Univention Bugzilla – Bug 50623
firefox-esr: Multiple issues (4.3)
Last modified: 2019-12-11 17:06:32 CET
New Debian firefox-esr 68.3.0esr-1~deb9u1 fixes:

This update addresses the following issues:
* Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68. (CVE-2019-13075)
* Buffer overflow in plain text serializer (CVE-2019-17005)
* Use-after-free in worker destruction (CVE-2019-17008)
* Use-after-free when performing device orientation checks (CVE-2019-17010)
* Use-after-free when retrieving a document in antitracking (CVE-2019-17011)
* Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (CVE-2019-17012)
--- mirror/ftp/4.3/unmaintained/component/4.3-5-errata/source/firefox-esr_68.2.0esr-1~deb9u2.dsc +++ apt/ucs_4.3-0-errata4.3-5/source/firefox-esr_68.3.0esr-1~deb9u1.dsc @@ -1,3 +1,18 @@ +68.3.0esr-1~deb9u1 [Sat, 07 Dec 2019 08:58:01 +0900] Mike Hommey <glandium@debian.org>: + + * New upstream release. + * Fixes for mfsa2019-37, also known as: + CVE-2019-17008, CVE-2019-11745, CVE-2019-17010, CVE-2019-17005, + CVE-2019-17011, CVE-2019-17012. + + * debian/control.in: Bump nss build dependencies. + * intl/icu_sources_data.py: + - Revert change from 68.2.0esr-1~deb9u2. + - Don't build ICU in parallel. + * gfx/skia/skia/third_party/skcms/src/Transform_inl.h: Work around + GCC ICEs on arm. + (Thanks Emilio Pozuelo Monfort) + 68.2.0esr-1~deb9u2 [Wed, 06 Nov 2019 12:22:11 +0100] Emilio Pozuelo Monfort <pochu@debian.org>: * Don't set the NASM make variable on architectures without nasm, fixes <http://10.200.17.11/4.3-5/#4492125461518727985>
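Review bot: The CVE list in the added 68.3.0esr-1~deb9u1 changelog entry does not match the erratum text in this bug. The "Fixes for mfsa2019-37" lines name CVE-2019-11745, which the bug description does not mention, and the description's CVE-2019-13075 does not appear in the changelog. Reconcile the two lists in the errata YAML so that every CVE fixed by this upload is announced. Separately, "debian/control.in: Bump nss build dependencies" gives no minimum version, so confirm that the nss package available in 4.3-5 satisfies the new build dependency.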
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts

[4.3-5] 20b4da1790 Bug #50623: firefox-esr 68.3.0esr-1~deb9u1
 doc/errata/staging/firefox-esr.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
<http://errata.software-univention.de/ucs/4.3/620.html>