Hello.
Firefox-31.5.2 was released recently with fixes for vulnerabilities disclosed at the Pwn2Own contest: https://www.mozilla.org/en-US/firefox/31.5.2/releasenotes/
There is also a security advisory regarding the 31.5.3 version with additional security fixes, but no release announcement yet: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr31.5.3
The release announcement will probably follow shortly, but the sources are already there: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/31.5.3esr/
Please bump straight to 31.5.3.
Reproducible: Always
Update: Mozilla has just posted release notes for 31.5.3: https://www.mozilla.org/en-US/firefox/31.5.3/releasenotes/
Firefox 36.0.4 was also released with security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/ https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
*** Bug 544268 has been marked as a duplicate of this bug. ***
+*firefox-36.0.4 (24 Mar 2015) +*firefox-31.5.3 (24 Mar 2015) + + 24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -firefox-31.3.0.ebuild, + +firefox-31.5.3.ebuild, +firefox-36.0.4.ebuild: + Security bump (bug #544056). Removed old. + seamonkey-2.33.1 was also bumped.
Thanks,
Arches, please stabilize:
=www-client/firefox-31.5.3
Stable targets: amd64 arm hppa ia64 ppc ppc64 x86
=www-client/seamonkey-2.33.1
Stable targets: amd64 x86
We seem to be missing ebuilds for firefox-bin and seamonkey-bin
+*firefox-bin-36.0.4 (24 Mar 2015) +*firefox-bin-31.5.3 (24 Mar 2015) + + 24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> + -firefox-bin-31.4.0.ebuild, +firefox-bin-31.5.3.ebuild, + +firefox-bin-36.0.4.ebuild: + Security bump (bug #544056). Removed old. + +*seamonkey-bin-2.33.1 (24 Mar 2015) + + 24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> + -seamonkey-bin-2.30-r1.ebuild, -seamonkey-bin-2.32.1.ebuild, + -seamonkey-bin-2.33.ebuild, +seamonkey-bin-2.33.1.ebuild: + Security bump (bug #544056). Removed old. +
Sorry guys, I always forget about the -bin packages. Arches, please stable the same versions as for the source packages for amd64 and x86. Thanks.
ia64 stable
amd64 stable
x86 stable
Stable for HPPA.
Stable for ppc/ppc64
CVE-2015-0818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818): Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
CVE-2015-0817 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817): The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ESR 31.x before 31.5.2, and SeaMonkey before 2.33.1 does not properly determine the cases in which bounds checking may be safely skipped during JIT compilation and heap access, which allows remote attackers to read or write to unintended memory locations, and consequently execute arbitrary code, via crafted JavaScript.
Arm is pending stabilization. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01 by GLSA coordinator Kristian Fiskerstrand (K_F).