===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2017.0600.2
                          Firefox vulnerabilities
                               31 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5427 CVE-2017-5426 CVE-2017-5422
                   CVE-2017-5421 CVE-2017-5420 CVE-2017-5419
                   CVE-2017-5418 CVE-2017-5417 CVE-2017-5416
                   CVE-2017-5415 CVE-2017-5414 CVE-2017-5413
                   CVE-2017-5412 CVE-2017-5410 CVE-2017-5408
                   CVE-2017-5407 CVE-2017-5406 CVE-2017-5405
                   CVE-2017-5404 CVE-2017-5403 CVE-2017-5402
                   CVE-2017-5401 CVE-2017-5400 CVE-2017-5399
                   CVE-2017-5398 CVE-2016-5412

Reference:         ESB-2016.2592

Original Bulletin:
   http://www.ubuntu.com/usn/usn-3216-2

Revision History:  March 31 2017: USN-3216-1 introduced a regression in Firefox
                   March  8 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3216-2
March 30, 2017

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

USN-3216-1 introduced a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3216-1 fixed vulnerabilities in Firefox. The update resulted in a
startup crash when Firefox is used with XRDP. This update fixes the
problem.
We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were
 tricked into opening a specially crafted website, an attacker could
 potentially exploit these to bypass same origin restrictions, obtain
 sensitive information, spoof the address bar, spoof the print dialog,
 cause a denial of service via application crash or hang, or execute
 arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400,
 CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404,
 CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408,
 CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414,
 CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418,
 CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422,
 CVE-2017-5426, CVE-2017-5427)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  firefox                         52.0.2+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  firefox                         52.0.2+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  firefox                         52.0.2+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  firefox                         52.0.2+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3216-2
  http://www.ubuntu.com/usn/usn-3216-1
  https://launchpad.net/bugs/1671079

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/52.0.2+build1-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/firefox/52.0.2+build1-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/firefox/52.0.2+build1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/firefox/52.0.2+build1-0ubuntu0.12.04.1

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
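Added example (not part of the AusCERT or Ubuntu text): a check of inventoried firefox package versions against the fixed versions in the update instructions above, using a Python reimplementation of the Debian version ordering so it can run off-host. The inventory rows and host names are constructed, and the function names are this example's own.

```python
import re
from itertools import zip_longest
# Fixed firefox versions, copied from the update instructions in the bulletin.
FIXED = {
    "16.10": "52.0.2+build1-0ubuntu0.16.10.1",
    "16.04": "52.0.2+build1-0ubuntu0.16.04.1",
    "14.04": "52.0.2+build1-0ubuntu0.14.04.1",
    "12.04": "52.0.2+build1-0ubuntu0.12.04.1",
}
# Constructed inventory rows: (host, Ubuntu release, installed firefox version).
INVENTORY = [
    ("ws-01", "16.04", "52.0.2+build1-0ubuntu0.16.04.1"),
    ("ws-02", "16.04", "52.0+build2-0ubuntu0.16.04.1"),
    ("ws-03", "16.10", "52.0.2~b1+build1-0ubuntu0.16.10.1"),
]
_RUNS = re.compile(r"(\D*)(\d*)")  # one non-digit run followed by one digit run

def _weight(ch):
    # Debian ordering: '~' < end of string < letters < everything else.
    if not ch or ch == "~":
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Non-digit runs compare by character weight, digit runs numerically.
    pairs = zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        for i in range(max(len(na), len(nb))):
            wa, wb = _weight(na[i:i + 1]), _weight(nb[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    head, colon, rest = version.partition(":")
    epoch, rest = (int(head), rest) if colon else (0, version)
    upstream, dash, revision = rest.rpartition("-")
    return epoch, (upstream if dash else rest), (revision if dash else "")

def compare(a, b):
    # Returns -1, 0 or 1 for a sorting before, equal to, or after b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(inventory):
    # Hosts whose installed version sorts below the fixed version for their release.
    return [h for h, rel, ver in inventory if compare(ver, FIXED[rel]) < 0]
```

On an Ubuntu host itself, `dpkg --compare-versions` performs the same ordering directly.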