Rubén Rodríguez <[email protected]> writes:

> == Changes since v31.8.0 ==
>
> * Applied patch for CVE-2015-4473 CVE-2015-4482 CVE-2015-4488
>   CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4495 from Guix

As the author of the backported patches from GNU Guix included in this
release, I feel compelled to warn users that I was not able to backport
all of the patches from Mozilla's ESR 38 branch. Specifically, the
following vulnerabilities might not be addressed by 31.8.0-gnu2:

* Miscellaneous memory safety hazards
  Impact: Critical (CVE-2015-4473) (only partially addressed in 31.8.0-gnu2)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/

* Buffer overflows in bundled libvpx when decoding WebM video
  Impact: Critical (CVE-2015-4485, CVE-2015-4486)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/

* Overflow issues in libstagefright
  Impact: Critical, but only affects Android
  (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/

* Vulnerabilities found through code inspection
  Impact: High (CVE-2015-4487)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/

* Redefinition of non-configurable JavaScript object properties
  Impact: High (CVE-2015-4478)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/

* Out-of-bounds read with malformed MP3 file
  Impact: High (CVE-2015-4475)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/

* Arbitrary file overwriting through Mozilla Maintenance Service with
  hard links
  Impact: High, but only affects Windows systems (CVE-2015-4481)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/

* Crash when using shared memory in JavaScript
  Impact: Moderate (CVE-2015-4484)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/

Therefore, we still have an urgent need for GNU IceCat 38.2.

    Mark

--
http://gnuzilla.gnu.org
