From nobody Tue Dec 10 19:10:39 2024
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Y77c017kZz5gVyK;
	Tue, 10 Dec 2024 19:10:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Y77c00fBZz4K9W;
	Tue, 10 Dec 2024 19:10:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1733857840;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=M15bL8OZyJ2RQK/8eEcIYesLD4QR+GXkEARJdfx1oVs=;
	b=etuYGGfNl7aJBBZ7ejrKSSedYCFbd6o+Em58cuomRNL67ohAKK+fDCOghqGbbL2lCB3wAf
	skUf5o4Tn4ftMZMPzfOkPcXinslxJzocaAnaGu6XbPsxXBXGbLnDpl4sQU+RT18Z+zDw+L
	UrJnFot9zlvw/HdUw6FHm2pUZ8SqgJbdVLNuCgWndp1ToCCfXGK8pP7hXy9JbxrqGWJyaK
	dwgYyCn8OQXZE1bwYdBsfE61rmUCXPTPP6sIsN/E6AEyR389NpOSc3t83UyMeaX9meTJgl
	LErvB9HdmNzkXFowvz9vApoH83nlek+dmOdKm5fn87zXNRVHoEvdyPfmoV64Xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1733857840;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=M15bL8OZyJ2RQK/8eEcIYesLD4QR+GXkEARJdfx1oVs=;
	b=oF7hM+Cdpw7mOQkVL40bKS4xwB4la4UxxAO6CuOjY3uVRUFcLJT9WFnL5CgmRg2VCsDh+x
	vmx92tNaqunpJZahiWqCGhwsnps9omxpSLbcCsCH1Vpl74c9YGp7svxsjDkTzY3spOtkPy
	qkm0b19nn47fqRnCPpHJRmErws0cwscTvEasEliZDjIPZUI5SdEj1tfEFI1ThugC4N3ArZ
	Gc3J8o540S0gu84pHA5t5FnnSP/WWylQGAa6ShoHVPavQ4sGEFuSABilj+nJ2jUMbqcc8Q
	gB076vMaADN/3TCWIdNX25dK0u+YCEsDaQQELgccGDUwqsuDrjxlCKmLStbENQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1733857840; a=rsa-sha256; cv=none;
	b=BFDw/IHlVlHGBLTM/spsAqc7fEJM6jHeQSWWtrVXc+wMXWKyla1NCluYwAileuiml74gMM
	9iQJNiDCWawc6ZgrXPM87AJ1my5y1i27xA2356sxvdjvUYek0gR3icxoVekH+DzQGv83uF
	JqLTKEBPFx7XpGSxdc3Kp1V2POrvIIZRDeU1qHTAwbb97d6SeGCSfXz12M1hvH7vv0dU6t
	0jB0vty5t0bEjLd8fjoPK7Eequ9NHLlB6E1L1NO5oWq22BMyOmptz2e41RCJCaLD/gIFGa
	j5rRh43ZE28WZUSRYrvTcw//D4zbJHNxPkVuiUCm8fXGWtGRUBcKsEu9AskHfw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Y77c002zPzbl5;
	Tue, 10 Dec 2024 19:10:40 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4BAJAd0I027264;
	Tue, 10 Dec 2024 19:10:39 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4BAJAdim027261;
	Tue, 10 Dec 2024 19:10:39 GMT
	(envelope-from git)
Date: Tue, 10 Dec 2024 19:10:39 GMT
Message-Id: <202412101910.4BAJAdim027261@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org>
Subject: git: eb66f4658087 - main - security/vuxml: Add mozilla
  vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: eb66f4658087fd0fe83d8f5c30fa084f95c58c2b
Auto-Submitted: auto-generated

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=eb66f4658087fd0fe83d8f5c30fa084f95c58c2b

commit eb66f4658087fd0fe83d8f5c30fa084f95c58c2b
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2024-12-10 19:09:05 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2024-12-10 19:10:23 +0000

    security/vuxml: Add mozilla vulnerabilities
    
     * CVE-2024-11692
     * CVE-2024-11696
     * CVE-2024-11697
     * CVE-2024-11699
---
 security/vuxml/vuln/2024.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index a5f7f0e3e62a..59fbd5916e2a 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,67 @@
+  <vuln vid="0e20e42c-b728-11ef-805a-b42e991fc52e">
+    <topic>firefox -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>133.0.0,2</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>128.5,1</lt></range>
+      </package>
+      <package>
+	<name>thunderbird</name>
+	<range><lt>133.0.0</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@mozilla.org reports:</p>
+	<blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1929600">
+	<ul>
+	<li>CVE-2024-11692: An attacker could cause a select dropdown
+	to be shown over another tab; this could have led to user
+	confusion and possible spoofing attacks.</li>
+	<li>CVE-2024-11696: The application failed to account for
+	exceptions thrown by the `loadManifestFromFile` method during
+	add-on signature verification.  This flaw, triggered by an
+	invalid or unsupported extension manifest, could have caused
+	runtime errors that disrupted the signature validation process.
+	As a result, the enforcement of signature validation for
+	unrelated add-ons may have been bypassed.  Signature validation
+	in this context is used to ensure that third-party
+	applications on the user&apos;s computer have not tampered
+	with the user&apos;s extensions, limiting the impact of this
+	issue.</li>
+	<li>CVE-2024-11697: When handling keypress events, an attacker
+	may have been able to trick a user into bypassing the &quot;
+	Open Executable File?&quot; confirmation dialog.  This could
+	have led to malicious code execution.</li>
+	<li>CVE-2024-11699: Memory safety bugs present in Firefox 132,
+	Firefox ESR 128.4, and Thunderbird 128.4.  Some of these bugs
+	showed evidence of memory corruption and we presume that with
+	enough effort some of these could have been exploited to run
+	arbitrary code.</li>
+	</ul>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-11692</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-11692</url>
+      <cvename>CVE-2024-11696</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-11696</url>
+      <cvename>CVE-2024-11697</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-11697</url>
+      <cvename>CVE-2024-11699</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-11699</url>
+    </references>
+    <dates>
+      <discovery>2024-11-26</discovery>
+      <entry>2024-12-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="c2fd83e4-b450-11ef-b680-4ccc6adda413">
     <topic>qt6-webengine -- Multiple vulnerabilities</topic>
     <affects>