CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 100.0% |

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0, mitigating CVE-2014-3566, also known as POODLE.

SSL 3.0 support has also been disabled by default in this Firefox and Thunderbird update, further mitigating POODLE.

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | rootcerts | < 20141117.00-1 | rootcerts-20141117.00-1.mga4 |
Mageia | 4 | noarch | nss | < 3.17.3-1 | nss-3.17.3-1.mga4 |
Mageia | 4 | noarch | firefox | < 31.3.0-1 | firefox-31.3.0-1.mga4 |
Mageia | 4 | noarch | firefox-l10n | < 31.3.0-1 | firefox-l10n-31.3.0-1.mga4 |
Mageia | 4 | noarch | thunderbird | < 31.3.0-1 | thunderbird-31.3.0-1.mga4 |
Mageia | 4 | noarch | thunderbird-l10n | < 31.3.0-1 | thunderbird-l10n-31.3.0-1.mga4 |
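
The kind of strict length check DER requires, relevant to the CVE-2014-1569 description above, shown as an added example (not NSS code; `der_read_length` and the status names are hypothetical). DER allows exactly one encoding per length: short form below 128, otherwise long form with the fewest possible octets, and never the indefinite form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum der_len_status {    /* names are this example's own, not NSS identifiers */
    DER_LEN_OK = 0,
    DER_LEN_TRUNCATED,   /* input ends inside the length field */
    DER_LEN_INDEFINITE,  /* 0x80: BER indefinite form, not allowed in DER */
    DER_LEN_RESERVED,    /* 0xFF as first length octet is reserved */
    DER_LEN_NON_MINIMAL, /* leading zero octet, or long form for a value < 128 */
    DER_LEN_TOO_LARGE,   /* value does not fit in size_t */
    DER_LEN_OVERRUN      /* declared content length exceeds remaining input */
};

/* Parse the length octets at buf (the bytes right after the tag).
 * On DER_LEN_OK, *len is the content length and *used the octets consumed. */
enum der_len_status der_read_length(const uint8_t *buf, size_t avail,
                                    size_t *len, size_t *used)
{
    if (avail == 0) return DER_LEN_TRUNCATED;
    if (buf[0] < 0x80) {                      /* short form: one octet */
        if ((size_t)buf[0] > avail - 1) return DER_LEN_OVERRUN;
        *len = buf[0]; *used = 1;
        return DER_LEN_OK;
    }
    if (buf[0] == 0x80) return DER_LEN_INDEFINITE;
    if (buf[0] == 0xFF) return DER_LEN_RESERVED;
    size_t n = buf[0] & 0x7F;                 /* number of length octets */
    if (n > avail - 1) return DER_LEN_TRUNCATED;
    if (buf[1] == 0x00) return DER_LEN_NON_MINIMAL;
    if (n > sizeof(size_t)) return DER_LEN_TOO_LARGE;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
    if (v < 0x80) return DER_LEN_NON_MINIMAL; /* short form was required */
    if (v > avail - 1 - n) return DER_LEN_OVERRUN;
    *len = v; *used = 1 + n;
    return DER_LEN_OK;
}

int main(void)
{
    /* Constructed sample: same 5-byte content, minimal vs. padded length. */
    const uint8_t strict[] = {0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t padded[] = {0x82, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    size_t len = 0, used = 0;
    printf("strict: %d\n", der_read_length(strict, sizeof strict, &len, &used));
    printf("padded: %d\n", der_read_length(padded, sizeof padded, &len, &used));
    return 0;
}
```
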
bugs.mageia.org/show_bug.cgi?id=14716
bugzilla.mozilla.org/show_bug.cgi?id=1064670
developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
rhn.redhat.com/errata/RHSA-2014-1919.html
rhn.redhat.com/errata/RHSA-2014-1924.html
rhn.redhat.com/errata/RHSA-2014-1948.html
www.mozilla.org/en-US/security/advisories/mfsa2014-83/
www.mozilla.org/en-US/security/advisories/mfsa2014-85/
www.mozilla.org/en-US/security/advisories/mfsa2014-87/
www.mozilla.org/en-US/security/advisories/mfsa2014-88/
www.mozilla.org/en-US/security/advisories/mfsa2014-89/
www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/