Firefox updated...

[AplusWebMaster]

FYI...

Firefox 46.0.1 released

Start Firefox, then >Help >About >Apply Update ...

- https://www.mozilla.org/en-US/firefo.../releasenotes/
May 3, 2016
Fixed:
Fix for search plugin issue for various locales (Bug 1246494)
Fix for add-on signing certificate expiration (Bug 1267318)
Limit Sync registration updates (Bug 1262312)
Fix for service worker update issue (Bug 1267733)
Fix a build issue when jit is disabled (Bug 1266366)
Fix for page loading issue related to antivirus software (Bug 1268922)

[AplusWebMaster]

FYI...

Firefox 47.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
June 7, 2016
New...
Fixed...
Changed...
Developer...
HTML5...

- https://www.mozilla.org/en-US/securi...fox/#firefox47
Fixed in Firefox 47
2016-62 Network Security Services (NSS) vulnerabilities
2016-60 Java applets bypass CSP protections
2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
2016-58 Entering fullscreen and persistent pointerlock without user permission
2016-57 Incorrect icon displayed on permissions notifications
2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
2016-55 File overwrite and privilege escalation through Mozilla Windows updater
2016-54 Partial same-origin-policy through setting location.host through data URI
2016-53 Out-of-bounds write with WebGL shader
2016-52 Addressbar spoofing though the SELECT element
2016-51 Use-after-free deleting tables from a contenteditable document
2016-50 Buffer overflow parsing HTML5 fragments
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

Fixed in Firefox ESR 45.2
- https://www.mozilla.org/en-US/securi...firefoxesr45.2

... 3389 bugs found.
___

- https://www.us-cert.gov/ncas/current...curity-Updates
June 07, 2016
___

- http://www.securitytracker.com/id/1036057
CVE Reference: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2825, CVE-2016-2826, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833, CVE-2016-2834
Jun 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 47.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (47.0; ESR 45.2)...

[AplusWebMaster]

FYI...

Firefox 48.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
Aug 2, 2016
New...
Fixed...
Changed...
Developer...
Unresolved...

... 4050 bugs found.

- https://www.mozilla.org/en-US/securi...fox/#firefox48
Fixed in Firefox 48
2016-84 Information disclosure through Resource Timing API during page navigation
2016-83 Spoofing attack through text injection into internal error pages
2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
2016-81 Information disclosure and local file manipulation through drag and drop
2016-80 Same-origin policy violation using local HTML file and saved shortcut file
2016-79 Use-after-free when applying SVG effects
2016-78 Type confusion in display transformation
2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
2016-76 Scripts on marquee tag can execute in sandboxed iframes
2016-75 Integer overflow in WebSockets during data buffering
2016-74 Form input type change from password to text can store plain text password in session restore file
2016-73 Use-after-free in service workers with nested sync events
2016-72 Use-after-free in DTLS during WebRTC session shutdown
2016-71 Crash in incremental garbage collection in JavaScript
2016-70 Use-after-free when using alt key and toplevel menus
2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
2016-68 Out-of-bounds read during XML parsing in Expat library
2016-67 Stack underflow during 2D graphics rendering
2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
2016-65 Cairo rendering crash due to memory allocation issue with FFMpeg 0.10
2016-64 Buffer overflow rendering SVG with bidirectional content
2016-63 Favicon network connection can persist when page is closed
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Firefox ESR 45.3
- https://www.mozilla.org/en-US/securi...firefoxesr45.3
___

Enhancing Download Protection in Firefox
- https://blog.mozilla.org/security/20...on-in-firefox/
Aug 1, 2016
___

- http://www.securitytracker.com/id/1036508
CVE Reference: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268
Aug 3 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 48.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof content.
A local user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix (48.0, ESR 45.3)...
___

- https://www.us-cert.gov/ncas/current...curity-Updates
Aug 03, 2016

[AplusWebMaster]

FYI...

Firefox 48.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
Aug 18, 2016
Fixed:
Fix an audio regression impacting some major websites (bug 1295296)
Fix a top crash in the JavaScript engine (Bug 1290469)
Fix a startup crash issue caused by Websense (Bug 1291738)
Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
Fix a top crash caused by plugin issues (Bug 1264530)
Fix an unsigned add-ons issue on Windows
Fix a shutdown issue (Bug 1276920)
Fix a crash in WebRTC

[AplusWebMaster]

FYI...

Firefox 49.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
Sep 20, 2016
New...
Fixed...
Changed...
Developer...

- https://www.mozilla.org/en-US/securi...fox/#firefox49
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49: https://www.mozilla.org/en-US/securi...s/mfsa2016-85/

Firefox 45.4: https://www.mozilla.org/en-US/securi...firefoxesr45.4
___

- http://www.securitytracker.com/id/1036852
CVE Reference: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 49.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause the target application to crash.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0)...
___

- https://www.us-cert.gov/ncas/current...curity-Updates
Sep 20, 2016

[AplusWebMaster]

FYI...

Firefox 49.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefo.../releasenotes/
Oct 20, 2016
New: Asynchronous rendering of the Flash plugins is now enabled by default. This should improve performance and reduce crashes for sites that use the Flash plugin. (Bug 1307108)
Fixed: Change D3D9 default fallback preference to prevent graphical artifacts (Bug 1306465)
Network issue prevents some users from seeing the Firefox UI on startup (Bug 1305436)
Web compatibility issue with Array.prototype.values (Bug 1299593)
Various security fixes: https://www.mozilla.org/en-US/securi...#firefox49.0.2
Fixed in Firefox 49.0.2:
> https://www.mozilla.org/en-US/securi...s/mfsa2016-87/
Web compatibility issue with file uploads (Bug 1306472)
Changed: Diagnostic information on timing for tab switching (Bug 1304113)
Reference link to Firefox 49.0.1 release notes:
> https://www.mozilla.org/firefox/49.0.1/releasenotes/
Fix a Canvas filters graphics issue affecting HTML5 apps (Bug 1304539)
___

- http://www.securitytracker.com/id/1037077
CVE Reference: CVE-2016-5287, CVE-2016-5288
Oct 21 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 48.x, 49.x ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0.2)...
___

- https://www.us-cert.gov/ncas/current...Update-Firefox
Oct 20, 2016

[AplusWebMaster]

FYI...

Firefox 50.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
Nov 15, 2016
New:
- Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently used order
View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
- Added option to Find in page that allows users to limit search to whole words only
- Added Guarani (gn) locale
- Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
- Added download protection for a large number of executable file types on Windows, Mac and Linux
- Improved performance for SDK extensions or extensions using the SDK module loader
- Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
Fixed:
- Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
- Various security fixes
Changed:
- Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
- Blocked versions of libavcodec older than 54.35.1 ...

Fixed in Firefox 50.0
- https://www.mozilla.org/en-US/securi...fox/#firefox50
2016-89 Security vulnerabilities fixed in Firefox 50
- https://www.mozilla.org/en-US/securi...s/mfsa2016-89/
Critical - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
High - CVE-2016-5292: URL parsing causes crash
High - CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink
High - CVE-2016-5294: Arbitrary target directory for result files of update process
High - CVE-2016-5297: Incorrect argument length checking in Javascript
High - CVE-2016-9064: Addons update must verify IDs match between current and new versions
High - CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
High - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
High - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
High - CVE-2016-9068: heap-use-after-free in nsRefreshDriver
High - CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
High - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
High - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Moderate - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
Moderate - CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
Moderate - CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
Moderate - CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file
Moderate - CVE-2016-9070: Sidebar bookmark can have reference to chrome window
Moderate - CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
Moderate - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
Moderate - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
Low - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat
Low - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
Critical - CVE-2016-5289: Memory safety bugs fixed in Firefox 50
Critical - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

Firefox ESR 45.5: https://www.mozilla.org/en-US/securi...firefoxesr45.5
- https://www.mozilla.org/en-US/securi...s/mfsa2016-90/
Nov 15, 2016
___

- http://www.securitytracker.com/id/1037298
CVE Reference: CVE-2016-5289, CVE-2016-5290, CVE-2016-5291, CVE-2016-5292, CVE-2016-5293, CVE-2016-5294, CVE-2016-5295, CVE-2016-5296, CVE-2016-5297, CVE-2016-5298, CVE-2016-5299, CVE-2016-9061, CVE-2016-9062, CVE-2016-9063, CVE-2016-9064, CVE-2016-9065, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9069, CVE-2016-9070, CVE-2016-9071, CVE-2016-9072, CVE-2016-9073, CVE-2016-9074, CVE-2016-9075, CVE-2016-9076, CVE-2016-9077
Nov 16 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain data on the target system.
A local user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (50.0)...
___

- https://www.us-cert.gov/ncas/current...curity-Updates
Nov 15, 2016

[AplusWebMaster]

FYI...

Firefox 50.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefo.../releasenotes/
Nov 28, 2016
> https://www.mozilla.org/en-US/securi...#firefox50.0.1
Security vulnerabilities fixed in Firefox 50.0.1
> https://www.mozilla.org/en-US/securi...s/mfsa2016-91/
CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
Impact: Critical
___

- http://www.securitytracker.com/id/1037353
CVE Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2016-9078
Nov 29 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 49, 50 ...
Description: A vulnerability was reported in Mozilla Firefox. A remote user can bypass security controls on the target system.
A remote user can return a specially crafted HTTP redirection to a 'data:' URL to bypass same-origin controls and allow the referring domain to access data in the 'data:' URL domain.
Impact: A remote user can bypass same-origin restrictions to potentially read or write information from 'data:' URLs.
Solution: The vendor has issued a fix (50.0.1)...
___

- https://www.us-cert.gov/ncas/current...ecurity-Update
Nov 28, 2016

[AplusWebMaster]

FYI...

Firefox 50.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefo.../releasenotes/
Nov 30, 2016
> https://www.mozilla.org/en-US/securi...#firefox50.0.2
Fixed in:
Firefox 50.0.2
Firefox ESR 45.5.1
Thunderbird 45.5.1
> https://www.mozilla.org/en-US/securi...s/mfsa2016-92/
CVE-2016-9079: Use-after-free in SVG Animation
Critical
___

- http://www.securitytracker.com/id/1037370
CVE Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2016-9079
Updated: Dec 1 2016
Original Entry Date: Nov 30 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 50.0.1; possibly earlier versions
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (50.0.2; ESR 45.5.1)...
___

- https://www.us-cert.gov/ncas/current...curity-Updates
Nov 30, 2016

[AplusWebMaster]

FYI...

Firefox 50.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefo.../releasenotes/
Dec 13, 2016
- https://www.mozilla.org/en-US/securi...x/#firefox50.1 ...
> https://www.mozilla.org/en-US/securi...s/mfsa2016-94/
CVE-2016-9894: Buffer overflow in SkiaGL - Critical
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - Critical
CVE-2016-9895: CSP bypass using marquee tag - High
CVE-2016-9896: Use-after-free with WebVR - High
CVE-2016-9897: Memory corruption in libGLES - High
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - High
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - High
CVE-2016-9904: Cross-origin information leak in shared atoms - High
CVE-2016-9901: Data from Pocket server improperly sanitized before execution - Moderate
CVE-2016-9902: Pocket extension does not validate the origin of events - Moderate
CVE-2016-9903: XSS injection vulnerability in add-ons SDK - Moderate
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - Critical
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - Critical
___

- http://www.securitytracker.com/id/1037461
CVE Reference: CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.1; ESR prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (50.1; ESR 45.6)...

- http://www.securitytracker.com/id/1037462
CVE Reference: CVE-2016-9905
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (ESR 45.6)...

Firefox ESR 45.6: https://www.mozilla.org/en-US/securi...firefoxesr45.6