Firefox updated...

Firefox 41.0 released

FYI...

Firefox 41.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/41.0/releasenotes/
Sep 22, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41
Fixed in Firefox 41
2015-114 Information disclosure via the High Resolution Time API
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-109 JavaScript immutable property enforcement can be bypassed
2015-108 Scripted proxies can access inner window
2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems
2015-106 Use-after-free while manipulating HTML media content
2015-105 Buffer overflow while decoding WebM video
2015-104 Use-after-free with shared workers and IndexedDB
2015-103 URL spoofing in reader mode
2015-102 Crash when using debugger with SavedStacks in JavaScript
2015-101 Buffer overflow in libvpx while parsing vp9 format video
2015-100 Arbitrary file manipulation by local user through Mozilla updater
2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme
2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes
2015-97 Memory leak in mozTCPSocket to servers
2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)

... complete list of changes in this release... 3502 bugs found.

Fixed in Firefox ESR 38.3
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.3
___

- http://www.securitytracker.com/id/1033640
CVE Reference: CVE-2015-4476, CVE-2015-4500, CVE-2015-4501, CVE-2015-4502, CVE-2015-4503, CVE-2015-4504, CVE-2015-4505, CVE-2015-4506, CVE-2015-4507, CVE-2015-4508, CVE-2015-4509, CVE-2015-4510, CVE-2015-4512, CVE-2015-4516, CVE-2015-4517, CVE-2015-4519, CVE-2015-4520, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180
Sep 22 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 41.0...
Solution: The vendor has issued a fix (41.0, ESR 38.3).

:fear:
 
Last edited:
Firefox 41.0.2 released

FYI...

Firefox 41.0.2 released

Start Firefox, then >Help >About >Apply Update ...

Release notes
- https://www.mozilla.org/en-US/firefox/41.0.2/releasenotes/
Oct 15, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox41.0.2
2015-115 Cross-origin restriction bypass using Fetch
___

- http://www.securitytracker.com/id/1033820
CVE Reference: CVE-2015-7184
Oct 16 2015
Impact: Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 41.0.2 ...
Impact: A remote user can obtain potentially sensitive information from other origins on the target system.
Solution: The vendor has issued a fix (41.0.2)...

:fear:
 
Firefox 42.0 released

FYI...

Firefox 42.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/42.0/releasenotes/
Nov 3, 2015

... complete list of changes in this release... 3230 bugs found.

Fixed in Firefox 42.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42
MFSA 2015-133 NSS and NSPR memory corruption issues
MFSA 2015-132 Mixed content WebSocket policy bypass through workers
MFSA 2015-131 Vulnerabilities found through code inspection
MFSA 2015-130 JavaScript garbage collection crash with Java applet
MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped
MFSA 2015-128 Memory corruption in libjar through zip files
MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X
MFSA 2015-125 XSS attack through intents on Firefox for Android
MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files
MFSA 2015-123 Buffer overflow during image interactions in canvas
MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
MFSA 2015-121 disabling scripts in Add-on SDK panels has no effect
MFSA 2015-120 Reading sensitive profile files through local HTML file on Android
MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode
MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist
MFSA 2015-117 Information disclosure through NTLM authentication
MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

Fixed in Firefox ESR 38.4
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.4
___

- http://www.securitytracker.com/id/1034069
CVE Reference: CVE-2015-4513, CVE-2015-4514, CVE-2015-4515, CVE-2015-4518, CVE-2015-7181, CVE-2015-7182, CVE-2015-7183, CVE-2015-7185, CVE-2015-7186, CVE-2015-7187, CVE-2015-7188, CVE-2015-7189, CVE-2015-7190, CVE-2015-7191, CVE-2015-7192, CVE-2015-7193, CVE-2015-7194, CVE-2015-7195, CVE-2015-7196, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 5 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 42.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (ESR 38.4; 42.0).

:fear:
 
Last edited:
Firefox 43.0 released

FYI...

Firefox 43.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/43.0/releasenotes/
Dec 15, 2015

... complete list of changes in this release... 3067 bugs found.

Fixed in Firefox 43.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43
2015-149 Cross-site reading attack through data and view-source URIs
2015-148 Privilege escalation vulnerabilities in WebExtension APIs
2015-147 Integer underflow and buffer overflow processing MP4 metadata in libstagefright
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-144 Buffer overflows found through code inspection
2015-143 Linux file chooser crashes on malformed images due to flaws in Jasper library
2015-142 DOS due to malformed frames in HTTP/2
2015-141 Hash in data URI is incorrectly parsed
2015-140 Cross-origin information leak through web workers error events
2015-139 Integer overflow allocating extremely large textures
2015-138 Use-after-free in WebRTC when datachannel is used after being destroyed
2015-137 Firefox allows for control characters to be set in cookies
2015-136 Same-origin policy violation using perfomance.getEntries and history navigation
2015-135 Crash with JavaScript variable assignment with unboxed objects
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

Fixed in Firefox ESR 38.5
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.5
___

- http://www.securitytracker.com/id/1034426
CVE Reference: CVE-2015-7201, CVE-2015-7202, CVE-2015-7203, CVE-2015-7204, CVE-2015-7205, CVE-2015-7207, CVE-2015-7208, CVE-2015-7210, CVE-2015-7211, CVE-2015-7212, CVE-2015-7213, CVE-2015-7214, CVE-2015-7215, CVE-2015-7216, CVE-2015-7217, CVE-2015-7218, CVE-2015-7219, CVE-2015-7220, CVE-2015-7221, CVE-2015-7222, CVE-2015-7223
Dec 16 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 43.0 ...
Solution: The vendor has issued a fix (43.0, ESR 38.5).

- https://www.us-cert.gov/ncas/curren...ases-Security-Updates-Firefox-and-Firefox-ESR
Dec 15, 2015
___

- http://www.securitytracker.com/id/1034541
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
Dec 28 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 43.0.2 ...
Impact: A remote user can conduct hash collision forgery attacks.
Solution: The vendor has issued a fix (43.0.2, ESR 38.5.2).

- https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
Fixed in: Firefox 43.0.2, Firefox ESR 38.5.2

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7575
Last revised: 01/08/2016
___

- https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/
Jan 6, 2016

:fear::fear:
 
Last edited:
Firefox 44.0 released

FYI...

Firefox 44.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/44.0/releasenotes/
Jan 26, 2015
New:
Improved warning pages for certificate errors and untrusted connections
Enable H.264 if system decoder is available
Enable WebM/VP9 video support on systems that don't support MP4/H.264
In the animation-inspector timeline, lightning bolt icon next to animations running on the compositor thread
Support the brotli compression format via HTTPS content-encoding
Screenshot commands allow user choice of pixel ratio in Developer Tools
Fixed:
Windows XP and Vista screensaver doesn't disable when watching videos (Bug 1193610)

Fixed in Firefox 44.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44
2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
2016-11 Application Reputation service disabled in Firefox 43
2016-10 Unsafe memory manipulation found through code inspection
2016-09 Addressbar spoofing attacks
2016-08 Delay following click events in file download dialog too short on OS X
2016-06 Missing delay following user click events in protocol handler dialog
2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
2016-04 Firefox allows for control characters to be set in cookie names
2016-03 Buffer overflow in WebGL after out of memory allocation
2016-02 Out of Memory crash when parsing GIF format images
2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)

Fixed in Firefox ESR 38.6
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.6
___

- http://www.securitytracker.com/id/1034825
CVE Reference: CVE-2015-7208, CVE-2016-1930, CVE-2016-1931, CVE-2016-1933, CVE-2016-1935, CVE-2016-1937, CVE-2016-1938, CVE-2016-1939, CVE-2016-1940, CVE-2016-1941, CVE-2016-1942, CVE-2016-1943, CVE-2016-1944, CVE-2016-1945, CVE-2016-1946, CVE-2016-1947, CVE-2016-1948
Jan 27 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 44.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can bypass security controls on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (44; ESR 38.6)...
___

44.0.1
- https://www.mozilla.org/en-US/firefox/44.0.1/releasenotes/
Feb 8, 2016
Fixed:
Fix issue which could lead to the removal of stored passwords under certain circumstances (1242176)
Allows spaces in cookie names (1244505)
Fix WebSockets when used in a Service Worker context (1243942)
Disable opus/vorbis audio with H.264 (1245696)
Require NSS 3.21 (1244069)
Ship the Gecko SDK (1243740)
Fix for graphics startup crash (GNU/Linux) (1222171)
Fix a crash in cache networking (1244076).

:fear::fear:
 
Last edited:
Firefox 44.0.2 released

FYI...

Firefox 44.0.2 released

Start Firefox, then >Help >About >Apply Update ...

Release notes
- https://www.mozilla.org/en-US/firefox/44.0.2/releasenotes/
Feb 11, 2016
Fixed:
Firefox hangs or crashes on startup (1243098)
Various security fixes:
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2
2016-13 Same-origin-policy violation using Service Workers with plugins
Critical - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949
Fixed in: Firefox 44.0.2

Firefox ESR 38.6.1
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.6.1
2016-14 Vulnerabilities in Graphite 2
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1523

- https://www.us-cert.gov/ncas/current-activity/2016/02/11/Mozilla-Releases-Security-Updates
Feb 11, 2016

:fear::fear:
 
Last edited:
Firefox v45.0 released

FYI...

Firefox v45.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/45.0/releasenotes/
Mar 8, 2016
New:
Instant browser tab sharing through Hello
Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching
Synced Tabs button in button bar
Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level
Guarani [gn] locale added
Fixed:
URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected
Various security fixes*

* https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
Fixed in Firefox 45
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-33 Use-after-free in GetStaticInstance in WebRTC
2016-32 WebRTC and LibVPX vulnerabilities found through code inspection
2016-31 Memory corruption with malicious NPAPI plugin
2016-30 Buffer overflow in Brotli decompression
2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore
2016-28 Addressbar spoofing though history navigation and Location protocol property
2016-27 Use-after-free during XML transformations
2016-26 Memory corruption when modifying a file being read by FileReader
2016-25 Use-after-free when using multiple WebRTC data channels
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager
2016-21 Displayed page address can be overridden
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-19 Linux video memory DOS with Intel drivers
2016-18 CSP reports fail to strip location information for embedded iframe pages
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

- https://tinyurl.com/jm28onb
"... 2948 bugs found."

Fixed in Firefox ESR 38.7
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.7
___

- http://www.securitytracker.com/id/1035215
CVE Reference: CVE-2016-1950, CVE-2016-1952, CVE-2016-1953, CVE-2016-1954, CVE-2016-1955, CVE-2016-1956, CVE-2016-1957, CVE-2016-1958, CVE-2016-1959, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1963, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966, CVE-2016-1967, CVE-2016-1968, CVE-2016-1970, CVE-2016-1971, CVE-2016-1972, CVE-2016-1973, CVE-2016-1974, CVE-2016-1975, CVE-2016-1976, CVE-2016-1977, CVE-2016-1979, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802
Mar 9 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 45.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause denial of service conditions.
A remote user can overwrite files on the target system.
A remote user can bypass same-origin restrictions on the target system.
A remote user can spoof the address bar.
Solution: The vendor has issued a fix (ESR 38.7; 45.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/03/08/Mozilla-Releases-Security-Updates
March 08, 2016

:fear:
 
Last edited:
Firefox 45.0.1 released

FYI...

Firefox 45.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/45.0.1/releasenotes/
March 18, 2016
Fixed:
- Fix a -regression- causing search engine settings to be lost in some context (1254694)
- Bring back non-standard jar: URIs to fix a -regression- in IBM iNotes (1255139)
- XSLTProcessor.importStylesheet was failing when <import> was used (1249572)
- Fix an issue which could cause the list of search provider to be empty (1255605)
- Fix a -regression- when using the location bar (1254503)
- Fix some loading issues when Accept third-party cookies: was set to Never (1254856)
Changed:
- Disabled Graphite font shaping library

> https://wiki.mozilla.org/Releases/Firefox_45.0.1/BuildNotes#Issues

:fear::fear:
 
Firefox 45.0.2 released

FYI...

Firefox 45.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/45.0.2/releasenotes/
April 11, 2016
Fixed:
Fix an issue impacting the cookie header when third-party cookies are blocked (1257861)
Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482)
Fix a crash impacting the video playback with Media Source Extension (1258562)
Fix a regression impacting some specific uploads (1255735)
Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980)

:fear::fear:
 
Firefox 46.0 released

FYI...

Firefox 46.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/46.0/releasenotes/
April 26, 2016
New:
Improved security of the JavaScript Just In Time (JIT) Compiler
GTK3 integration (GNU/Linux only)
Fixed:
Screen reader behavior with blank spaces in Google Docs corrected
Correct rendering for scaled SVGs that use a clip and a mask
Changed:
WebRTC fixes to improve performance and stability
Developer:
Display dominator trees in Memory tool
Allocation and garbage collection pause profiling in the performance panel
Launch responsive mode from the Style Editor @media sidebar
HTML5:
Added support for document.elementsFromPoint
Added HKDF support for Web Crypto API

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox46
Fixed in Firefox 46
2016-48 Firefox Health Reports could accept events from untrusted domains
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
2016-42 Use-after-free and buffer overflow in Service Workers
2016-41 Content provider permission bypass allows malicious application to access data
2016-40 Privilege escalation through file deletion by Maintenance Service updater
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

- https://bugzilla.mozilla.org/buglis...CLOSED&v1=mozilla46&v2=fixed,verified&limit=0
... 3059 bugs found.

Fixed in Firefox ESR 38.8
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.8

Fixed in Firefox ESR 45.1
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.1
___

- http://www.securitytracker.com/id/1035692
CVE Reference: CVE-2016-2804, CVE-2016-2805, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2809, CVE-2016-2810, CVE-2016-2811, CVE-2016-2812, CVE-2016-2813, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820
Apr 27 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 46.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can gain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (46.0; ESR 38.8, ESR 45.1)...

:fear::fear:
 
Last edited:
Firefox 46.0.1 released

FYI...

Firefox 46.0.1 released

Start Firefox, then >Help >About >Apply Update ...

- https://www.mozilla.org/en-US/firefox/46.0.1/releasenotes/
May 3, 2016
Fixed:
Fix for search plugin issue for various locales (Bug 1246494)
Fix for add-on signing certificate expiration (Bug 1267318)
Limit Sync registration updates (Bug 1262312)
Fix for service worker update issue (Bug 1267733)
Fix a build issue when jit is disabled (Bug 1266366)
Fix for page loading issue related to antivirus software (Bug 1268922)

:fear:
 
Firefox 47.0 released

FYI...

Firefox 47.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/47.0/releasenotes/
June 7, 2016
New...
Fixed...
Changed...
Developer...
HTML5...

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47
Fixed in Firefox 47
2016-62 Network Security Services (NSS) vulnerabilities
2016-60 Java applets bypass CSP protections
2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
2016-58 Entering fullscreen and persistent pointerlock without user permission
2016-57 Incorrect icon displayed on permissions notifications
2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
2016-55 File overwrite and privilege escalation through Mozilla Windows updater
2016-54 Partial same-origin-policy through setting location.host through data URI
2016-53 Out-of-bounds write with WebGL shader
2016-52 Addressbar spoofing though the SELECT element
2016-51 Use-after-free deleting tables from a contenteditable document
2016-50 Buffer overflow parsing HTML5 fragments
2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)

Fixed in Firefox ESR 45.2
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2

... 3389 bugs found.
___

- https://www.us-cert.gov/ncas/current-activity/2016/06/07/Mozilla-Releases-Security-Updates
June 07, 2016
___

- http://www.securitytracker.com/id/1036057
CVE Reference: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2825, CVE-2016-2826, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833, CVE-2016-2834
Jun 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 47.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain elevated privileges on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (47.0; ESR 45.2)...

:fear::fear:
 
Last edited:
Firefox 48.0 released

FYI...

Firefox 48.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/48.0/releasenotes/
Aug 2, 2016
New...
Fixed...
Changed...
Developer...
Unresolved...

... 4050 bugs found.

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox48
Fixed in Firefox 48
2016-84 Information disclosure through Resource Timing API during page navigation
2016-83 Spoofing attack through text injection into internal error pages
2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
2016-81 Information disclosure and local file manipulation through drag and drop
2016-80 Same-origin policy violation using local HTML file and saved shortcut file
2016-79 Use-after-free when applying SVG effects
2016-78 Type confusion in display transformation
2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
2016-76 Scripts on marquee tag can execute in sandboxed iframes
2016-75 Integer overflow in WebSockets during data buffering
2016-74 Form input type change from password to text can store plain text password in session restore file
2016-73 Use-after-free in service workers with nested sync events
2016-72 Use-after-free in DTLS during WebRTC session shutdown
2016-71 Crash in incremental garbage collection in JavaScript
2016-70 Use-after-free when using alt key and toplevel menus
2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
2016-68 Out-of-bounds read during XML parsing in Expat library
2016-67 Stack underflow during 2D graphics rendering
2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
2016-65 Cairo rendering crash due to memory allocation issue with FFMpeg 0.10
2016-64 Buffer overflow rendering SVG with bidirectional content
2016-63 Favicon network connection can persist when page is closed
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Firefox ESR 45.3
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.3
___

Enhancing Download Protection in Firefox
- https://blog.mozilla.org/security/2016/08/01/enhancing-download-protection-in-firefox/
Aug 1, 2016
___

- http://www.securitytracker.com/id/1036508
CVE Reference: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268
Aug 3 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 48.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof content.
A local user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix (48.0, ESR 45.3)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/08/03/Mozilla-Releases-Security-Updates
Aug 03, 2016

:fear:
 
Last edited:
Firefox 48.0.1 released

FYI...

Firefox 48.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/48.0.1/releasenotes/
Aug 18, 2016
Fixed:
Fix an audio regression impacting some major websites (bug 1295296)
Fix a top crash in the JavaScript engine (Bug 1290469)
Fix a startup crash issue caused by Websense (Bug 1291738)
Fix a different behavior with e10s / non-e10s on <select> and mouse events (Bug 1291078)
Fix a top crash caused by plugin issues (Bug 1264530)
Fix an unsigned add-ons issue on Windows
Fix a shutdown issue (Bug 1276920)
Fix a crash in WebRTC

:fear::fear:
 
Firefox 49.0 released

FYI...

Firefox 49.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/49.0/releasenotes/
Sep 20, 2016
New...
Fixed...
Changed...
Developer...

- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox49
Fixed in Firefox 49
2016-85 Security vulnerabilities fixed in Firefox 49: https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/

Firefox 45.4: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.4
___

- http://www.securitytracker.com/id/1036852
CVE Reference: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 49.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause the target application to crash.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/20/Mozilla-Releases-Security-Updates
Sep 20, 2016

:fear::fear:
 
Last edited:
Firefox 49.0.2 released

FYI...

Firefox 49.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/49.0.2/releasenotes/
Oct 20, 2016
New: Asynchronous rendering of the Flash plugins is now enabled by default. This should improve performance and reduce crashes for sites that use the Flash plugin. (Bug 1307108)
Fixed: Change D3D9 default fallback preference to prevent graphical artifacts (Bug 1306465)
Network issue prevents some users from seeing the Firefox UI on startup (Bug 1305436)
Web compatibility issue with Array.prototype.values (Bug 1299593)
Various security fixes: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox49.0.2
Fixed in Firefox 49.0.2:
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
Web compatibility issue with file uploads (Bug 1306472)
Changed: Diagnostic information on timing for tab switching (Bug 1304113)
Reference link to Firefox 49.0.1 release notes:
> https://www.mozilla.org/firefox/49.0.1/releasenotes/
Fix a Canvas filters graphics issue affecting HTML5 apps (Bug 1304539)
___

- http://www.securitytracker.com/id/1037077
CVE Reference: CVE-2016-5287, CVE-2016-5288
Oct 21 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 48.x, 49.x ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (49.0.2)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/10/20/Mozilla-Releases-Security-Update-Firefox
Oct 20, 2016

:fear:
 
Last edited:
Firefox 50.0 released

FYI...

Firefox 50.0 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/50.0/releasenotes/
Nov 15, 2016
New:
- Updates to keyboard shortcuts
Set a preference to have Ctrl+Tab cycle through tabs in recently used order
View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)
- Added option to Find in page that allows users to limit search to whole words only
- Added Guarani (gn) locale
- Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
- Added download protection for a large number of executable file types on Windows, Mac and Linux
- Improved performance for SDK extensions or extensions using the SDK module loader
- Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
Fixed:
- Fixed rendering of dashed and dotted borders with rounded corners (border-radius)
- Various security fixes
Changed:
- Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)
- Blocked versions of libavcodec older than 54.35.1 ...

Fixed in Firefox 50.0
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50
2016-89 Security vulnerabilities fixed in Firefox 50
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
Critical - CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
High - CVE-2016-5292: URL parsing causes crash
High - CVE-2016-5293: Write to arbitrary file with updater and moz maintenance service using updater.log hardlink
High - CVE-2016-5294: Arbitrary target directory for result files of update process
High - CVE-2016-5297: Incorrect argument length checking in Javascript
High - CVE-2016-9064: Addons update must verify IDs match between current and new versions
High - CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
High - CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
High - CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
High - CVE-2016-9068: heap-use-after-free in nsRefreshDriver
High - CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
High - CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
High - CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
Moderate - CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
Moderate - CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
Moderate - CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
Moderate - CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9061: API Key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
Moderate - CVE-2016-9062: Private browsing browser traces (android) in browser.db and wal file
Moderate - CVE-2016-9070: Sidebar bookmark can have reference to chrome window
Moderate - CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
Moderate - CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
Moderate - CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
Low - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in expat
Low - CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
Critical - CVE-2016-5289: Memory safety bugs fixed in Firefox 50
Critical - CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5

Firefox ESR 45.5: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.5
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
Nov 15, 2016
___

- http://www.securitytracker.com/id/1037298
CVE Reference: CVE-2016-5289, CVE-2016-5290, CVE-2016-5291, CVE-2016-5292, CVE-2016-5293, CVE-2016-5294, CVE-2016-5295, CVE-2016-5296, CVE-2016-5297, CVE-2016-5298, CVE-2016-5299, CVE-2016-9061, CVE-2016-9062, CVE-2016-9063, CVE-2016-9064, CVE-2016-9065, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9069, CVE-2016-9070, CVE-2016-9071, CVE-2016-9072, CVE-2016-9073, CVE-2016-9074, CVE-2016-9075, CVE-2016-9076, CVE-2016-9077
Nov 16 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can obtain data on the target system.
A local user can modify files on the target system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof a URL.
Solution: The vendor has issued a fix (50.0)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/15/Mozilla-Releases-Security-Updates
Nov 15, 2016

:fear:
 
Last edited:
Firefox 50.0.1 released

FYI...

Firefox 50.0.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/50.0.1/releasenotes/
Nov 28, 2016
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.0.1
Security vulnerabilities fixed in Firefox 50.0.1
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/
CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
Impact: Critical
___

- http://www.securitytracker.com/id/1037353
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9078
Nov 29 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 49, 50 ...
Description: A vulnerability was reported in Mozilla Firefox. A remote user can bypass security controls on the target system.
A remote user can return a specially crafted HTTP redirection to a 'data:' URL to bypass same-origin controls and allow the referring domain to access data in the 'data:' URL domain.
Impact: A remote user can bypass same-origin restrictions to potentially read or write information from 'data:' URLs.
Solution: The vendor has issued a fix (50.0.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/28/Mozilla-Releases-Security-Update
Nov 28, 2016

:fear::fear:
 
Last edited:
Firefox 50.0.2 released

FYI...

Firefox 50.0.2 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

- https://www.mozilla.org/en-US/firefox/50.0.2/releasenotes/
Nov 30, 2016
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.0.2
Fixed in:
Firefox 50.0.2
Firefox ESR 45.5.1
Thunderbird 45.5.1
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
CVE-2016-9079: Use-after-free in SVG Animation
Critical
___

- http://www.securitytracker.com/id/1037370
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
Updated: Dec 1 2016
Original Entry Date: Nov 30 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 50.0.1; possibly earlier versions
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (50.0.2; ESR 45.5.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/30/Mozilla-Releases-Security-Updates
Nov 30, 2016

:fear::fear:
 
Firefox 50.1 released

FYI...

Firefox 50.1 released

Start Firefox, then >Help >About >Apply Update ...
-or-
Download: https://www.mozilla.org/en-US/firefox/all/

Release notes
- https://www.mozilla.org/en-US/firefox/50.1.0/releasenotes/
Dec 13, 2016
- https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox50.1 ...
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
CVE-2016-9894: Buffer overflow in SkiaGL - Critical
CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - Critical
CVE-2016-9895: CSP bypass using marquee tag - High
CVE-2016-9896: Use-after-free with WebVR - High
CVE-2016-9897: Memory corruption in libGLES - High
CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - High
CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - High
CVE-2016-9904: Cross-origin information leak in shared atoms - High
CVE-2016-9901: Data from Pocket server improperly sanitized before execution - Moderate
CVE-2016-9902: Pocket extension does not validate the origin of events - Moderate
CVE-2016-9903: XSS injection vulnerability in add-ons SDK - Moderate
CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - Critical
CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 - Critical
___

- http://www.securitytracker.com/id/1037461
CVE Reference: CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 50.1; ESR prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (50.1; ESR 45.6)...

- http://www.securitytracker.com/id/1037462
CVE Reference: CVE-2016-9905
Dec 14 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to ESR 45.6
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (ESR 45.6)...

Firefox ESR 45.6: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.6

:fear::fear:
 
Last edited:
You must log in or register to reply here.
Back
Top