
Firefox updates


196 replies to this topic

#121 AplusWebMaster


  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 January 2015 - 07:38 AM

FYI...

Firefox 35.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....irefox/all.html

Release notes
- https://www.mozilla....1/releasenotes/
Jan 26, 2015

... complete list of changes in this release 3610 bugs found.
 

:ph34r:


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#122 AplusWebMaster


Posted 24 February 2015 - 08:56 AM

FYI...

Firefox 36.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....irefox/all.html

Security Advisories for 36.0:
- https://www.mozilla.....html#firefox36
Fixed in Firefox 36

2015-27 Caja Compiler JavaScript sandbox bypass
2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs
2015-25 Local files or privileged URLs in pages can be opened into new tabs
2015-24 Reading of local files through manipulation of form autocomplete
2015-23 Use-after-free in Developer Console date with OpenType Sanitiser
2015-22 Crash using DrawTarget in Cairo graphics library
2015-21 Buffer underflow during MP3 playback
2015-20 Buffer overflow during CSS restyling
2015-19 Out-of-bounds read and write while rendering SVG content
2015-18 Double-free when using non-default memory allocators with a zero-length XHR
2015-17 Buffer overflow in libstagefright during MP4 video playback
2015-16 Use-after-free in IndexedDB
2015-15 TLS TURN and STUN connections silently fail to simple TCP connections
2015-14 Malicious WebGL content crash when writing strings
2015-13 Appended period to hostnames can bypass HPKP and HSTS protections
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Release notes
- https://www.mozilla....0/releasenotes/
Feb 24, 2015

... complete list of changes in this release... 3608 bugs found.
___

- http://www.securityt....com/id/1031791
CVE Reference: CVE-2015-0819, CVE-2015-0821, CVE-2015-0822, CVE-2015-0823, CVE-2015-0824, CVE-2015-0825, CVE-2015-0826, CVE-2015-0827, CVE-2015-0828, CVE-2015-0829, CVE-2015-0830, CVE-2015-0831, CVE-2015-0833, CVE-2015-0834, CVE-2015-0835, CVE-2015-0836
Feb 24 2015
Version: prior to 36.0...
 

:ph34r:


Edited by AplusWebMaster, 25 February 2015 - 07:09 AM.



#123 AplusWebMaster


Posted 20 March 2015 - 06:41 PM

FYI...

Firefox 36.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....3/releasenotes/
What’s New:
Fixed: 36.0.3: Security fixes for issues disclosed at HP Zero Day Initiative's Pwn2Own contest*

* https://www.mozilla..../#firefox36.0.3
Fixed in Firefox 36.0.3
2015-29 Code execution through incorrect JavaScript bounds checking elimination
2015-28 Privilege escalation through SVG navigation
___

- https://www.us-cert....R-and-SeaMonkey
March 20, 2015 - "... Available updates include:
    • Firefox 36.0.3
    • Firefox ESR 31.5.2
    • SeaMonkey 2.33.1 ..."
___

- http://www.securityt....com/id/1031958
CVE Reference: https://cve.mitre.or...e=CVE-2015-0817
Mar 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 36.0.3 ...

All four major browsers take a stomping at Pwn2Own...
- http://arstechnica.c...ng-competition/
Mar 20, 2015 - "The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 23 March 2015 - 05:10 AM.



#124 AplusWebMaster


Posted 21 March 2015 - 02:21 PM

FYI...

Firefox 36.0.4 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....4/releasenotes/

- https://www.mozilla..../#firefox36.0.4
Fixed in Firefox 36.0.4
2015-28 Privilege escalation through SVG navigation

... HP Zero Day Initiative's Pwn2Own contest... AGAIN.
___

- http://www.securityt....com/id/1031959
CVE Reference: https://cve.mitre.or...e=CVE-2015-0818
Mar 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 36.0.4...

- https://www.mozilla....es/mfsa2015-28/
- https://www.mozilla....es/mfsa2015-29/
Impact: Critical

- https://web.nvd.nist...d=CVE-2015-0817- 6.8
Last revised: 03/27/2015
- https://web.nvd.nist...d=CVE-2015-0818- 7.5 (HIGH)
Last revised: 03/27/2015
 

:ph34r:


Edited by AplusWebMaster, 30 March 2015 - 10:22 AM.



#125 AplusWebMaster


Posted 31 March 2015 - 09:46 AM

FYI...

Firefox 37.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

 

- https://www.mozilla....0/releasenotes/
March 31, 2015

- https://www.mozilla....efox/#firefox37
Fixed in Firefox 37.0
2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
2015-41 PRNG weakness allows for DNS poisoning on Android
2015-40 Same-origin bypass through anchor navigation
2015-39 Use-after-free due to type confusion flaws
2015-38 Memory corruption crashes in Off Main Thread Compositing
2015-37 CORS requests should not follow 30x redirections after preflight
2015-36 Incorrect memory management for simple-type arrays in WebRTC
2015-35 Cursor clickjacking with flash and images
2015-34 Out of bounds read in QCMS library
2015-33 resource:// documents can load privileged pages
2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

... complete list of changes in this release... 2817 bugs found.
___

- http://www.securityt....com/id/1031996
CVE Reference: CVE-2015-0800, CVE-2015-0801, CVE-2015-0802, CVE-2015-0803, CVE-2015-0804, CVE-2015-0805, CVE-2015-0806, CVE-2015-0807, CVE-2015-0808, CVE-2015-0810, CVE-2015-0811, CVE-2015-0812, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816
Apr 1 2015
Original Entry Date: Mar 31 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 37.0 ...
 

:ph34r:


Edited by AplusWebMaster, 03 April 2015 - 09:14 AM.



#126 AplusWebMaster


Posted 04 April 2015 - 02:21 AM

FYI...

Firefox 37.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....1/releasenotes/
April 3, 2015

- https://www.mozilla..../#firefox37.0.1
Fixed in Firefox 37.0.1
2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header*
2015-43 Loading privileged content through Reader mode

* https://web.nvd.nist...d=CVE-2015-0799
___

- https://www.us-cert....-Update-Firefox
April 06, 2015 - "... Mozilla Foundation has released Firefox 37.0.1 to address two vulnerabilities, one of which may allow a remote attacker to conduct man-in-the-middle attacks. Users and administrators are encouraged to review the security advisories for Firefox and apply the necessary updates."
 

:ph34r:


Edited by AplusWebMaster, 08 April 2015 - 05:27 AM.



#127 AplusWebMaster


Posted 21 April 2015 - 01:15 PM

FYI...

Firefox 37.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....2/releasenotes/
April 20, 2015

- https://www.mozilla..../#firefox37.0.2
Fixed in Firefox 37.0.2
2015-45 Memory corruption during failed plugin initialization
IMPACT: High
___

- http://www.securityt....com/id/1032171
CVE Reference: https://web.nvd.nist...d=CVE-2015-2706  - 6.8
Apr 21 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 37.0.2...

- https://www.us-cert....-Update-Firefox
Apr 21 2015
 

:ph34r:


Edited by AplusWebMaster, 11 May 2015 - 07:39 AM.



#128 AplusWebMaster


Posted 12 May 2015 - 09:24 AM

FYI...

Firefox 38 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....0/releasenotes/
May 12, 2015

- https://www.mozilla....efox/#firefox38
Fixed in Firefox 38
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-56 Untrusted site hosting trusted page can intercept webchannel responses
2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
2015-54 Buffer overflow when parsing compressed XML
2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
2015-52 Sensitive URL encoded information written to Android logcat
2015-51 Use-after-free during text processing with vertical text enabled
2015-50 Out-of-bounds read and write in asm.js validation
2015-49 Referrer policy ignored when links opened by middle-click and context menu
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

... complete list of changes in this release... 3660 bugs found.
___

- http://www.securityt....com/id/1032301
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2711, CVE-2015-2712, CVE-2015-2713, CVE-2015-2714, CVE-2015-2715, CVE-2015-2716, CVE-2015-2717, CVE-2015-2718, CVE-2015-2720
May 13 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 38.0 ...
 

:ph34r:


Edited by AplusWebMaster, 13 May 2015 - 05:06 AM.



#129 AplusWebMaster


Posted 14 May 2015 - 07:23 PM

FYI...

Firefox 38.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....1/releasenotes/
May 14, 2015
Fixed: Systems with first generation NVidia Optimus graphics cards may crash on start-up
Fixed: Users who import cookies from Google Chrome can end up with broken websites
Fixed: WebRTC H264 video streams from CiscoSpark native clients are not decoded correctly.

(Fixed in Firefox ESR 38.0.1; was already fixed in Firefox 38.0)
Fixed: Large animated images may fail to play and may stop other images from loading
 

:ph34r:




#130 AplusWebMaster


Posted 02 June 2015 - 09:42 PM

FYI...

Firefox 38.0.5 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....5/releasenotes/
June 2, 2015
New: Keep track of articles and videos with Pocket
New: Clean formatting for articles and blog posts with Reader View
New: Share the active tab or window in a Hello conversation
Fixed: A race condition that would cause Firefox to stop painting when switching tabs
Fixed: Fixed graphics performance when using the built-in VGA driver on Windows 7
___

> https://wiki.mozilla...re_branch_dates
release date: release
2015-06-30 - Firefox 39

V39.0 bugs...
- https://bugzilla.moz....cgi?id=1151506
Status: REOPENED
Keywords: crash
Modified: 2015-07-01
Importance: critical ...
- https://bugzilla.moz....cgi?id=1151506
___

Firefox Blocklist: https://addons.mozil...irefox/blocked/
 

:ph34r:


Edited by AplusWebMaster, 01 July 2015 - 02:27 PM.



#131 AplusWebMaster


Posted 02 July 2015 - 08:29 PM

FYI...

Firefox 39.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

- https://www.mozilla....0/releasenotes/

- https://www.mozilla....efox/#firefox39
Fixed in Firefox 39
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-69 Privilege escalation in PDF.js
2015-68 OS X crash reports may contain entered key press information
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-65 Use-after-free in workers while using XMLHttpRequest
2015-64 ECDSA signature validation fails to handle some signatures correctly
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-62 Out-of-bound read while computing an oscillator rendering range in Web Audio
2015-61 Type confusion in Indexed Database Manager
2015-60 Local files or privileged URLs in pages can be opened into new tabs
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

...  complete list of changes in this release 3279 bugs found.
___

Also: Fixed in Firefox ESR 38.1
- https://www.mozilla....#firefoxesr38.1

- https://www.mozilla....0/releasenotes/
___

- http://www.securityt....com/id/1032783
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2742, CVE-2015-2743, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 39.0 ...
 

:ph34r:


Edited by AplusWebMaster, 04 July 2015 - 09:15 AM.



#132 AplusWebMaster


Posted 06 August 2015 - 07:11 PM

FYI...

Firefox 39.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....3/releasenotes/

> https://www.mozilla....es/mfsa2015-78/
Aug 6, 2015 - "... violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer. This would allow an attacker to read and steal sensitive local files on the victim's computer. Mozilla has received reports that an exploit based on this vulnerability has been found in the wild."
Critical
Products: Firefox, Firefox ESR

Fixed in Firefox 39.0.3
> https://www.mozilla..../#firefox39.0.3
Fixed in Firefox ESR 38.1.1
> https://www.mozilla....irefoxesr38.1.1
___

- http://www.securityt....com/id/1033216
CVE Reference: https://web.nvd.nist...d=CVE-2015-4495
"... as exploited in the wild in August 2015."
Aug 7 2015
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 39.0.3...
Solution: The vendor has issued a fix (39.0.3, ESR 38.1.1).

- https://blog.mozilla...nd-in-the-wild/
Aug 6, 2015 - "... an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine... Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context... The exploit leaves no trace it has been run on the local machine..."
 

:ph34r:


Edited by AplusWebMaster, 07 August 2015 - 07:43 PM.



#133 AplusWebMaster


Posted 11 August 2015 - 08:47 AM

FYI...

Firefox 40 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....0/releasenotes/
What’s New:
- Support for Windows 10
- Added protection against unwanted software downloads
(More at the URL above.)

Fixed in Firefox 40.0
- https://www.mozilla....efox/#firefox40
2015-92 Use-after-free in XMLHttpRequest with shared workers
2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
2015-90 Vulnerabilities found through code inspection
2015-89 Buffer overflows on Libvpx when decoding WebM video
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-87 Crash when using shared memory in JavaScript
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-83 Overflow issues in libstagefright
2015-82 Redefinition of non-configurable JavaScript object properties
2015-81 Use-after-free in MediaStream playback
2015-80 Out-of-bounds read with malformed MP3 file
2015-79 Miscellaneous memory safety hazards (rv:40.0/rv:38.2)

... complete list of changes in this release - 3453 bugs found.

Fixed in Firefox ESR 38.2
- https://www.mozilla....#firefoxesr38.2
___

Expanded Malware Protection in Firefox
- https://blog.mozilla...ion-in-firefox/
Aug 11, 2015
___

- http://www.securityt....com/id/1033247
CVE Reference: CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482, CVE-2015-4483, CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4491, CVE-2015-4492, CVE-2015-4493
Aug 11 2015
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 40.0...
Solution: The vendor has issued a fix (40.0, ESR 38.2)...
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 11 August 2015 - 06:31 PM.



#134 AplusWebMaster


Posted 27 August 2015 - 06:10 PM

FYI...

Firefox 40.0.3 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....3/releasenotes/
Aug 27, 2015

- https://www.mozilla..../#firefox40.0.3
Fixed in Firefox 40.0.3
2015-95 Add-on notification bypass through data URLs
2015-94 Use-after-free when resizing canvas element during restyling

- https://www.mozilla....irefoxesr38.2.1
___

- http://www.securityt....com/id/1033396
CVE Reference: CVE-2015-4498
Aug 27 2015
Impact: Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 40.0.3 ...
Solution: The vendor has issued a fix (40.0.3, ESR 38.2.1).

- http://www.securityt....com/id/1033397
CVE Reference: CVE-2015-4497
Aug 27 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 40.0.3 ...
Solution: The vendor has issued a fix (40.0.3, ESR 38.2.1).
 

:ph34r:


Edited by AplusWebMaster, 28 August 2015 - 04:22 AM.



#135 AplusWebMaster


Posted 22 September 2015 - 11:14 AM

FYI...

Firefox 41.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla....US/firefox/all/

Release notes
- https://www.mozilla....0/releasenotes/
Sep 22, 2015

- https://www.mozilla....efox/#firefox41
Fixed in Firefox 41
2015-114 Information disclosure via the High Resolution Time API
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-109 JavaScript immutable property enforcement can be bypassed
2015-108 Scripted proxies can access inner window
2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
2015-106 Use-after-free while manipulating HTML media content
2015-105 Buffer overflow while decoding WebM video
2015-104 Use-after-free with shared workers and IndexedDB
2015-103 URL spoofing in reader mode
2015-102 Crash when using debugger with SavedStacks in JavaScript
2015-101 Buffer overflow in libvpx while parsing vp9 format video
2015-100 Arbitrary file manipulation by local user through Mozilla updater
2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
2015-97 Memory leak in mozTCPSocket to servers
2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

... complete list of changes in this release... 3502 bugs found.

Fixed in Firefox ESR 38.3
- https://www.mozilla....#firefoxesr38.3
___

- http://www.securityt....com/id/1033640
CVE Reference: CVE-2015-4476, CVE-2015-4500, CVE-2015-4501, CVE-2015-4502, CVE-2015-4503, CVE-2015-4504, CVE-2015-4505, CVE-2015-4506, CVE-2015-4507, CVE-2015-4508, CVE-2015-4509, CVE-2015-4510, CVE-2015-4512, CVE-2015-4516, CVE-2015-4517, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180
Sep 22 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 41.0...
Solution: The vendor has issued a fix (41.0, ESR 38.3).
 

:ph34r:


Edited by AplusWebMaster, 22 September 2015 - 08:47 PM.
