Thunderbird 38 delayed - 31.7 released
FYI...
Thunderbird 38 - delayed ...
- http://emailmafia.net/2015/05/12/thu...rd-38-delayed/
May 12, 2015 - "... Thunderbird 38.0 will -not- ship on the same date as Firefox 38.0 but will likely be delayed a couple of weeks... there are still a number of regressions that we are working on, and last week’s beta was the first beta that was feature complete. That means we will not be ready to ship according to the original schedule.
A current estimate of when we will ship Thunderbird 38.0 is approximately May 26."
___
Thunderbird 31.7 released
Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
- https://www.mozilla.org/en-US/securi...hunderbird31.7
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
Thunderbird 31.7 download:
- https://www.mozilla.org/en-US/thunderbird/all/
___
- http://www.securitytracker.com/id/1032303
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716
May 13 2015
Impact: Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.7
:fear:
Adblock Plus 1.9 for Chrome, Opera and Safari released
FYI...
Adblock Plus 1.9 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adb...afari-released
2015-06-16
Install Adblock Plus 1.9 for Chrome
Install Adblock Plus 1.9 for Opera
Install Adblock Plus 1.9 for Safari (Safari 6 or higher required)
>> Changes:
Fixed: Placeholders weren’t hidden for elements that were blocked by an URL given in the srcset attribute (issue 2634).
Exception rules with protocol don’t imply the $document flag anymore (issue 2503).
Changed the label for the share buttons to reflect the functionality more accurately (issue 2202).
Implemented an alternative format for subscription links (issue 2212).
Fixed some issues with the “Block element” dialog:
Fixed some issues with element highlighting (issue 2077, issue 2209).
Fixed some issues with dragging the dialog (issue 2100, issue 2173, issue 2194).
Fixed issues with how the context menu interacted with other parts of the user interface (issue 2279, issue 2298).
The page no longer freezes when selecting an element that would result in a lot of other elements being blocked as well (issue 2215).
Performance improvements:
Mitigated the effect of slow request blocking filters (issue 2177).
Determine whether a page or frame is whitelisted more efficiently by only matching exception rules (issue 2132).
Moved code not crucial to blocking requests out of the critical path, decreasing load times (issue 2505).
> Chrome/Opera-only changes
Changed the way Adblock Plus stores persistent data such as setting and filter lists, replacing localStorage and the deprecated FileSystem API with chrome.storage (issue 2021, issue 2040).
Run content scripts in anonymous frames again, in order to block ads more reliably (issue 2216, issue 2217).
Worked around a Chromium bug that caused corruption of the page layout when using the feedback dialog on Google Mail and other Google websites (issue 2602).
Fixed element hiding filters using CSS selectors with commas inside quoted text (issue 2467).
Don’t assume Chromium-specific user agent string, fixing issues when using --user-agent switch, or running on a different platform (issue 2537).
Performance improvements:
Flush caches after filter changes only when absolutely necessary and respect the browser’s quotas (issue 2034, issue 2297).
Improved the performance of CSS selector injection, slightly decreasing page load time, in particular on pages with many frames and/or many active element hiding filters (issue 2528).
Avoid calling into JavaScript when processing headers when loading other resources than documents and frames (issue 2538).
Got rid of some try..catch statements which prevent functions from being optimized (issue 2658, issue 2569).
Avoid iteration over a hash-table which prevents functions from being optimized, slightly improving performance of element hiding filter matching (issue 2582).
> Chrome-only changes
Added a pre-configurable preference to suppress the first run page (issue 1488).
> Opera-only changes
Fixed: Spanish translation wasn’t being used (issue 2665).
> Safari-only changes
Restored compatibility with Safari 6 (issue 2172).
:fear::fear:
Secunia drops Public Listing of Vulnerabilities
FYI...
- http://it.slashdot.org/story/15/06/2...ulnerabilities
June 19, 2015 - "Secunia just announced on a forum post* that they will no longer provide public access to advisories newer than 9 months. According to Secunia they, "frequently encounter organizations engaged in wrongful use of Secunia Advisories" and that VIM customers, "have full access to all advisories." While Secunia is under no obligation to provide their aggregated vulnerabilities they've been doing it for over 10 years. The information they provide is primarily from public sources."
* https://secunia.com/community/forum/thread/show/15400
19th Jun, 2015 - "We have decided to make advisories more recent than nine months unavailable on secunia.com. The decision was made to avoid abuse of the advisories for commercial use, and because we frequently encounter organizations engaged in wrongful use of Secunia Advisories. Our advisories are made available for personal use only, and commercial use is prohibited.
Users who wish to make commercial use of our vulnerability intelligence must subscribe to our vulnerability management solution, the Secunia Vulnerability Intelligence Manager (Secunia VIM: http://secunia.com/vulnerability_intelligence/ ). Users of the Secunia VIM have full access to all advisories and are able to analyse all the latest advisories in chronological order as well as proactive alerting the moment they have been released. Private users who have created a Secunia community profile (http://secunia.com/community/profile/ ), can access advisories less than 9 months old using the search engine (http://secunia.com/community/advisories/search/ ). We are aware that the search on the community pages is not working optimally and are working to fix that shortly.
Stay Secure,
Kasper Lindgaard, Director of Research and Security"
Apple Updates - 6.30.2015
FYI...
> https://support.apple.com/en-us/HT201222
iOS 8.4 released
- https://support.apple.com/en-us/HT204941
Jun 30, 2015
- http://www.securitytracker.com/id/1032761
CVE Reference: CVE-2015-3722, CVE-2015-3723, CVE-2015-3724, CVE-2015-3725, CVE-2015-3726, CVE-2015-3728
Jul 1 2015
Impact: Denial of service via network, Execution of arbitrary code via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.4...
___
QuickTime 7.7.7 released
- https://support.apple.com/en-us/HT204947
Jun 30, 2015
- http://www.securitytracker.com/id/1032756
CVE Reference: CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3664, CVE-2015-3665, CVE-2015-3666, CVE-2015-3667, CVE-2015-3668, CVE-2015-3669
Jul 1 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.7 ...
Download: https://www.apple.com/quicktime/download/
"QuickTime 7.7.7 for Windows Vista or Windows 7"
Alternate download site: http://www.majorgeeks.com/files/details/quicktime.html
Author: Apple, Inc.
Date: 07/01/2015 06:34 AM
Size: 39.9 MB
License: Freeware
Requires: Win 10/8/7/Vista
___
Safari 8.0.7, 7.1.7, 6.2.7
- https://support.apple.com/en-us/HT204950
Jun 30, 2015
- http://www.securitytracker.com/id/1032754
CVE Reference: CVE-2015-3658, CVE-2015-3659, CVE-2015-3660, CVE-2015-3727
Jun 30 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.2.7, 7.1.7, 8.0.7 ...
___
Security Update 2015-005 - OS X Yosemite v10.10.4
- https://support.apple.com/en-us/HT204942
Jun 30, 2015
- http://www.securitytracker.com/id/1032759
CVE Reference: CVE-2015-4000
Jul 1 2015
Impact: Modification of authentication information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
- http://www.securitytracker.com/id/1032760
CVE Reference: CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2015-3671, CVE-2015-3672, CVE-2015-3673, CVE-2015-3674, CVE-2015-3675, CVE-2015-3676, CVE-2015-3677, CVE-2015-3678, CVE-2015-3679, CVE-2015-3680, CVE-2015-3681, CVE-2015-3682, CVE-2015-3683, CVE-2015-3684, CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-3689, CVE-2015-3690, CVE-2015-3691, CVE-2015-3694, CVE-2015-3695, CVE-2015-3696, CVE-2015-3697, CVE-2015-3698, CVE-2015-3699, CVE-2015-3700, CVE-2015-3701, CVE-2015-3702, CVE-2015-3703, CVE-2015-3704, CVE-2015-3705, CVE-2015-3706, CVE-2015-3707, CVE-2015-3708, CVE-2015-3709, CVE-2015-3710, CVE-2015-3711, CVE-2015-3712, CVE-2015-3714, CVE-2015-3715, CVE-2015-3716, CVE-2015-3717, CVE-2015-3718, CVE-2015-3719, CVE-2015-3721
Jul 1 2015
Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
___
Security Update 2015-001 - Mac EFI
- https://support.apple.com/en-us/HT204934
Jun 30, 2015
- http://www.securitytracker.com/id/1032755
CVE Reference: CVE-2015-3693
Jun 30 2015
Impact: Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (Security Update 2015-001, OS X 10.10.4).
___
iTunes 12.2 for Windows
- https://support.apple.com/en-us/HT204949
Jul 1, 2015
- https://www.apple.com/itunes/download/
___
- http://net-security.org/secworld.php?id=18577
01 July 2015 - "... The OS X update contains fixes for 77 vulnerabilities, many of which can be exploited by attackers to gain admin or root privilege, crash applications, perform unauthenticated access to the system, execute arbitrary code, intercept network traffic, and so on. It also includes fixes for vulnerabilities in the Mac EFI (Extensible Firmware Interface), one of which could allow a malicious app with root privileges to modify EFI flash memory when it resumes from sleep states...
The iOS security update contains fixes for a slew of vulnerabilities that could lead to unexpected application termination or arbitrary code execution just by making the users open, or the OS process, a maliciously crafted PDF, text, font or .tiff file.
The 'Logjam bug' in coreTLS that could be exploited by an attacker with a privileged network position to SSL/TLS connections has also been plugged, as have two vulnerabilities discovered by FireEye researchers, which could allow attackers to deploy two new kinds of Masque Attack and prevent iOS and Watch apps from launching..."
> http://lists.apple.com/archives/secu...dex.html#00005
:fear::fear:
Thunderbird 38.1 released
FYI...
Thunderbird 38.1 released
Automated Updates: https://support.mozilla.org/en-US/kb...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
- https://www.mozilla.org/en-US/securi...hunderbird38.1
Fixed in Thunderbird 38.1
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___
- http://www.securitytracker.com/id/1032784
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 38.0 and prior ...
Solution: The vendor has issued a fix (38.1)...
___
Thunderbird 38.2
Download: https://www.mozilla.org/en-US/thunderbird/all/
- https://www.mozilla.org/en-US/securi...hunderbird38.2
Aug 11, 2015
Fixed in Thunderbird 38.2
Vulnerabilities found through code inspection
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
:fear: