Date: Sun, 15 Jun 2025 15:58:49 GMT
Message-Id: <202506151558.55FFwnRG029824@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Fernando Apesteguía
Subject: git: fa2ada4b8593 - main - security/vuxml: Add Mozilla vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: fa2ada4b85935fb348d41dccc6785f625dd5c6a1
Auto-Submitted: auto-generated

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fa2ada4b85935fb348d41dccc6785f625dd5c6a1

commit fa2ada4b85935fb348d41dccc6785f625dd5c6a1
Author:     Fernando Apesteguía
AuthorDate: 2025-06-15 15:57:44 +0000
Commit:     Fernando Apesteguía
CommitDate: 2025-06-15 15:57:44 +0000

    security/vuxml: Add Mozilla vulnerabilities

    * CVE-2025-2817

--- security/vuxml/vuln/2025.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 8798a5c29639..bd6d63d2818f 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,44 @@ + + Mozilla -- control access bypass + + + firefox + 138.0,2 + + + firefox-esr + 128.10 + + + thunderbird + 128.0 + + + + +

security@mozilla.org reports:

+
+

Thunderbird's update mechanism allowed a medium-integrity user + process to interfere with the SYSTEM-level updater by manipulating + the file-locking behavior. By injecting code into the user-privileged + process, an attacker could bypass intended access controls, allowing + SYSTEM-level file operations on paths controlled by a non-privileged + user and enabling privilege escalation. This vulnerability affects + Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, + Thunderbird < 138, and Thunderbird < 128.10.

+
+ +
+ + CVE-2025-2817 + https://nvd.nist.gov/vuln/detail/CVE-2025-2817 + + + 2025-04-29 + 2025-06-15 + +
+ webmin -- CGI Command Injection Remote Code Execution
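
Review bot: The version bound on the thunderbird package in the new entry reads 128.0, which does not match the advisory text quoted in the same entry, where the affected releases are given as Thunderbird < 138 and Thunderbird < 128.10. If 128.0 is the upper bound, installed Thunderbird versions from 128.0 up to the fixed releases would not be flagged by this entry. Please check whether 138.0 was intended, and whether the 128.x branch needs its own range ending at 128.10, the same way the firefox and firefox-esr packages are handled above it. A smaller point on the topic line: "control access bypass" would read better as "access control bypass", in line with the "access controls" wording in the description.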