CVE-2021-29972: Use of out-of-date library included use-after-free vulnerability
A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well.

CVE-2021-29974: HSTS errors could be overridden when network partitioning was enabled
When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able). This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically.

CVE-2021-29975: Text message could be overlaid on top of another website
Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar), resulting in possible user confusion.

CVE-2021-29977: Memory safety bugs fixed in Firefox 90
Mozilla developers Andrew McCreight, Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Need to stabilize 78.12.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57b2b525563f1f8ad9a15e963cae3565e2ab4332

commit 57b2b525563f1f8ad9a15e963cae3565e2ab4332
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-22 05:32:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-22 05:33:48 +0000

    www-client/firefox-bin: drop vulnerable versions

    - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0

    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                  | 485 ----------------------
 www-client/firefox-bin/firefox-bin-78.11.0.ebuild | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.1.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.2.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.ebuild    | 411 ------------------
 www-client/firefox-bin/firefox-bin-90.0.ebuild    | 417 -------------------
 6 files changed, 2546 deletions(-)
x86 done
amd64 done
arm64 done

all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e8c0b609a7a5247b6b75b63e1845aa50757c628

commit 5e8c0b609a7a5247b6b75b63e1845aa50757c628
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-26 05:22:28 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-26 05:23:30 +0000

    www-client/firefox: security cleanup

    - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1

    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  584 --------------
 www-client/firefox/firefox-78.11.0.ebuild | 1183 -----------------------------
 www-client/firefox/firefox-89.0.1.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.2.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.ebuild    | 1179 ----------------------------
 www-client/firefox/firefox-90.0.1.ebuild  | 1182 ----------------------------
 www-client/firefox/firefox-90.0.ebuild    | 1182 ----------------------------
 7 files changed, 7668 deletions(-)
Unable to check for sanity: > no match for package: www-client/firefox-78.12.0
These have been cleaned, but newer security bugs are open.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57effa1a78ecfa61900fdedbc9401d0948141e99

commit 57effa1a78ecfa61900fdedbc9401d0948141e99
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-02-21 22:59:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-02-21 22:59:29 +0000

    [ GLSA 202202-03 ] Mozilla Firefox: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/802768
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/813498
    Bug: https://bugs.gentoo.org/821385
    Bug: https://bugs.gentoo.org/828538
    Bug: https://bugs.gentoo.org/831039
    Bug: https://bugs.gentoo.org/832992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202202-03.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
GLSA released, all done!