From nobody Fri Feb 07 16:49:49 2025
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YqKhF3gjyz5mTH9;
	Fri, 07 Feb 2025 16:49:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4YqKhF2rl6z3t09;
	Fri, 07 Feb 2025 16:49:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1738946989;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=prDItSY0uleKLvmX+f92G/G9zh+aoFDxj1NkEuOYdkE=;
	b=sAqIODKHFWKnTE0Sx5JVbtnvfMQbZGSpu/U57heZfGAPPFpbn6zj5JE4ANIm+fmkVGKN7W
	nEdvUhAM3pMFHsjjLSMCIJ9jqMh7+AASVMKtprCm2OtunNQVXhDZhCqzIem1oKCZeUkrCG
	2kPKIA1uUMZ7YZHRcUxneQY7ifMTDpu+bC0CFatINSfuLY2LYOgqfUKr3Kqb7VeCu1iVfU
	mPEf+Wf6u0HC/Vf2CHX9NaaOXVK+U14wPTQ/pinL15akKp+MrDkqP4Ahpf+qwHVFcYoUPB
	oXXL/gtPvoJF915EMWsvrCNPCoRXsqJKbVbRlbXMgI0/fuDS0myM32upYgsADQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1738946989;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=prDItSY0uleKLvmX+f92G/G9zh+aoFDxj1NkEuOYdkE=;
	b=pNgsjiz8xloI1zBHfg7vPKOyFZu6CW3KtB7Zyz4mJ88l/lACLeZps9eiWNJAXSVrVQiUQQ
	O9XjnvmYHeV36XbGDQH+837bXz5qvtHvKncgdLlfEqA9VXHXKqwzb0C/AlqRa0bcXfknXB
	SlvYJvoeLmLXr1yzR0VmLUlJ8YCClLenv6drdbofnmIQ/SK7XKP7bSna8LvRaNdW5npxxL
	m5GHN8bQdyQSypNPkUwWQV9QvYL+Oby69+BsC6Yh+SvEe3Crgos0+bxQT7ySIgXB3V8SCk
	BLRrbedXDXJiIpXH3GU995TcSbhIyHOOawBnHKjP/l4gh2YyFmoxMOYvLTtFJQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738946989; a=rsa-sha256; cv=none;
	b=NNliFAMyaQHNQr0lwYu363N8DE7GWexZWYomLDwoI1+I9D68P+Ixj563Na+Fd7pRcp/ddP
	5T1lfsdoHdykSFrixVfMatkmGYaXtTY7DJfFpax5gzcco43GG2XlzHxcT9Zs4ro9h74kvK
	GZuO9u63UOUE+c0cu93a+XkaUE1LhV+3pEt4ubOKkNazkOzg4kWiNZRKmEQ35EEXNnxSWj
	tKdnhteOvK1evghskx/SuCNs7A2Cj0sLfwcg4XbiZfk/XoeAnwHt2PARzl4+jWnJublWVj
	bZ9VZ3gVirBvfHM7RsImLeTK8mQ1R0dgwp3vYvAfFC62/8B0NXNDfs8vVpH9yQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YqKhF28jKzYvc;
	Fri, 07 Feb 2025 16:49:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 517GnndN029484;
	Fri, 7 Feb 2025 16:49:49 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 517GnnKq029481;
	Fri, 7 Feb 2025 16:49:49 GMT
	(envelope-from git)
Date: Fri, 7 Feb 2025 16:49:49 GMT
Message-Id: <202502071649.517GnnKq029481@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org>
Subject: git: d62ea8c0ed16 - main - security/vuxml: Entries for
  mozilla products
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d62ea8c0ed16eade163e7af7293829dad0a4dcd2
Auto-Submitted: auto-generated

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d62ea8c0ed16eade163e7af7293829dad0a4dcd2

commit d62ea8c0ed16eade163e7af7293829dad0a4dcd2
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-02-07 16:47:56 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-02-07 16:48:21 +0000

    security/vuxml: Entries for mozilla products
    
    CVE-2025-10{09,10,11,12,13,14,15,16,17,18,19,20}
---
 security/vuxml/vuln/2025.xml | 172 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)

diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index d237a93416e7..1a7462c511a2 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,175 @@
+  <vuln vid="20485d27-e540-11ef-a845-b42e991fc52e">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>135.0.0,2</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>128.7,1</lt></range>
+      </package>
+      <package>
+	<name>thunderbird</name>
+	<range><lt>128.7</lt></range>
+	<range><gt>129</gt><lt>135</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@mozilla.org reports:</p>
+	<blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1926256%2C1935984%2C1935471">
+	<p>A bug in WebAssembly code generation could have lead to a crash.
+	It may have been possible for an attacker to leverage this to achieve
+	code execution.</p>
+	<p>A race condition could have led to private browsing tabs being
+	opened in normal browsing windows.  This could have resulted in a
+	potential privacy leak.</p>
+	<p>Certificate length was not properly checked when added to a certificate
+	store.  In practice only trusted data was processed.</p>
+	<p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox
+	ESR 128.6, and Thunderbird 128.6.  Some of these bugs showed evidence
+	of memory corruption and we presume that with enough effort some
+	of these could have been exploited to run arbitrary code.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-1011</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1011</url>
+      <cvename>CVE-2025-1013</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1013</url>
+      <cvename>CVE-2025-1014</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1014</url>
+      <cvename>CVE-2025-1017</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1017</url>
+    </references>
+    <dates>
+      <discovery>2025-02-04</discovery>
+      <entry>2025-02-07</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f7ca4ff7-e53f-11ef-a845-b42e991fc52e">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>mozilla</name>
+	<range><lt>135.0.0,2</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@mozilla.org reports:</p>
+	<blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1939063%2C1942169">
+	  <p>Memory safety bugs present in Firefox 134 and Thunderbird 134.  Some
+	of these bugs showed evidence of memory corruption and we presume
+	that with enough effort some of these could have been exploited to
+	run arbitrary code.</p>
+	  <p>The fullscreen notification is prematurely hidden when fullscreen
+	is re-requested quickly by the user.  This could have been leveraged
+	to perform a potential spoofing attack.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-1018</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1018</url>
+      <cvename>CVE-2025-1019</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1019</url>
+      <cvename>CVE-2025-1020</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1020</url>
+    </references>
+    <dates>
+      <discovery>2025-02-04</discovery>
+      <entry>2025-02-07</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e54a1413-e539-11ef-a845-b42e991fc52e">
+    <topic>mozilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>firefox</name>
+	<range><lt>135.0.0,2</lt></range>
+      </package>
+      <package>
+	<name>firefox-esr</name>
+	<range><lt>115.20,1</lt></range>
+	<range><gt>116.0,1</gt><lt>128.6,1</lt></range>
+      </package>
+      <package>
+	<name>thunderbird</name>
+	<range><lt>128.7</lt></range>
+	<range><gt>129</gt><lt>135</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@mozilla.org reports:</p>
+	<blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1936601%2C1936844%2C1937694%2C1938469%2C1939583%2C1940994">
+	<p>An attacker could have caused a use-after-free via crafted XSLT
+	data, leading to a potentially exploitable crash.</p>
+	<p>An attacker could have caused a use-after-free via the Custom
+	Highlight API, leading to a potentially exploitable crash.</p>
+	<p>A race during concurrent delazification could have led to a
+	use-after-free.</p>
+	<p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox
+	ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird
+	128.6.  Some of these bugs showed evidence of memory corruption and
+	we presume that with enough effort some of these could have been
+	exploited to run arbitrary code.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-1009</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1009</url>
+      <cvename>CVE-2025-1010</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1010</url>
+      <cvename>CVE-2025-1012</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1012</url>
+      <cvename>CVE-2025-1016</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1016</url>
+    </references>
+    <dates>
+      <discovery>2025-02-04</discovery>
+      <entry>2025-02-07</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="830381c7-e539-11ef-a845-b42e991fc52e">
+    <topic>Thundirbird -- unprivileged JavaScript code execution</topic>
+    <affects>
+      <package>
+	<name>mozilla</name>
+	<range><lt>128.7,1</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>security@mozilla.org reports:</p>
+	<blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1939458">
+	  <p>The Thunderbird Address Book URI fields contained unsanitized links.
+	This could be used by an attacker to create and export an address
+	book containing a malicious payload in a field.  For example, in
+	the Other field of the Instant Messaging section.  If another user
+	imported the address book, clicking on the link could result in
+	opening a web page inside Thunderbird, and that page could execute
+	(unprivileged) JavaScript.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-1015</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1015</url>
+    </references>
+    <dates>
+      <discovery>2025-02-04</discovery>
+      <entry>2025-02-07</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="7bcfca95-e563-11ef-873e-8447094a420f">
     <topic>MariaDB -- DoS vulnerability in InnoDB</topic>
     <affects>