3204 – The mozilla firefox packages have released a security update [UPDATE REQUEST]

Bug 3204 - The mozilla firefox packages have released a security update [UPDATE REQUEST]

Summary: The mozilla firefox packages have released a security update [UPDATE REQUEST]

Status:	RESOLVED DUPLICATE of bug 3849

Alias:	None

Product:	ROSA Fresh
Classification:	ROSA-based products
Component:	Packages from Main (show other bugs)
Version:	Marathon
Hardware:	All Linux

Importance:	Normal normal
Target Milestone:	---
Assignee:	Private ROSA Bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-11-24 02:51 MSK by Zombie Ryushu
Modified:	2014-03-24 20:02 MSK (History)
CC List:	1 user (show)

See Also:
Platform:	---
ROSA Vulnerability identifier:
RPM Package:	firefox
Upstream:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Zombie Ryushu 2013-11-24 02:51:52 MSK

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption failure
(CVE-2013-1739).

Integer overflow in Mozilla Network Security Services (NSS) 3.15 before
3.15.3 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a large size value (CVE-2013-1741).

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
many single-byte biases, which makes it easier for remote attackers
to conduct plaintext-recovery attacks via statistical analysis of
ciphertext in a large number of sessions that use the same plaintext
(CVE-2013-2566).

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via invalid handshake packets
(CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla
Network Security Services (NSS) 3.15 before 3.15.3 provides an
unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate (CVE-2013-5606).

Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
Portable Runtime (NSPR) before 4.10.2, as used in Firefox before
25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and
SeaMonkey before 2.22.1, allows remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact
via a crafted X.509 certificate, a related issue to CVE-2013-1741
(CVE-2013-5607).

The mozilla firefox packages has been upgraded to the latest ESR
version (17.0.11), the NSPR packages has been upgraded to the 4.10.2
version and the NSS packages has been upgraded to the 3.15.3 version
which is unaffected by these security flaws.Description of problem:

Comment 1 Denis Silakov 2014-03-24 20:02:20 MSK


*** This bug has been marked as a duplicate of bug 3849 ***