

A use-after-free issue during XML transformation operations was also patched in this release (CVE-2016-1964).

Firefox 45 also patches a Critical use-after-free issue when using multiple WebRTC data channel connections (CVE-2016-1962), a use-after-free issue in the SetBody function of HTMLDocument (CVE-2016-1961), a use-after-free issue in the HTML5 string parser (CVE-2016-1960), a mechanism where the Clients API in Service Workers can be used to trigger an out-of-bounds read in ServiceWorkerManager (CVE-2016-1959), and memory safety bugs in the browser engine (CVE-2016-1952 and CVE-2016-1953). The issue was resolved in Graphite 2 version 1.3.6, which also patches 11 heap buffer overflow bugs, along with two uninitialized memory flaws (CVE-2016-2790 and CVE-2016-2795), and an out-of-bounds bit set issue (CVE-2016-1977), Mozilla revealed.

Another Critical issue resolved in Firefox 45 (and Firefox ESR 38.7) was a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures, which could result in arbitrary code execution (CVE-2016-1950).

One of the issues resolved in the library with the new update was an out-of-bounds write when loading a crafted Graphite font file (CVE-2016-1969). The update arrived in Firefox 44.0.2, which was released roughly two weeks after Firefox 44 landed in the stable channel with push notifications and deprecated support for RC4.

In February, Graphite 2 was updated to version 1.3.5 to resolve four issues that could result in arbitrary code execution and denial-of-service (DoS) attacks. Other Critical vulnerabilities were found in NSS, XML transformations, SetBody, HTML5 string parser, Service Worker Manager, and WebRTC data channels.

The update patches flaws in multiple browser components, the most affected being the Graphite 2 library, which was impacted by 14 Critical bugs. Mozilla this week released the stable version of Firefox 45 to resolve 40 vulnerabilities in the browser, 22 of which are rated Critical.
