 07:17:22 +0900] Mike Hommey <glandium@debian.org>: +60.4.0esr-1 [Wed, 12 Dec 2018 08:29:04 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2018-30, also known as: + CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, + CVE-2018-18498, CVE-2018-12405. + +60.3.0esr-3 [Wed, 28 Nov 2018 14:28:56 +0900] Mike Hommey <glandium@debian.org>: + + * debian/browser.install.in, debian/rules: Properly copy the watermark to + /usr/share/icons/hicolor/symbolic/apps. + * debian/rules: Pass compiler and compiler flags environment variables + down to ICU configure. That will make it use GCC instead of defaulting + to clang now it's in PATH, avoiding the failing to build the ICU data + file on big endian platforms because clang doesn't know some of the GCC + flags it somehow got from the environment. + +60.3.0esr-2 [Mon, 26 Nov 2018 10:42:42 +0900] Mike Hommey <glandium@debian.org>: + + * debian/control*: Build depend on unversioned clang/llvm. + Closes: #912804. + * debian/rules: Use embedded libevent in backports. Closes: #910397. + + * build/unix/elfhack/test.c: Try to ensure the bss section of the + elfhack testcase stays large enough. bz#1505608. + * memory/build/mozjemalloc.cpp: Fix run sizes for size classes >= 16KB + on systems with large pages. bz#1507035. Closes: #911898. + +60.3.0esr-1 [Wed, 24 Oct 2018 07:08:43 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-27, also known as: 
@@ -14,7 +41,7 @@ * debian/rules: Work around armel FTBFS from conflicting __sync_* symbols between libgcc and rust's compiler_builtins. -60.2.2esr-1~deb9u1 [Wed, 03 Oct 2018 07:28:38 +0900] Mike Hommey <glandium@debian.org>: +60.2.2esr-1 [Wed, 03 Oct 2018 07:28:38 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-24, also known as: @@ -25,13 +52,15 @@ * debian/control*, debian/browser.mozconfig.in: Build ALSA support. Closes: #864987, #900062, #908349 -60.2.1esr-1~deb9u1 [Sat, 22 Sep 2018 08:10:27 +0900] Mike Hommey <glandium@debian.org>: +60.2.1esr-1 [Sat, 22 Sep 2018 08:10:27 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-23, also known as: CVE-2018-12385, CVE-2018-12383. * debian/control*: + - Remove the sqlite and nss dependencies when not building against the + system libraries. - Enforce nss, nspr and sqlite dependencies to the same versions as build dependencies. There are subtle non-ABI differences between versions that Firefox might be relying on (be it features, behavior @@ -46,12 +75,7 @@ * gfx/2d/Swizzle.cpp: Use Swizzle fallback when SSE2 is not supported. bz#1492065. Closes: #877445. -60.2.0esr-1~deb9u2 [Fri, 07 Sep 2018 18:21:32 +0900] Mike Hommey <glandium@debian.org>: - - * debian/control*: Remove the sqlite and nss dependencies when not building - against the system libraries. - -60.2.0esr-1~deb9u1 [Thu, 06 Sep 2018 06:18:15 +0900] Mike Hommey <glandium@debian.org>: +60.2.0esr-1 [Thu, 06 Sep 2018 06:18:15 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. * Fixes for mfsa2018-21, also known as: <http://10.200.17.11/4.2-5/#6810162067911418211>
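Review bot: in the first hunk the jessie entry loses "* Disable elf hack." together with "* Backport to jessie.", yet the imported 60.3.0esr-2 entry adds an elfhack testcase fix (build/unix/elfhack/test.c, bz#1505608); the 60.4.0esr-1~deb8u1 entry should say whether elfhack is now enabled in the jessie build or whether the line was dropped in the rebase from 60.3.0esr-1~deb9u1 onto 60.3.0esr-1. The mfsa2018-30 list (CVE-2018-17466, CVE-2018-18492, CVE-2018-18493, CVE-2018-18494, CVE-2018-18498, CVE-2018-12405) matches the six CVEs in the update description above.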
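Review bot: the last hunk deletes the 60.2.0esr-1~deb9u2 entry whose only item, "Remove the sqlite and nss dependencies when not building against the system libraries", reappears in the third hunk under 60.2.1esr-1, and every ~deb9uN header is renamed to its unsuffixed counterpart. That is the expected result of rebasing the jessie package onto Debian's unstable changelog instead of the stretch branch, but it also means the entries of the previous UCS package (60.3.0esr-1~deb9u1 and below) no longer appear verbatim; one line in the 60.4.0esr-1~deb8u1 entry stating that the package is now based on 60.4.0esr-1 rather than on the stretch build would make the rebase explicit for anyone diffing the two .dsc files.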
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] b470e40698 Bug #48366: firefox-esr 60.4.0esr-1~deb8u1
 doc/errata/staging/firefox-esr.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

[4.2-5] a20d49d47c Bug #48366: firefox-esr 60.4.0esr-1~deb8u1
 doc/errata/staging/firefox-esr.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
<http://errata.software-univention.de/ucs/4.2/566.html>