Bug 563230 (CVE-2015-7184) - <www-client/firefox-41.0.2 - cross-origin restriction bypass using fetch (CVE-2015-7184)
Status: RESOLVED FIXED
Alias: CVE-2015-7184
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-16 11:05 UTC by Coacher
Modified: 2016-05-31 05:54 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Coacher 2015-10-16 11:05:37 UTC
Hello.

firefox-41.0.2 was released with a security fix:

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41.0.2
https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/

Please bump.
Comment 1 Agostino Sarubbo gentoo-dev 2015-10-19 14:18:25 UTC
does this affect 38.x?
Comment 2 Ian Stakenvicius (RETIRED) gentoo-dev 2015-10-19 14:29:23 UTC
Technically, yes it might be, but not in a general case.  Prior to firefox-39, the code supporting the "Fetch API" was reportedly in place but disabled, and needed to be manually enabled in about:config.

As mozilla didn't feel the risk was worthy enough for a security patch to the 38 series, I think we are probably good to exclude it here as well.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-02-29 13:37:31 UTC
@maintainers, I only see this as being applied to 41.0.2 and not backported.  Per previous comments I think we can move on here. Any objections?
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2016-02-29 15:25:17 UTC
(In reply to Aaron Bauman from comment #3)
> @maintainers, I only see this as being applied to 41.0.2 and not backported.
> Per previous comments I think we can move on here. Any objections?

No need to backport, all versions prior to firefox-39 (i.e., 38.x ESR and earlier) are unaffected. Yes, please continue.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 08:11:22 UTC
Added to existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 05:54:43 UTC
This issue was resolved and addressed in GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06 by GLSA coordinator Yury German (BlueKnight).