Debian Firefox vulnerabilities

CVE-2016-5255 [HIGH] CVE-2016-5255: firefox - Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep function i... Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep function in Mozilla Firefox before 48.0 allows remote attackers to execute arbitrary code via crafted JavaScript that is mishandled during incremental garbage collection. Scope: local sid: resolved (fixed in 48.0-1)

CVE-2016-2831 [HIGH] CVE-2016-2831: firefox - Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that ... Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (UI outage), or conduct clickjacking or spoofing attacks, via a crafted web site. Scope: local sid: resolved (fixed in 47.0-1)

CVE-2016-2815 [HIGH] CVE-2016-2815: firefox - Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox be... Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 47.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. Scope: local sid: resolved (fixed in 47.0-1)

CVE-2016-1959 [HIGH] CVE-2016-1959: firefox - The ServiceWorkerManager class in Mozilla Firefox before 45.0 allows remote atta... The ServiceWorkerManager class in Mozilla Firefox before 45.0 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via unspecified use of the Clients API. Scope: local sid: resolved (fixed in 45.0-1)

CVE-2016-1968 [HIGH] CVE-2016-1968: brotli - Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, allows remo... Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted data with brotli compression. Scope: local bookworm: resolved (fixed in 0.3.0+dfsg-3) bullseye: resolved (fixed in 0.3.0+dfsg-3) forky: resolved (fixed in 0.3.0+dfsg-3) sid: resolved (fixed in

CVE-2016-5266 [HIGH] CVE-2016-5266: firefox - Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTr... Mozilla Firefox before 48.0 does not properly restrict drag-and-drop (aka dataTransfer) actions for file: URIs, which allows user-assisted remote attackers to access local files via a crafted web site. Scope: local sid: resolved (fixed in 48.0-1)

CVE-2016-2814 [HIGH] CVE-2016-2814: firefox - Heap-based buffer overflow in the stagefright::SampleTable::parseSampleCencInfo ... Heap-based buffer overflow in the stagefright::SampleTable::parseSampleCencInfo function in libstagefright in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allows remote attackers to execute arbitrary code via crafted CENC offsets that lead to mismanagement of the sizes table. Scope: local sid: resolved (fixed in 46.0-1)

CVE-2016-9902 [HIGH] CVE-2016-9902: firefox - The Pocket toolbar button, once activated, listens for events fired from it's ow... The Pocket toolbar button, once activated, listens for events fired from it's own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50

CVE-2016-2791 [HIGH] CVE-2016-2791: firefox - The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in... The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. Scope: local sid: resolved (fixed in 45.0-1)

CVE-2016-9076 [MEDIUM] CVE-2016-9076: firefox - An issue where a "<select>" dropdown menu can be used to cover location bar cont... An issue where a "" dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function. This vulnerability affects Firefox < 50. Scope: local sid: resolved (fixed in 50.0-1)

CVE-2016-2816 [MEDIUM] CVE-2016-2816: firefox - Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Securi... Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type. Scope: local sid: resolved (fixed in 46.0-1)

CVE-2016-5262 [MEDIUM] CVE-2016-5262: firefox - Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript ... Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site. Scope: local sid: resolved (fixed in 48

CVE-2016-5251 [MEDIUM] CVE-2016-5251: firefox - Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar vi... Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL. Scope: local sid: resolved (fixed in 48.0-1)

CVE-2016-5265 [MEDIUM] CVE-2016-5265: firefox - Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted... Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow user-assisted remote attackers to bypass the Same Origin Policy, and conduct Universal XSS (UXSS) attacks or read arbitrary files, by arranging for the presence of a crafted HTML document and a crafted shortcut file in the same local directory. Scope: local sid: resolved (fixed in 48.0-1)

CVE-2016-5288 [MEDIUM] CVE-2016-5288: firefox - Web content could access information in the HTTP cache if e10s is disabled. This... Web content could access information in the HTTP cache if e10s is disabled. This can reveal some visited URLs and the contents of those pages. This issue affects Firefox 48 and 49. This vulnerability affects Firefox < 49.0.2. Scope: local sid: resolved (fixed in 50.0-1)

CVE-2016-9064 [MEDIUM] CVE-2016-9064: firefox - Add-on updates failed to verify that the add-on ID inside the signed package mat... Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Fire

CVE-2016-2825 [MEDIUM] CVE-2016-2825: firefox - Mozilla Firefox before 47.0 allows remote attackers to bypass the Same Origin Po... Mozilla Firefox before 47.0 allows remote attackers to bypass the Same Origin Policy and modify the location.host property via an invalid data: URL. Scope: local sid: resolved (fixed in 47.0-1)

CVE-2016-5292 [MEDIUM] CVE-2016-5292: firefox - During URL parsing, a maliciously crafted URL can cause a potentially exploitabl... During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash. This vulnerability affects Firefox < 50. Scope: local sid: resolved (fixed in 50.0-1)

CVE-2016-2827 [MEDIUM] CVE-2016-2827: firefox - The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 ... The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a Content Security Policy (CSP) referrer directive with zero values. Scope: local sid: resolved (fixed in 49.0-1)

CVE-2016-2817 [MEDIUM] CVE-2016-2817: firefox - The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in... The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL. Scope: