===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0102
       A vulnerability has been identified in Mozilla Firefox prior
                            to version 41.0.2.
                              19 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Access Confidential Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-7184  
Member content until: Wednesday, November 18 2015

OVERVIEW

        A vulnerability has been identified in Mozilla Firefox prior to version
        41.0.2. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        CVE-2015-7184: "Security researcher Abdulrahman Alqabandi reported 
        that the fetch() API did not correctly implement the Cross-Origin 
        Resource Sharing (CORS) specification, allowing a malicious page to
        access private data from other origins. Mozilla developer Ben Kelly
        independently reported the same issue." [1]


MITIGATION

        The vendor recommends updating to the latest versions of Mozilla 
        Firefox and Mozilla Firefox ESR to correct this issue. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2015-115
            https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================