| Description: | Summary:
The remote host is missing an update for the 'iceape' package(s) announced via the MGASA-2015-0126 advisory.
Vulnerability Insight:
Updated iceape packages fix security issues:
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 36.0 allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors. (CVE-2015-0835)
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before
31.5 allow remote attackers to cause a denial of service (memory corruption
and application crash) or possibly execute arbitrary code via unknown
vectors. (CVE-2015-0836)
Mozilla Firefox before 36.0 does not properly recognize the equivalence of
domain names with and without a trailing . (dot) character, which allows
man-in-the-middle attackers to bypass the HPKP and HSTS protection
mechanisms by constructing a URL with this character and leveraging access
to an X.509 certificate for a domain with this character. (CVE-2015-0832)
The WebGL implementation in Mozilla Firefox before 36.0 does not properly
allocate memory for copying an unspecified string to a shader's compilation
log, which allows remote attackers to cause a denial of service
(application crash) via crafted WebGL content. (CVE-2015-0830)
Use-after-free vulnerability in the
mozilla::dom::IndexedDB::IDBObjectStore::CreateIndex function in Mozilla
Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before
31.5 allows remote attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via crafted content that is improperly
handled during IndexedDB index creation. (CVE-2015-0831)
Buffer overflow in libstagefright in Mozilla Firefox before 36.0 allows
remote attackers to execute arbitrary code via a crafted MP4 video that is
improperly handled during playback. (CVE-2015-0829)
Double free vulnerability in the nsXMLHttpRequest::GetResponse function in
Mozilla Firefox before 36.0, when a nonstandard memory allocator is used,
allows remote attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via crafted JavaScript code that makes an
XMLHttpRequest call with zero bytes of data. (CVE-2015-0828)
Heap-based buffer overflow in the mozilla::gfx::CopyRect function in
Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird
before 31.5 allows remote attackers to obtain sensitive information from
uninitialized process memory via a malformed SVG graphic. (CVE-2015-0827)
The nsTransformedTextRun::SetCapitalization function in Mozilla Firefox
before 36.0 allows remote attackers to execute arbitrary code or cause a
denial of service (out-of-bounds read of heap memory) via a crafted
Cascading Style Sheets (CSS) token sequence that triggers a restyle or
reflow operation. (CVE-2015-0826)
Stack-based buffer underflow in the mozilla::MP3FrameParser::ParseBuffer
function in Mozilla Firefox ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS:
'iceape' package(s) on Mageia 4.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
