svn commit: r443537 - head/security/vuxml

Tue Jun 13 19:56:09 UTC 2017

Author: jbeich
Date: Tue Jun 13 19:56:07 2017
New Revision: 443537
URL: https://svnweb.freebsd.org/changeset/ports/443537

Log:
  security/vuxml: mark firefox < 54 as vulnerable

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================

--- head/security/vuxml/vuln.xml	Tue Jun 13 19:55:46 2017	(r443536)
+++ head/security/vuxml/vuln.xml	Tue Jun 13 19:56:07 2017	(r443537)
@@ -58,6 +58,96 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="6cec1b0a-da15-467d-8691-1dea392d4c8d">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>54.0,1</lt></range>
+      </package>
+      <package>
+	<name>seamonkey</name>
+	<name>linux-seamonkey</name>
+	<range><lt>2.51</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>52.2.0,1</lt></range>
+      </package>
+      <package>
+	<name>linux-firefox</name>
+	<range><lt>52.2.0,2</lt></range>
+      </package>
+      <package>
+	<name>libxul</name>
+	<name>thunderbird</name>
+	<name>linux-thunderbird</name>
+	<range><lt>52.2.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Mozilla Foundation reports:</p>
+	<blockquote cite="https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/">
+	  <p>CVE-2017-5472: Use-after-free using destroyed node when regenerating trees</p>
+	  <p>CVE-2017-7749: Use-after-free during docshell reloading</p>
+	  <p>CVE-2017-7750: Use-after-free with track elements</p>
+	  <p>CVE-2017-7751: Use-after-free with content viewer listeners</p>
+	  <p>CVE-2017-7752: Use-after-free with IME input</p>
+	  <p>CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object</p>
+	  <p>CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files</p>
+	  <p>CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors</p>
+	  <p>CVE-2017-7757: Use-after-free in IndexedDB</p>
+	  <p>CVE-2017-7778: Vulnerabilities in the Graphite 2 library</p>
+	  <p>CVE-2017-7758: Out-of-bounds read in Opus encoder</p>
+	  <p>CVE-2017-7759: Android intent URLs can cause navigation to local file system</p>
+	  <p>CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service</p>
+	  <p>CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application</p>
+	  <p>CVE-2017-7762: Addressbar spoofing in Reader mode</p>
+	  <p>CVE-2017-7763: Mac fonts render some unicode characters as spaces</p>
+	  <p>CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks</p>
+	  <p>CVE-2017-7765: Mark of the Web bypass when saving executable files</p>
+	  <p>CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service</p>
+	  <p>CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service</p>
+	  <p>CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service</p>
+	  <p>CVE-2017-5471: Memory safety bugs fixed in Firefox 54</p>
+	  <p>CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2017-5470</cvename>
+      <cvename>CVE-2017-5471</cvename>
+      <cvename>CVE-2017-5472</cvename>
+      <cvename>CVE-2017-7749</cvename>
+      <cvename>CVE-2017-7750</cvename>
+      <cvename>CVE-2017-7751</cvename>
+      <cvename>CVE-2017-7752</cvename>
+      <cvename>CVE-2017-7754</cvename>
+      <cvename>CVE-2017-7755</cvename>
+      <cvename>CVE-2017-7756</cvename>
+      <cvename>CVE-2017-7757</cvename>
+      <cvename>CVE-2017-7758</cvename>
+      <cvename>CVE-2017-7759</cvename>
+      <cvename>CVE-2017-7760</cvename>
+      <cvename>CVE-2017-7761</cvename>
+      <cvename>CVE-2017-7762</cvename>
+      <cvename>CVE-2017-7763</cvename>
+      <cvename>CVE-2017-7764</cvename>
+      <cvename>CVE-2017-7765</cvename>
+      <cvename>CVE-2017-7766</cvename>
+      <cvename>CVE-2017-7767</cvename>
+      <cvename>CVE-2017-7768</cvename>
+      <cvename>CVE-2017-7778</cvename>
+      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/</url>
+      <url>https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/</url>
+    </references>
+    <dates>
+      <discovery>2017-06-13</discovery>
+      <entry>2017-06-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="bce47c89-4d3f-11e7-8080-a4badb2f4699">
     <topic>roundcube -- arbitrary password resets</topic>
     <affects>
