
Mageia 8: 2023-0018 Moderate: Firefox NSS Crash and Library Risks

January 24, 2023

Summary

A vulnerability was found in NSS. The NSS client auth crashes without a user certificate in the database, leading to a segmentation fault or crash (CVE-2022-3479).
An out-of-date library (libusrsctp) contained vulnerabilities that could potentially be exploited (CVE-2022-46871).
By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks (CVE-2022-46877).
Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged, a website could arbitrarily read a file via a call to DataTransfer.setData (CVE-2023-23598).
Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks (CVE-2023-23601).
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could l...


References

- https://bugs.mageia.org/show_bug.cgi?id=31415

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html

- https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/

- https://access.redhat.com/errata/RHSA-2023:0288

- https://www.cve.org/CVERecord?id=CVE-2022-3479

- https://www.cve.org/CVERecord?id=CVE-2022-46871

- https://www.cve.org/CVERecord?id=CVE-2022-46877

- https://www.cve.org/CVERecord?id=CVE-2023-23598

- https://www.cve.org/CVERecord?id=CVE-2023-23601

- https://www.cve.org/CVERecord?id=CVE-2023-23602

- https://www.cve.org/CVERecord?id=CVE-2023-23603

- https://www.cve.org/CVERecord?id=CVE-2023-23605

Resolution

SRPMS

- 8/core/firefox-102.7.0-1.mga8

- 8/core/firefox-l10n-102.7.0-1.mga8

- 8/core/nss-3.87.0-1.mga8

Publication date: 24 Jan 2023
URL: https://advisories.mageia.org/MGASA-2023-0018.html
Type: security
CVE: CVE-2022-3479, CVE-2022-46871, CVE-2022-46877, CVE-2023-23598, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605
