[Triage-desktop] [Bug 3204] New: The mozilla firefox packages have released a security update [UPDATE REQUEST]

bugzilla-daemon bugzilla-daemon at rosalab.ru
Sun Nov 24 02:51:52 MSK 2013


http://bugs.rosalinux.ru/show_bug.cgi?id=3204

          Priority: Normal
            Bug ID: 3204
          Assignee: triage-desktop at lists.rosalab.ru
           Summary: The mozilla firefox packages have released a security
                    update [UPDATE REQUEST]
        QA Contact: triage-desktop at lists.rosalab.ru
          Severity: normal
    Classification: ROSA Desktop
                OS: Linux
       RPM Package: firefox
          Reporter: zombie_ryushu at yahoo.com
          Hardware: All
            Status: CONFIRMED
           Version: Marathon 2012
         Component: -Enter Bugs Here-
           Product: Desktop Bugs

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption failure
(CVE-2013-1739).

Integer overflow in Mozilla Network Security Services (NSS) 3.15 before
3.15.3 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a large size value (CVE-2013-1741).

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
many single-byte biases, which makes it easier for remote attackers
to conduct plaintext-recovery attacks via statistical analysis of
ciphertext in a large number of sessions that use the same plaintext
(CVE-2013-2566).

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via invalid handshake packets
(CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla
Network Security Services (NSS) 3.15 before 3.15.3 provides an
unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate (CVE-2013-5606).

Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
Portable Runtime (NSPR) before 4.10.2, as used in Firefox before
25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and
SeaMonkey before 2.22.1, allows remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact
via a crafted X.509 certificate, a related issue to CVE-2013-1741
(CVE-2013-5607).

The mozilla firefox packages has been upgraded to the latest ESR
version (17.0.11), the NSPR packages has been upgraded to the 4.10.2
version and the NSS packages has been upgraded to the 3.15.3 version
which is unaffected by these security flaws.Description of problem:

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rosalab.ru/pipermail/triage-desktop/attachments/20131123/babd3b16/attachment.html>


More information about the Triage-desktop mailing list