[ GLSA 201811-04 ] Mozilla Firefox: Multiple vulnerabilities


From: Thomas Deutschmann
Reply-To: security@gentoo.org
To: gentoo-announce@lists.gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201811-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla Firefox: Multiple vulnerabilities
Date: November 09, 2018
Bugs: #669430
ID: 201811-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

Multiple vulnerabilities have been found in Mozilla Firefox, the worst
of which may allow execution of arbitrary code.

Background

Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages

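-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox 60.3.0
2 www-client/firefox-bin 60.3.0
-------------------------------------------------------------------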
2 affected packages

Description

Multiple vulnerabilities have been discovered in Mozilla Firefox.
Please review the CVE identifiers referenced below for details.

Impact

A remote attacker could entice a user to view a specially crafted web
page, possibly resulting in the execution of arbitrary code with the
privileges of the process, a Denial of Service condition, a bypass of
access restrictions, or access to otherwise protected information.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">www-client/firefox-60.3.0"

All Mozilla Firefox binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">www-client/firefox-bin-60.3.0"

References

[ 1 ] CVE-2018-12389
https://nvd.nist.gov/vuln/detail/CVE-2018-12389
[ 2 ] CVE-2018-12390
https://nvd.nist.gov/vuln/detail/CVE-2018-12390
[ 3 ] CVE-2018-12392
https://nvd.nist.gov/vuln/detail/CVE-2018-12392
[ 4 ] CVE-2018-12393
https://nvd.nist.gov/vuln/detail/CVE-2018-12393
[ 5 ] CVE-2018-12395
https://nvd.nist.gov/vuln/detail/CVE-2018-12395
[ 6 ] CVE-2018-12396
https://nvd.nist.gov/vuln/detail/CVE-2018-12396
[ 7 ] CVE-2018-12397
https://nvd.nist.gov/vuln/detail/CVE-2018-12397
[ 8 ] Mozilla Foundation Security Advisory 2018-27
https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201811-04

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
