MGASA-2014-0507

Advisory lineage Upstream: 6 Downstream: 0
Published: 03 Dec 2014, 19:27
Last modified: 16 Apr 2026, 06:22

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

03 Dec 2014, 19:27: Published (vulnerability first disclosed)
16 Apr 2026, 06:22: Last Modified (vulnerability information updated)

Description

Updated firefox & thunderbird packages fix security vulnerabilities

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0, mitigating CVE-2014-3566, also known as POODLE.

SSL 3.0 support has also been disabled by default in this Firefox and Thunderbird update, further mitigating POODLE.
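The length rule behind the CVE-2014-1569 entry above, as an added example (not NSS code and not part of the advisory): DER requires every length in its shortest form, so a strict decoder rejects indefinite, zero-padded and needlessly long-form lengths instead of accepting them. The function name, result codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes and helper name; this is not an NSS API. */
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_INDEFINITE = -2,
       DER_NON_MINIMAL = -3, DER_TOO_LARGE = -4 };

/* Strictly decode the DER length octets at buf (the bytes after the tag).
 * On DER_OK, *len is the content length and *used the length-octet count. */
int der_read_length(const uint8_t *buf, size_t avail, size_t *len, size_t *used)
{
    size_t n = 0, value = 0;

    if (avail < 1) return DER_TRUNCATED;
    if (buf[0] < 0x80) {
        value = buf[0];                                /* short form: 0..127 */
    } else {
        n = buf[0] & 0x7f;                             /* long form: n octets follow */
        if (n == 0) return DER_INDEFINITE;             /* 0x80: not allowed in DER */
        if (avail < 1 + n) return DER_TRUNCATED;
        if (buf[1] == 0) return DER_NON_MINIMAL;       /* leading zero padding */
        if (n > sizeof(size_t)) return DER_TOO_LARGE;
        for (size_t i = 1; i <= n; i++)
            value = (value << 8) | buf[i];
        if (value < 0x80) return DER_NON_MINIMAL;      /* short form was required */
    }
    if (value > avail - 1 - n) return DER_TRUNCATED;   /* content past end of buffer */
    *len = value;
    *used = 1 + n;
    return DER_OK;
}

/* Constructed samples: length octets followed by content bytes. */
static const uint8_t ok_short[]    = { 0x02, 0xaa, 0xbb };
static const uint8_t padded_zero[] = { 0x84, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t long_for_5[]  = { 0x81, 0x05, 1, 2, 3, 4, 5 };
static const uint8_t indefinite[]  = { 0x80, 0x00, 0x00 };
static const uint8_t long_128[130] = { 0x81, 0x80 };   /* 128 zero content bytes */

int main(void)
{
    size_t len = 0, used = 0;
    printf("short=%d padded_zero=%d long_for_5=%d indefinite=%d long_128=%d\n",
           der_read_length(ok_short, sizeof ok_short, &len, &used),
           der_read_length(padded_zero, sizeof padded_zero, &len, &used),
           der_read_length(long_for_5, sizeof long_for_5, &len, &used),
           der_read_length(indefinite, sizeof indefinite, &len, &used),
           der_read_length(long_128, sizeof long_128, &len, &used));
    return 0;
}
```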

Affected Systems

  • mageia firefox < 31.3.0-1.mga4

  • mageia firefox-l10n < 31.3.0-1.mga4

  • mageia nss < 3.17.3-1.mga4

  • mageia rootcerts < 20141117.00-1.mga4

  • mageia thunderbird < 31.3.0-1.mga4

  • mageia thunderbird-l10n < 31.3.0-1.mga4

References (14)