OVAL Definition: oval:org.mitre.oval:def:24845
Revision Date: 2014-06-30
Version: 9
Title: RHSA-2014:0448: firefox security update (Critical)
Description:

Mozilla Firefox is an open source web browser.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1518, CVE-2014-1524, CVE-2014-1529, CVE-2014-1531)

A use-after-free flaw was found in the way Firefox resolved hosts in certain circumstances. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1532)

An out-of-bounds read flaw was found in the way Firefox decoded JPEG images. Loading a web page containing a specially crafted JPEG image could cause Firefox to crash. (CVE-2014-1523)

A flaw was found in the way Firefox handled browser navigations through history. An attacker could possibly use this flaw to cause the address bar of the browser to display a web page name while loading content from an entirely different web page, which could allow for cross-site scripting (XSS) attacks. (CVE-2014-1530)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Jesse Ruderman, Nathan Froyd, Christian Holler, Abhishek Arya, Mariusz Mlynski, moz_bug_r_a4, Nils, Tyson Smith, and Jesse Schwartzentruber as the original reporters of these issues.

For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 24.5.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.

All Firefox users should upgrade to this updated package, which contains Firefox version 24.5.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CESA-2014:0448
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
RHSA-2014:0448-00
Platform(s):CentOS Linux 5
CentOS Linux 6
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Product(s):firefox
Definition Synopsis
  • Redhat 5 section
    • The operating system installed on the system is Red Hat Enterprise Linux 5
    • AND firefox is earlier than 0:24.5.0-1.el5_10
  • OR Centos 5 section
    • The operating system installed on the system is CentOS Linux 5.x
    • AND firefox is earlier than 0:24.5.0-1.el5.centos
  • OR Redhat 6 section
    • firefox is earlier than 0:24.5.0-1.el6_5
    • AND The operating system installed on the system is Red Hat Enterprise Linux 6
  • OR Centos 6 section
    • firefox is earlier than 0:24.5.0-1.el6.centos
    • AND The operating system installed on the system is CentOS Linux 6.x