Bug 597836 (CVE-2016-5287, CVE-2016-5288)

Summary:	<www-client/{firefox,firefox-bin}-50.0: use after free and cache infoleak (CVE-2016-{5287,5288})
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	ab4bd, mozilla, phmagic, salikov.alexey
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---

Description Hanno Böck gentoo-dev

2016-10-22 23:30:44 UTC

There are several media reports about a severe mozilla firefox vulnerability. It's a bit mysterious, because they refer to a security advisory that currently does not exist (gives 404):
https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
It can be accessed through the google cache:
https://webcache.googleusercontent.com/search?q=cache:jXqm_dI5qI0J:https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/+&cd=1&hl=de&ct=clnk&gl=de
and mirrored here:
http://www.securitytracker.com/id/1037077

Here are some references:
https://www.us-cert.gov/ncas/current-activity/2016/10/20/Mozilla-Releases-Security-Update-Firefox
http://www.t-online.de/computer/sicherheit/id_79329446/firefox-49-0-2-mozilla-veroeffentlicht-update-ausserplanmaessig.html
http://www.scmagazine.com/mozilla-patches-two-firefox-vulnerabilities/article/567354/

Please bump.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-10 20:52:01 UTC

These bugs only affect our unstable firefox package. First version containing the fixes which landed in repository was v50.0.