From nobody Thu Sep 05 17:00:38 2024
Date: Thu, 5 Sep 2024 17:00:38 GMT
Message-Id: <202409051700.485H0cZU098757@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Fernando Apesteguía
Subject: git: b447efc7742e - main - security/vuxml: Firefox multiple vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b447efc7742e2865d1367a5291e9940d853fffe0
Auto-Submitted: auto-generated

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b447efc7742e2865d1367a5291e9940d853fffe0

commit b447efc7742e2865d1367a5291e9940d853fffe0
Author:     Fernando Apesteguía
AuthorDate: 2024-09-05 16:53:18 +0000
Commit:     Fernando Apesteguía
CommitDate: 2024-09-05 17:00:26 +0000

    security/vuxml: Firefox multiple vulnerabilities

    CVE-2024-8381:
    * Base Score: 9.8 CRITICAL
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2024-8382:
    * Base Score: 8.8 HIGH
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    CVE-2024-8383:
    * Base Score: 7.5 HIGH
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    CVE-2024-8384:
    * Base Score: 9.8 CRITICAL
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2024-8385:
    * Base Score: 9.8 CRITICAL
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2024-8386:
    * Base Score: 6.1 MEDIUM
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    CVE-2024-8387:
    * Base Score: 9.8 CRITICAL
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2024-8389:
    * Base Score: 9.8 CRITICAL
    * Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
---
 security/vuxml/vuln/2024.xml | 80 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index cfd544457a48..04db8e5fbac3 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,83 @@ + + firefox -- multiple vulnerabilities + + + firefox + 130.0_1 + + + + +

security@mozilla.org reports:

+
+

This entry contains 8 vulnerabilities:

+
    +
  • CVE-2024-8381: A potentially exploitable type + confusion could be triggered when looking up a property + name on an object being used as the `with` environment.
  • +
  • CVE-2024-8382: Internal browser event interfaces were + exposed to web content when privileged EventHandler listener + callbacks ran for those events. Web content that tried to + use those interfaces would not be able to use them with + elevated privileges, but their presence would indicate + certain browser features had been used, such as when a user + opened the Dev Tools console.
  • +
  • CVE-2024-8383: Firefox normally asks for confirmation + before asking the operating system to find an application to + handle a scheme that the browser does not support. It did not + ask before doing so for the Usenet-related schemes news: and + snews:. Since most operating systems don't have a + trusted newsreader installed by default, an unscrupulous + program that the user downloaded could register itself as a + handler. The website that served the application download + could then launch that application at will.
  • +
  • CVE-2024-8384: The JavaScript garbage collector could + mis-color cross-compartment objects if OOM conditions were + detected at the right point between two passes. This could have + led to memory corruption.
  • +
  • CVE-2024-8385: A difference in the handling of + StructFields and ArrayTypes in WASM could be used to trigger + an exploitable type confusion vulnerability.
  • +
  • CVE-2024-8386: If a site had been granted the permission + to open popup windows, it could cause Select elements to + appear on top of another site to perform a spoofing attack.
  • +
  • CVE-2024-8387: Memory safety bugs present in Firefox 129, + Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs + showed evidence of memory corruption and we presume that with + enough effort some of these could have been exploited to run + arbitrary code.
  • +
  • CVE-2024-8389: Memory safety bugs present in Firefox 129. + Some of these bugs showed evidence of memory corruption and we + presume that with enough effort some of these could have been + exploited to run arbitrary code.
  • +
+
+ +
+ + CVE-2024-8381 + https://nvd.nist.gov/vuln/detail/CVE-2024-8381 + CVE-2024-8382 + https://nvd.nist.gov/vuln/detail/CVE-2024-8382 + CVE-2024-8383 + https://nvd.nist.gov/vuln/detail/CVE-2024-8383 + CVE-2024-8384 + https://nvd.nist.gov/vuln/detail/CVE-2024-8384 + CVE-2024-8385 + https://nvd.nist.gov/vuln/detail/CVE-2024-8385 + CVE-2024-8386 + https://nvd.nist.gov/vuln/detail/CVE-2024-8386 + CVE-2024-8387 + https://nvd.nist.gov/vuln/detail/CVE-2024-8387 + CVE-2024-8389 + https://nvd.nist.gov/vuln/detail/CVE-2024-8389 + + + 2024-09-03 + 2024-09-05 + +
+ FreeBSD -- umtx Kernel panic or Use-After-Free
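
Review bot: The affected-package list at the top of this entry names only firefox with the single range value 130.0_1, yet the quoted description of CVE-2024-8387 further down says those memory safety bugs were also present in Firefox ESR 128.1 and Thunderbird 128.1. As written, an audit against this file will flag outdated firefox installs but stay silent on firefox-esr and thunderbird for the same CVE. Consider adding those packages with their own fixed versions, either in this entry or in a follow-up one that references CVE-2024-8387.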