Re: [Bug-gnuzilla] IceCat 31.8.0-gnu2 release
From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] IceCat 31.8.0-gnu2 release
Date: Sat, 22 Aug 2015 20:08:59 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Rubén Rodríguez <address@hidden> writes:
> == Changes since v31.8.0 ==
>
> * Applied patch for CVE-2015-4473 CVE-2015-4482 CVE-2015-4488
> CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4495 from Guix

As the author of the backported patches from GNU Guix included in this
release, I feel compelled to warn users that I was not able to backport
all of the patches from Mozilla's ESR 38 branch. Specifically, the
following vulnerabilities might not be addressed by 31.8.0-gnu2:

* Miscellaneous memory safety hazards
  Impact: Critical (CVE-2015-4473)
  (only partially addressed in 31.8.0-gnu2)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/

* Buffer overflows in bundled libvpx when decoding WebM video
  Impact: Critical (CVE-2015-4485, CVE-2015-4486)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/

* Overflow issues in libstagefright
  Impact: Critical, but only affects Android
  (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/

* Vulnerabilities found through code inspection
  Impact: High (CVE-2015-4487)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/

* Redefinition of non-configurable JavaScript object properties
  Impact: High (CVE-2015-4478)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/

* Out-of-bounds read with malformed MP3 file
  Impact: High (CVE-2015-4475)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/

* Arbitrary file overwriting through Mozilla Maintenance Service
  with hard links
  Impact: High, but only affects Windows systems (CVE-2015-4481)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/

* Crash when using shared memory in JavaScript
  Impact: Moderate (CVE-2015-4484)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/

Therefore, we still have an urgent need for GNU IceCat 38.2.

Mark