Univention Bugzilla – Bug 49546
firefox-esr: Multiple issues (4.3)
Last modified: 2019-05-29 13:51:30 CEST
New Debian firefox-esr 60.7.0esr-1~deb9u1 fixes:

This update addresses the following issues:
* Cross-origin theft of images with ImageBitmapRenderingContext (CVE-2018-18511)
* Out of bounds read in Skia (CVE-2019-5798)
* use-after-free in png_image_free in png.c (CVE-2019-7317)
* Cross-origin theft of images with createImageBitmap (CVE-2019-9797)
* Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 (CVE-2019-9800)
* Type confusion with object groups and UnboxedObjects (CVE-2019-9816)
* Stealing of cross-domain images using canvas (CVE-2019-9817)
* Compartment mismatch with fetch API (CVE-2019-9819)
* Use-after-free of ChromeEventHandler by DocShell (CVE-2019-9820)
* Use-after-free in XMLHttpRequest (CVE-2019-11691)
* Use-after-free removing listeners in the event listener manager (CVE-2019-11692)
* Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693)
* Theft of user history data through drag and drop of hyperlinks to and from bookmarks (CVE-2019-11698)
--- mirror/ftp/4.3/unmaintained/4.3-4/source/firefox-esr_60.6.1esr-1~deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-4/source/firefox-esr_60.7.0esr-1~deb9u1.dsc @@ -1,3 +1,26 @@ +60.7.0esr-1~deb9u1 [Wed, 22 May 2019 07:23:08 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-14, also known as: + CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, + CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-7317, + CVE-2019-9797, CVE-2018-18511, CVE-2019-11698, CVE-2019-5798, + CVE-2019-9800. + + * debian/rules: Avoid rust build errors with newer versions of rustc by + capping lints to warnings. + +60.6.3esr-1~deb9u1 [Thu, 09 May 2019 05:14:54 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + - Additional fixes for addon signature validation. + +60.6.2esr-1~deb9u1 [Sun, 05 May 2019 20:12:37 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + - Fixes issues with addon signature validation. Closes: #928415, #928449. + Note: this didn't affect addons installed via Debian packages. + 60.6.1esr-1~deb9u1 [Sun, 24 Mar 2019 08:15:11 +0900] Mike Hommey <glandium@debian.org>: * New upstream release. <http://10.200.17.11/4.3-4/#3443264920117155941>
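Review bot: The 60.6.2esr and 60.6.3esr entries added in this hunk carry addon signature validation fixes that the erratum description above does not mention. Because the package moves from 60.6.1esr directly to 60.7.0esr, those fixes ship with this update as well, so consider adding a line for them to the errata text next to the 13 CVEs from mfsa2019-14, together with the changelog's note that addons installed via Debian packages were not affected. The debian/rules change in the 60.7.0esr entry (capping rust lints to warnings) is build-only and needs no mention in the erratum.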
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-4] bde7e6d958 Bug #49546: firefox-esr 60.7.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.3-4] 308f2baea7 Bug #49546: firefox-esr 60.7.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
<http://errata.software-univention.de/ucs/4.3/509.html>