CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
96.4%
A flaw was discovered in the implementation of typed array bounds checking in the Javascript just-in-time compilation. If a user were tricked in to opening a specially crafted website, an attacked could exploit this to execute arbitrary code with the privileges of the user invoking Firefox (CVE-2015-0817). Mariusz Mlynski discovered a flaw in the processing of SVG format content navigation. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to run arbitrary script in a privileged context (CVE-2015-0818). The firefox package has been updated to version 31.5.3 to fix these issues. Also, the nss package has been updated to version 3.18, which enables TLS and DTLS 1.2, increases the default RSA key size created by certutil to 2048 bits, and has some CA root certificate updates.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | rootcerts | < 20150226.00-1 | rootcerts-20150226.00-1.mga4 |
Mageia | 4 | noarch | nss | < 3.18.0-1 | nss-3.18.0-1.mga4 |
Mageia | 4 | noarch | firefox | < 31.5.3-1 | firefox-31.5.3-1.mga4 |
Mageia | 4 | noarch | firefox-l10n | < 31.5.3-1 | firefox-l10n-31.5.3-1.mga4 |
www.ubuntu.com/usn/usn-2538-1/
bugs.mageia.org/show_bug.cgi?id=15555
developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
www.mozilla.org/en-US/security/advisories/mfsa2015-28/
www.mozilla.org/en-US/security/advisories/mfsa2015-29/
www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/