Ubuntu 2458-2: Ubufox update

    Date: 14 Jan 2015
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    This update provides compatible packages for Firefox 35.
    ==========================================================================
    Ubuntu Security Notice USN-2458-2
    January 14, 2015
    
    ubufox update
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 14.10
    - Ubuntu 14.04 LTS
    - Ubuntu 12.04 LTS
    
    Summary:
    
    This update provides compatible packages for Firefox 35.
    
    Software Description:
    - ubufox: Ubuntu Firefox specific configuration defaults and apt support
    
    Details:
    
    USN-2458-1 fixed vulnerabilities in Firefox. This update provides the
    corresponding version of Ubufox.
    
    Original advisory details:
    
     Christian Holler, Patrick McManus, Christoph Diehl, Gary Kwong, Jesse
     Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier discovered
     multiple memory safety issues in Firefox. If a user were tricked into
     opening a specially crafted website, an attacker could potentially exploit
     these to cause a denial of service via application crash, or execute
     arbitrary code with the privileges of the user invoking Firefox.
     (CVE-2014-8634, CVE-2014-8635)
     
     Bobby Holley discovered that some DOM objects with certain properties
     can bypass XrayWrappers in some circumstances. If a user were tricked into
     opening a specially crafted website, an attacker could potentially
     exploit this to bypass security restrictions. (CVE-2014-8636)
     
     Michal Zalewski discovered a use of uninitialized memory when rendering
     malformed bitmap images on a canvas element. If a user were tricked into
     opening a specially crafted website, an attacker could potentially
     exploit this to steal confidential information. (CVE-2014-8637)
     
     Muneaki Nishimura discovered that requests from navigator.sendBeacon()
     lack an origin header. If a user were tricked into opening a specially
     crafted website, an attacker could potentially exploit this to conduct
     cross-site request forgery (XSRF) attacks. (CVE-2014-8638)
     
     Xiaofeng Zheng discovered that a web proxy returning a 407 response
     could inject cookies into the originally requested domain. If a user
     connected to a malicious web proxy, an attacker could potentially exploit
     this to conduct session-fixation attacks. (CVE-2014-8639)
     
     Holger Fuhrmannek discovered a crash in Web Audio while manipulating
     timelines. If a user were tricked into opening a specially crafted
     website, an attacker could potentially exploit this to cause a denial
     of service. (CVE-2014-8640)
     
     Mitchell Harper discovered a use-after-free in WebRTC. If a user were
     tricked into opening a specially crafted website, an attacker could
     potentially exploit this to cause a denial of service via application
     crash, or execute arbitrary code with the privileges of the user invoking
     Firefox. (CVE-2014-8641)
     
     Brian Smith discovered that OCSP responses would fail to verify if signed
     by a delegated OCSP responder certificate with the id-pkix-ocsp-nocheck
     extension, potentially allowing a user to connect to a site with a revoked
     certificate. (CVE-2014-8642)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 14.10:
      xul-ext-ubufox                  3.0-0ubuntu0.14.10.1
    
    Ubuntu 14.04 LTS:
      xul-ext-ubufox                  3.0-0ubuntu0.14.04.1
    
    Ubuntu 12.04 LTS:
      xul-ext-ubufox                  3.0-0ubuntu0.12.04.1
    
    After a standard system update you need to restart Firefox to make
    all the necessary changes.
    
    Package Information:
      https://launchpad.net/ubuntu/+source/ubufox/3.0-0ubuntu0.14.10.1
      https://launchpad.net/ubuntu/+source/ubufox/3.0-0ubuntu0.14.04.1
      https://launchpad.net/ubuntu/+source/ubufox/3.0-0ubuntu0.12.04.1
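
To audit a fleet against the fixed versions listed under "Update instructions", the following added example (not part of the Ubuntu notice) flags hosts whose xul-ext-ubufox version sorts below the fix, using Debian version ordering. The function names and the inventory rows are constructed for illustration; only the FIXED table comes from the advisory.

```python
import re
from itertools import zip_longest

# Fixed xul-ext-ubufox versions per release, copied from the advisory.
FIXED = {
    "14.10": "3.0-0ubuntu0.14.10.1",
    "14.04": "3.0-0ubuntu0.14.04.1",
    "12.04": "3.0-0ubuntu0.12.04.1",
}

def _key(text, digits, width):
    # dpkg weights: '~' lowest (-1), end of string 0, letters, then other symbols.
    w = [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in text]
    return w + [0] * (width - len(text)), int(digits or 0)

def _cmp_part(a, b):
    """Compare an upstream or revision string as alternating text/number runs."""
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                       re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (ta, na), (tb, nb) in runs:
        width = max(len(ta), len(tb))
        ka, kb = _key(ta, na, width), _key(tb, nb, width)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def deb_compare(v1, v2):
    """Return -1, 0 or 1 for two [epoch:]upstream[-revision] version strings."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return ((e1 > e2) - (e1 < e2)) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(inventory):
    """Hosts whose installed version sorts below the advisory's fixed version."""
    return [h for h, rel, ver in inventory if deb_compare(ver, FIXED[rel]) < 0]

# Constructed inventory rows: (host, Ubuntu release, installed xul-ext-ubufox).
INVENTORY = [
    ("host-a", "14.04", "3.0-0ubuntu0.14.04.1"),
    ("host-b", "14.10", "2.9-0ubuntu0.14.10.1"),
    ("host-c", "12.04", "3.0~rc1-0ubuntu0.12.04.1"),
]

if __name__ == "__main__":
    print(unpatched(INVENTORY))
```

On an individual host, `dpkg --compare-versions` applies the same ordering to the locally installed package.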
    
    
    