OVAL Reference oval:org.mitre.oval:def:28351 - CERT Civis.Net
Oval Definition: oval:org.mitre.oval:def:28351
Revision Date: 2015-03-09
Version: 5
Title: USN-2424-1 -- Firefox vulnerabilities
Description:

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric Rescorla, and Xidorn Quan discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1587, CVE-2014-1588)

Cody Crews discovered a way to trigger chrome-level XBL bindings from web content in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2014-1589)

Joe Vennix discovered a crash when using XMLHttpRequest in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2014-1590)

Muneaki Nishimura discovered that CSP violation reports did not remove path information in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2014-1591)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1592)

Abhishek Arya discovered a buffer overflow when parsing media content. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1593)

Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the compositor. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause undefined behaviour, a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1594)

Family: unix
Class: patch
Status: ACCEPTED
Reference(s):
CVE-2014-1587
CVE-2014-1588
CVE-2014-1589
CVE-2014-1590
CVE-2014-1591
CVE-2014-1592
CVE-2014-1593
CVE-2014-1594
USN-2424-1
Platform(s):
Ubuntu 12.04
Ubuntu 14.04
Ubuntu 14.10
Product(s): firefox
Definition Synopsis
  • Ubuntu 14.10 release section
      • Ubuntu 14.10 is installed
      • AND firefox is earlier than 0:34.0+build2-0ubuntu0.14.10.2
  • Ubuntu 14.04 release section
      • Ubuntu 14.04 is installed
      • AND firefox is earlier than 0:34.0+build2-0ubuntu0.14.04.1
  • Ubuntu 12.04 release section
      • Ubuntu 12.04 is installed
      • AND firefox is earlier than 0:34.0+build2-0ubuntu0.12.04.1