MGASA-2024-0092 - Updated nss firefox, nss packages fix security vulnerabilities

Publication date: 27 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0092.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-0743,
     CVE-2024-2607,
     CVE-2024-2608,
     CVE-2024-2616,
     CVE-2023-5388,
     CVE-2024-2610,
     CVE-2024-2611,
     CVE-2024-2612,
     CVE-2024-2614,
     CVE-2024-29944

Crash in NSS TLS method. (CVE-2024-0743)
JIT code failed to save return registers on Armv7-A. (CVE-2024-2607)
Integer overflow could have led to out of bounds write. (CVE-2024-2608)
Improve handling of out-of-memory conditions in ICU. (CVE-2024-2616)
NSS susceptible to timing attack against RSA decryption. (CVE-2023-5388)
Improper handling of html and body tags enabled CSP nonce leakage.
(CVE-2024-2610)
Clickjacking vulnerability could have led to a user accidentally
granting permissions. (CVE-2024-2611)
Self referencing object could have potentially led to a use-after-free.
(CVE-2024-2612)
Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and
Thunderbird 115.9. (CVE-2024-2614)
Privileged JavaScript Execution via Event Handlers. (CVE-2024-29944)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32986
- https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
- https://www.mozilla.org/en-US/firefox/115.9.1/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2616
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29944

SRPMS:
- 9/core/nss-3.99.0-1.mga9
- 9/core/firefox-115.9.1-1.mga9
- 9/core/firefox-l10n-115.9.1-1.mga9
