{"id":"MGASA-2014-0507","summary":"Updated firefox & thunderbird packages fix security vulnerabilities","details":"Updated nss, firefox, and thunderbird packages fix security vulnerabilities:\n\nIn the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths\nis too permissive, allowing undetected smuggling of arbitrary data\n(CVE-2014-1569).\n\nSeveral flaws were found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox or Thunderbird to\ncrash or, potentially, execute arbitrary code with the privileges of the\nuser running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,\nCVE-2014-1593).\n\nA flaw was found in the Alarm API, which could allow applications to\nschedule actions to be run in the future. A malicious web application could\nuse this flaw to bypass the same-origin policy (CVE-2014-1594).\n\nThis update adds support for the TLS Fallback Signaling Cipher Suite Value\n(TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade\nattacks against applications which re-connect using a lower SSL/TLS\nprotocol version when the initial connection indicating the highest\nsupported protocol version fails. This can prevent a forceful downgrade of\nthe communication to SSL 3.0, mitigating CVE-2014-3566, also known as\nPOODLE.  SSL 3.0 support has also been disabled by default in this Firefox\nand Thunderbird update, further mitigating POODLE.\n","modified":"2026-01-30T13:40:32.899174Z","published":"2014-12-03T19:27:32Z","related":["CVE-2014-1569","CVE-2014-1587","CVE-2014-1590","CVE-2014-1592","CVE-2014-1593","CVE-2014-1594"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0507.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14716"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/"},{"type":"REPORT","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1064670"},{"type":"REPORT","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/"},{"type":"REPORT","url":"https://rhn.redhat.com/errata/RHSA-2014-1948.html"},{"type":"REPORT","url":"https://rhn.redhat.com/errata/RHSA-2014-1919.html"},{"type":"REPORT","url":"https://rhn.redhat.com/errata/RHSA-2014-1924.html"}],"affected":[{"package":{"name":"rootcerts","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/rootcerts?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20141117.00-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}},{"package":{"name":"nss","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.17.3-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}},{"package":{"name":"firefox","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"31.3.0-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"31.3.0-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}},{"package":{"name":"thunderbird","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"31.3.0-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"31.3.0-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0507.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}