MGASA-2015-0268

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2015-0268.html

Import Source

https://advisories.mageia.org/MGASA-2015-0268.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2015-0268

Related

CVE-2015-2721
CVE-2015-2722
CVE-2015-2724
CVE-2015-2728
CVE-2015-2730
CVE-2015-2733
CVE-2015-2734
CVE-2015-2735
CVE-2015-2736
CVE-2015-2737
CVE-2015-2738
CVE-2015-2739
CVE-2015-2740
CVE-2015-2743
CVE-2015-4000

Published

2015-07-05T17:22:03Z

Modified

2015-07-09T07:56:53Z

Summary

Updated firefox package fixes security vulnerability

Details

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2015-2722, CVE-2015-2724, CVE-2015-2728, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740).

A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined with another vulnerability, it could allow execution of arbitrary code with the privileges of the user running Firefox (CVE-2015-2743).

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000).

Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for a ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys (CVE-2015-2721).

Mozilla community member Watson Ladd reported that the implementation of Elliptical Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS) did not handle exceptional cases correctly. This could potentially allow for signature forgery (CVE-2015-2730).

The nss package has been updated to version 3.19.2, which fixes issues related to the minimum key sizes of finite field algorithms, including CVE-2015-4000. It also fixes CVE-2015-2721 and CVE-2015-2730.

The Mageia 4 sqlite3 package has also been updated to version 3.8.10.2, fixing an index corruption issue. Mageia 5 already shipped with version 3.8.10.2.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / nss

Package

Name: nss
Purl: pkg:rpm/mageia/nss?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.19.2-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / firefox

Package

Name: firefox
Purl: pkg:rpm/mageia/firefox?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.1.0-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / firefox-l10n

Package

Name: firefox-l10n
Purl: pkg:rpm/mageia/firefox-l10n?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.1.0-1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / sqlite3

Package

Name: sqlite3
Purl: pkg:rpm/mageia/sqlite3?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.8.10.2-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / nss

Package

Name: nss
Purl: pkg:rpm/mageia/nss?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.19.2-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / firefox

Package

Name: firefox
Purl: pkg:rpm/mageia/firefox?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.1.0-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / firefox-l10n

Package

Name: firefox-l10n
Purl: pkg:rpm/mageia/firefox-l10n?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.1.0-1.mga4

Ecosystem specific

{
    "section": "core"
}