| Beschreibung: | Summary:
The remote host is missing an update for the 'firefox, firefox-l10n, thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2015-0025 advisory.
Vulnerability Insight:
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-8634).
It was found that the Beacon interface implementation in Firefox and
Thunderbird did not follow the Cross-Origin Resource Sharing (CORS)
specification. A web page containing malicious content could allow a remote
attacker to conduct a Cross-Site Request Forgery (XSRF) attack
(CVE-2014-8638).
It was found that a Web Proxy returning a 407 Proxy Authentication response
with a Set-Cookie header could inject cookies into the originally requested
domain. This could be used for session-fixation attacks. This attack only
allows cookies to be written but does not allow them to be read
(CVE-2014-8639).
Security researcher Mitchell Harper discovered a read-after-free in WebRTC
due to the way tracks are handled. This results in a either a potentially
exploitable crash or incorrect WebRTC behavior. Note that this issue only
affects Firefox (CVE-2014-8641).
Affected Software/OS:
'firefox, firefox-l10n, thunderbird, thunderbird-l10n' package(s) on Mageia 4.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
