| Field | Value |
|---|---|
| Summary | www-client/firefox-{38.2.1,40.0.3}: Add-on notification bypass through data URLs |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Randy Barlow <randy> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/ |
| Whiteboard | A2 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description

Randy Barlow, 2015-08-30 18:32:31 UTC

There is another security flaw that is more serious (listed as critical) that these same versions of Firefox fix:

CVE-2015-4497: Use-after-free when resizing canvas element during restyling
https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/

Should I adjust this bug's CVE Alias and name to reflect the more serious of the two vulnerabilities since they both have the same fix (update to 38.2.1 and 40.0.3), or is this note sufficient, or should I file another bug about the other CVE? Sorry, I'm not very familiar with the Gentoo policies about this. Should we raise the importance on the bug to reflect the severity of the other issue?

---

*** Bug 559090 has been marked as a duplicate of this bug. ***

---

Comment #3, Ian Stakenvicius

firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.

ATs, please stabilize 38.2.1 at your leisure.

www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"
www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"

---

Ian Stakenvicius

(In reply to Ian Stakenvicius from comment #3)
> firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.
>
> ATs, please stabilize 38.2.1 at your leisure.
>
> www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"
> www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"

Err, sorry -- s/38.2.0/38.2.1/

---

amd64 stable

---

x86 stable

---

Stable for HPPA PPC64.

---

38.3.0 was done in 561246

---

Added to an existing GLSA Request.

---

This issue was resolved and addressed in GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06 by GLSA coordinator Yury German (BlueKnight).