Chagelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Changelog:
Security fixes:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still
in use. This results in a potentially exploitable crash during
these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for
data theft of URLs loaded by users.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56 and Firefox ESR 52.4.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to
run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
No changes intended on other platforms, the configure script arguments
should be identical to those previously found in config.toml. Doing it
this way makes it a lot easier to have per-OS configuration.
Bugs fixed in this release
- 784735 : gst-libav: Memory leak and possible crash in avio_alloc_context.
XXX Unfortunately https://trac.ffmpeg.org/ticket/6775 stands.
(ffmpeg 3.4 regression)
This modification to the Makefile is no longer necessary since the
custom CFLAGS and LDFLAGS are now passed explicitly, instead of through
the environment (which did not work for me).
NFC.
In the C plug-ins, mark the constructor and destructor functions as
such. While there, comment out a new target to run the tests; they are
broken, but not because of this modification. This allows us to use
cc(1) to link the plug-ins, thus working around a bug in the cwrappers
for ld(1).
Bump PKGREVISION, since this generates a different binary now that SSP
and FORTIFY are enabled.
This bug-fix release addresses several regressions in Gradle 4.3.
- Gradle 4.3 introduced an improvement where an error in resolving a
module from one repository would prevent Gradle from searching for
that same module in subsequent repositories. However, the change to
abort searching repositories on all unrecognized errors proved to be
too aggressive. With 4.3.1, only repository timeout errors will
prevent Gradle from searching for a module in a subsequent repository.
- Moreover, the connection and socket timeouts for HTTP/HTTPS requests
have been increased to 30 seconds.
- This version of Gradle also removes an overload of
TaskInputs.property which caused statically compiled plugin code to
use the wrong method when calling TaskInputs.property(..., null).
- Finally, when using --scan the build scan plugin is applied before
other plugins to avoid rendering a warning message.
Features
- Send keyspace in QUERY, PREPARE, and BATCH messages
- Add IPv4Address/IPv6Address support for inet types
- WriteType.CDC and VIEW missing
- Warn on Cluster init if contact points are specified but LBP isn't
- Include hash of result set metadata in prepared stmt id
- Add NO_COMPACT startup option
- Add new exception type for CDC
Bug Fixes
- Both _set_final_exception/result called for the same ResponseFuture
- Use of DCAwareRoundRobinPolicy raises NoHostAvailable exception
- Not create two sessions by default in CQLEngine
- Bug when subclassing AyncoreConnection
- Error at cleanup when closing the asyncore connections
- Fix sites where sessions can change during iteration
- cqlengine: allow min_length=0 for Ascii and Text column types
- Rare exception when "sys.exit(0)" after query timeouts
- Dont set the session keyspace when preparing statements
- Use of DCAwareRoundRobinPolicy raises NoHostAvailable exception
Other
- Remove DeprecationWarning when using WhiteListRoundRobinPolicy
- Bump Cython dependency version to 0.27
Pkgsrc changes:
* for zabbix-frontend, adjust PLIST
Upstream changes:
Changes for 3.2.10
3.2.10rc1 was released as 3.2.10 without any changes
Changes for 3.2.10rc1
New features:
..F....... [ZBXNEXT-1421] added service sorting by name if multiple services
has same 'sortorder' value (miks)
..F....... [ZBXNEXT-4081] improved error message for case when none of
supported database modules exists (gcalenko)
Bug fixes:
..F....... [DEV-593] fixed multiple security issues (miks)
........S. [ZBX-11658] fixed error message in case no items were found
for aggre gated check (gleb)
.......PS. [ZBX-12854] fixed crash of VMware collector with DebugLevel=4 (gleb)
...G...... [ZBX-11902] fixed CPU count for LPAR partitions in IBM AIX (abs)
...G...... [ZBX-12260] fixed windows agent to support UTF-16LE, UCS-2,
UCS-2LE encodings (vso)
..F....... [ZBX-6669] fixed use of current host as filter when selecting
items for graph forms and trigger forms (gcalenko)
..F....... [ZBX-12722] fixed scrollbar causing a JS error in "500 latest
values" page due to unnecessarily initialization (Ivo)
..F....... [ZBX-12710] fixed OS type detection logic (vjaceslavs)
..F....... [ZBX-12543] fixed problems with session management (vjaceslavs)
........S. [ZBX-12259] added an informative warning about lack of data for
macros used in LLD rule filter (viktors)
--------------------------------------------------------------------------------
Changes for 3.2.9
3.2.9rc1 was released as 3.2.9 without any changes
--------------------------------------------------------------------------------
Changes for 3.2.9rc1
New features:
...G...PS. [ZBXNEXT-1862] modified server, proxy and agent to follow
changes in /etc/resolv.conf (Andris)
Bug fixes:
..F....... [ZBX-12788] fixed error when template is added to hosts via
mass update form (gcalenko, vmurzins)
..F....... [ZBX-12666] fixed ETag comparison check in jsLoader for web
server with enabled compression (gcalenko)
........S. [ZBX-10547] fixed IT services calculation in parallel
transactions not seeing each other changes when calculating
common parent service (vso)
........S. [ZBX-12441] fixed user permission check for macros containing
user personal information in notification messages (viktors)
....I..... [ZBX-12779] fixed detection of PostgreSQL 10 (Andris)
.......P.. [ZBX-12281] fixed simultaneous sending of the same history
data from passive proxy (gleb, vjaceslavs)
..F....... [ZBX-12770] fixed links in select popup for user groups;
updated group selection field in Administration->Users (gcalenko)
A......... [ZBX-8277] improved performance of hostgeneral.unlink() method;
fixed SQL statement (Sasha)
........S. [ZBX-11426] fixed the housekeeper for not deleting events in
open problem state (abs)
A......... [ZBX-10754] fixed inheritance of template properties in
web scenarios (miks)
A......... [ZBX-12681] fixed SQL errors in event.get() method (Sasha)
A......... [ZBX-12727] fixed response for script.get() method with
"editable" flag (Sasha)
A......... [ZBX-12727] fixed dcheck.get(), dhost.get() and dservice.get()
permission checks for admin users; related to ZBX-7238 (Sasha)
--------------------------------------------------------------------------------
Changes for 3.2.8
3.2.8rc1 was released as 3.2.8 without any changes
--------------------------------------------------------------------------------
Changes for 3.2.8rc1
New features:
A.F....... [ZBX-1357] enabled Turkish translation to be displayed
by default (zalex_ua)
A.F....... [ZBX-1357] updated Czech, English (United States), French,
Italian, Japanese, Korean, Russian, Turkish translations;
thanks to Zabbix translators (zalex_ua)
........S. [ZBX-12258] added bulk selections to improve performance
in processing of escalations (Sergejs)
Bug fixes:
..F....... [ZBX-12769] fixed XSS vulnerabilities in argument passing for
popup forms and file import forms (gcalenko)
A.F....... [ZBX-12768] added schema validation for URL fields based on
schemas whitelist in ZBX_URI_VALID_SCHEMES (gcalenko, Sasha)
.......PS. [ZBX-11675] fixed crash that could occur during connection
failures to MySQL (Sergejs, vso)
..F....... [ZBX-12617] fixed sorting by host name for items on
availability report page (gcalenko)
........S. [ZBX-12696] fixed trigger not being calculated for newly
received item values if last one of those is unsupported value (vso)
..F....... [ZBX-12548] fixed notification sound not being played for
message with timeout set to greater than minute (gcalenko)
...G...... [ZBX-12653] fixed heap corruption in Windows agent;
thanks to Ronnie Kaech for the patch (abs)
A......... [ZBX-12660] fixed result of hostinterface.replacehostinterfaces
method (Sasha)
..F....... [ZBX-12469] added new context for 'Second' string to be
properly translated in maintenance period form (gcalenko)
.......PS. [ZBX-12493] fixed address and ports array size in
zbx_init_ipmi_host() to match OpenIPMI internals (Andris, vso)
..F....... [ZBX-12623] fixed label macro resolving in maps (vjaceslavs)
..F.....S. [ZBX-11042] allowed libcurl to choose SMTP authentication
mechanism other than PLAIN (gleb, vjaceslavs)
..F....... [ZBX-8997] fixed trigger expression validation test
form (gcalenko, Sasha)
..F.I...S. [ZBX-12434] fixed housekeeping of problems and events for
deleted items and triggers; added optional database patch
to cleanup problems for deleted items and triggers (vso)
..F....... [ZBX-12646] fixed incorrect SQL query in availability reports (Sasha)
..F....... [ZBX-12545] fixed undefined index error on latest data
page when host was deleted in another session (gcalenko)
..F....... [ZBX-12321] fixed removal of multiselect options using
backspace button (miks)
..F....... [ZBX-12416] optimized data selection of user preferences
stored in profiles (gcalenko)
..F....... [ZBX-11607] fixed a rounding of large unsigned numbers (miks)
..F....... [ZBX-12404] fixed visibility of item data first row for
'latest data' page and 'audit log' page (gcalenko)
..F....... [ZBX-12463] fixed undefined index error in "Last 20 issues" (Sasha)
........S. [ZBX-12186] fixed parallel processing of multiple values
for same lld rule (vjaceslavs)
..F....... [ZBX-11887] fixed improper DB::refreshIds() call when
selected row is locked (miks)
..F....... [ZBX-12022] fixed trigger resolving in services configuration;
fixed popup window size (miks)
..F....... [ZBX-12429] fixed template replacement in mass update form (gcalenko)
..F....... [ZBX-12396] fixed an error in screens if screen trigger
overview element contains deleted host group (miks)
..F....... [ZBX-12439] fixed macro name field length in host configuration
form (gcalenko)
...G...PS. [ZBX-10820] fixed potential loss of data when server/proxy
processes zabbix_sender data (Andris)
........S. [ZBX-12446] fixed discovery and auto registration to accept
empty DNS names (vso)
........S. [ZBX-12295] fixed possible accumulation of executed tasks in
database (Sergejs)
........S. [ZBX-12318] fixed maintenance status not being updated in cache
if host is disabled (vso)
.......PS. [ZBX-12224] fixed connection to Oracle database when database
server gives out warnings (gleb)
...G...PS. [ZBX-12195] fixed contamination of script output with Zabbix'es
own log messages when logging level is set to 4 or 5 and
LogType=console (gleb)
...G...... [ZBX-12270] fixed processing of AIX item 'system.stat[ent]'
in agent; thanks to Marc for patch (Andris)
..F....... [ZBX-12277] fixed trigger expression test form incorrectly
replacing macros (Ivo)
DEPRECATIONS/CHANGES:
- API HTTP client behavior: When calling `NewClient` the API no longer
modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
backend that gets returned along with the authentication response
will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
or update a role with the mutually-exclusive options
`disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
backend, the TTL/max TTL values will now be an integer number of
seconds rather than a string. This better matches the API elsewhere
in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
the API, the response data will additionally return a `key_info` map
that will contain a map of each key with a corresponding object
containing the `key_type`.
- More granularity in audit logs: Audit request and response entires
are still in RFC3339 format but now have a granularity of
nanoseconds.
- High availability related values have been moved out of the
`storage` and `ha_storage` stanzas, and into the top-level
configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
is optional and enables configuration of the seal type to use for
additional data protection, such as using HSM or Cloud KMS solutions
to encrypt and decrypt data.
FEATURES:
- RSA Support for Transit Backend: Transit backend can now generate
RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
enhancements, Identity is an integrated system for understanding
users across tokens and enabling easier management of users directly
and via groups.
- External Groups in Identity: Vault can now automatically assign
users and systems to groups in Identity based on their membership in
external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
take advantage of FIPS 140-2-certified HSMs to ensure that Critical
Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
Sentinel to create extremely flexible access control policies - even
on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
auto-unsealing functionality, the `rekey` operation is now
supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
using Disaster Recovery replication, a token can be created that can
be used to authorize actions such as promotion and updating primary
information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
auto-unsealing, a request to unseal Vault can be triggered by a
threshold of recovery keys, rather than requiring the Vault process to
be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
Enterprise UI. The look and feel has been completely redesigned to
give users a better experience and make managing secrets fast and
easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
backend, create and browse roles. And use them to sign keys or
generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
backend via the Vault Enterprise UI. In addition you can create
roles, browse the roles and Generate IAM Credentials from them
in the UI.
IMPROVEMENTS:
- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
The files themselves were `600` and are all encrypted, but this
doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
or an integer
- secret/transit: Sign and verify operations now support a `none` hash
algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
promoting, and updating primary on DR Secondary clusters
BUG FIXES:
- api: Fix panic when setting a custom HTTP client but with a nil
transport
- api: Fix authing to the `cert` backend when the CA for the client
cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
matching
- physical/etcd3: Fix case where standbys can lose their etcd client
lease
- physical/file: Fix listing when underscores are the first component
of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
this was erroneously removed in a previous release
global `_res' variable. That's not supported on NetBSD, and IME
causes the zabbix agent daemon to exit shortly after having been started.
Convert to instead using res_ninit(), res_nsend(), and res_nclose().
Bump PKGREVISION.
This patch is a workaround for a perl core problem.
The patch has not been accepted upstream, and in its current form
introduces other bugs, see https://rt.perl.org/Ticket/Display.html?id=132448
Bump PKGREVISION.
3.37.0:
This is a deprecation release for some health check related features.
The following are now deprecated:
* Passing exception_in_generation to suppress_health_check. This no longer does anything even when passed - All errors that occur during data generation will now be immediately reraised rather than going through the health check mechanism.
* Passing random_module to suppress_health_check. This hasn’t done anything for a long time, but was never explicitly deprecated. Hypothesis always seeds the random module when running @given tests, so this is no longer an error and suppressing it doesn’t do anything.
* Passing non-HealthCheck values in suppress_health_check. This was previously allowed but never did anything useful.
In addition, passing a non-iterable value as suppress_health_check will now raise an error immediately (it would never have worked correctly, but it would previously have failed later). Some validation error messages have also been updated.
17.3.0:
Backward-incompatible Changes
- Attributes are not defined on the class body anymore.
This means that if you define a class C with an attribute x, the class will *not* have an attribute x for introspe
ction anymore.
Instead of C.x, use attr.fields(C).x or look at C.__attrs_attrs__.
The old behavior has been deprecated since version 16.1.
Changes
- super() and __class__ now work on Python 3 when slots=True.
- Added type argument to attr.ib() and corresponding type attribute to attr.Attribute.
This change paves the way for automatic type checking and serialization (though as of this release attrs does not make use of it).
In Python 3.6 or higher, the value of attr.Attribute.type can alternately be set using variable type annotations
- The combination of str=True and slots=True now works on Python 2.
- attr.Factory is hashable again.
- Subclasses now can overwrite attribute definitions of their superclass.
That means that you can -- for example -- change the default value for an attribute by redefining it.
- Added new option auto_attribs to @attr.s that allows to collect annotated fields without setting them to attr.ib().
Setting a field to an attr.ib() is still possible to supply options like validators.
Setting it to any other value is treated like it was passed as attr.ib(default=value) -- passing an instance of attr.Factory also works as expected.
When not using cwrappers, so far PKGSRC_MKPIE was only automatically
applied when linking using gcc(1) (when enabled). This is now also the
case for packages using ld(1) to link executables.
This notably fixes building with MKPIE or RELRO enabled.
Bump PKGREVISION, since this generates a different binary now that SSP and
FORTIFY are enabled.
The following CA certificates were Added:
CN = GDCA TrustAUTH R5 ROOT
SHA-256 Fingerprint: BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
Trust Flags: Websites
CN = SSL.com Root Certification Authority RSA
SHA-256 Fingerprint: 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
Trust Flags: Websites, Email
CN = SSL.com Root Certification Authority ECC
SHA-256 Fingerprint: 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
Trust Flags: Websites, Email
CN = SSL.com EV Root Certification Authority RSA R2
SHA-256 Fingerprint: 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
Trust Flags: Websites
CN = SSL.com EV Root Certification Authority ECC
SHA-256 Fingerprint: 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
Trust Flags: Websites
CN = TrustCor RootCert CA-1
SHA-256 Fingerprint: D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
Trust Flags: Websites, Email
CN = TrustCor RootCert CA-2
SHA-256 Fingerprint: 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
Trust Flags: Websites, Email
CN = TrustCor ECA-1
SHA-256 Fingerprint: 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
Trust Flags: Websites, Email
The following CA certificates were Removed:
CN = Certum CA, O=Unizeto Sp. z o.o.
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
CN = StartCom Certification Authority
SHA-256 Fingerprint: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA
CN = StartCom Certification Authority
SHA-256 Fingerprint: E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11
CN = StartCom Certification Authority G2
SHA-256 Fingerprint: C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95
CN = TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
SHA-256 Fingerprint: E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A
CN = ACEDICOM Root
SHA-256 Fingerprint: 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A
CN = Certinomis - Autorité Racine
SHA-256 Fingerprint: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17
CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
SHA-256 Fingerprint: 97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50
CN = PSCProcert
SHA-256 Fingerprint: 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0
CN = CA 沃通根证书, O=WoSign CA Limited
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
CN = Certification Authority of WoSign
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
CN = Certification Authority of WoSign G2
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
CN = CA WoSign ECC Root
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
libfreebl no longer requires SSE2 instructions.
New in NSS 3.34
New Functionality
When listing an NSS database using certutil -L, but the database
hasn't yet been initialized with any non-empty or empty password,
the text "Database needs user init" will be included in the listing.
When using certutil to set an inacceptable password in FIPS mode,
a correct explanation of acceptable passwords will be printed.
SSLKEYLOGFILE is now supported with TLS 1.3, see Bug 1287711 for details.
SSLChannelInfo has two new fields (Bug 1396525)
SSLNamedGroup originalKeaGroup holds the key exchange group of the
original handshake when the session was resumed.
PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
otherwise.
RSA-PSS signatures are now supported on certificates. Certificates
with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
signature on a certificate using the --pss-sign argument to certutil.
New Functions
Compatibility
NSS 3.34 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries
will work with NSS 3.34 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with
future versions of the NSS shared libraries.
Changelog: New
A completely new browsing engine, designed to take full advantage
of the processing power in modern devices
A redesigned interface with a clean, modern appearance, consistent
visual elements, and optimizations for touch screens
A unified address and search bar. New installs will see this
unified bar. Learn how to add the stand-alone search bar to
the toolbar
A revamped new tab page that includes top visited sites, recently
visited pages, and recommendations from Pocket (in the US,
Canada, and Germany)
An updated product tour to orient new and returning Firefox
users
AMD VP9 hardware video decoder support for improved video
playback with lower power consumption
An expanded section in preferences to manage all website
permissions
Fixed
Various security fixes
Changed
Firefox now exclusively supports extensions built using the
WebExtension API, and unsupported legacy extensions will no
longer work. Learn more about our efforts to improve the
performance and security of extensions
The browser's autoscroll feature, as well as scrolling by
keyboard input and touch-dragging of scrollbars, now use
asynchronous scrolling. These scrolling methods are now similar
to other input methods like mousewheel, and provide a smoother
scrolling experience
The content process now has a stricter security sandbox that
blocks filesystem reading and writing on Linux, similar to the
protections for Windows and macOS that shipped in Firefox 56
Middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
Removed the toolbar Share button. If you relied on this feature,
you can install the Share Backported extension instead.
Some older versions of the ATOK IME, including ATOK 2006, 2008,
2009 and 2010, can cause crashes and are therefore disabled on
the Windows 64-bit version of Firefox Quantum. To fix those
incompatibility issues, please use a newer version of ATOK or
one of other IMEs.
The default font for Japanese text is now Meiryo
Security fixes:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in
use. This results in a potentially exploitable crash during these
operations.
References
Bug 1406750 Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in
cross-origin iframes. This is a same-origin policy violation and
could allow for data theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7831: Information disclosure of exposed properties on
JavaScript proxy objects
Reporter
Oriol Brufau
Impact
moderate
Description
A vulnerability where the security wrapper does not deny access to
some exposed properties using the deprecated exposedProps mechanism
on proxy objects. These properties should be explicitly unavailable
to proxy objects.
References
Bug 1392026
#CVE-2017-7832: Domain spoofing through use of dotless 'i' character
followed by accent markers
Reporter
Jonathan Kew
Impact
moderate
Description
The combined, single character, version of the letter 'i' with any
of the potential accents in unicode, such as acute or grave, can
be spoofed in the addressbar by the dotless version of 'i' followed
by the same accent as a second character with most font sets. This
allows for domain spoofing attacks because these combined domain
names do not display as punycode.
References
Bug 1408782
#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
characters
Reporter
Rayyan Bijoora
Impact
moderate
Description
Some Arabic and Indic vowel marker characters can be combined with
Latin characters in a domain name to eclipse the non-Latin character
with some font sets on the addressbar. The non-Latin character will
not be visible to most viewers. This allows for domain spoofing
attacks because these combined domain names do not display as
punycode.
References
Bug 1370497
#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections
Reporter
Jordi Chancel
Impact
moderate
Description
A data: URL loaded in a new tab did not inherit the Content Security
Policy (CSP) of the original page, allowing for bypasses of the
policy including the execution of JavaScript. In prior versions
when data: documents also inherited the context of the original
page this would allow for potential cross-site scripting (XSS)
attacks.
References
Bug 1358009
#CVE-2017-7835: Mixed content blocking incorrectly applies with
redirects
Reporter
Ben Kelly
Impact
moderate
Description
Mixed content blocking of insecure (HTTP) sub-resources in a secure
(HTTPS) document was not correctly applied for resources that
redirect from HTTPS to HTTP, allowing content that should be blocked,
such as scripts, to be loaded on a page.
References
Bug 1402363
#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and
OS X
Reporter
Ezra Caltum
Impact
moderate
Description
The "pingsender" executable used by the Firefox Health Report
dynamically loads a system copy of libcurl, which an attacker could
replace. This allows for privilege escalation as the replaced
libcurl code will run with Firefox's privileges. Note: This attack
requires an attacker have local system access and only affects OS
X and Linux. Windows systems are not affected.
References
Bug 1401339
#CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies
Reporter
Jun Kokatsu
Impact
moderate
Description
SVG loaded through <img> tags can use <meta> tags within the SVG
data to set cookies for that page.
References
Bug 1325923
#CVE-2017-7838: Failure of individual decoding of labels in
international domain names triggers punycode display of entire IDN
Reporter
Corey Bonnell
Impact
low
Description
Punycode format text will be displayed for entire qualified
international domain names in some instances when a sub-domain
triggers the punycode display instead of the primary domain being
displayed in native script and the sub-domain only displaying as
punycode. This could be used for limited spoofing attacks due to
user confusion.
References
Bug 1399540
#CVE-2017-7839: Control characters before javascript: URLs defeats
self-XSS prevention mechanism
Reporter
Eric Lawrence
Impact
low
Description
Control characters prepended before javascript: URLs pasted in the
addressbar can cause the leading characters to be ignored and the
pasted JavaScript to be executed instead of being blocked. This
could be used in social engineering and self-cross-site-scripting
(self-XSS) attacks where users are convinced to copy and paste text
into the addressbar.
References
Bug 1402896
#CVE-2017-7840: Exported bookmarks do not strip script elements
from user-supplied tags
Reporter
Hanno Bock
Impact
low
Description
JavaScript can be injected into an exported bookmarks file by
placing JavaScript code into user-supplied tags in saved bookmarks.
If the resulting exported HTML file is later opened in a browser
this JavaScript will be executed. This could be used in social
engineering and self-cross-scripting (self-XSS) attacks if users
were convinced to add malicious tags to bookmarks, export them,
and then open the resulting file.
References
Bug 1366420
#CVE-2017-7842: Referrer Policy is not always respected for <link>
elements
Reporter
Jun Kokatsu
Impact
low
Description
If a document's Referrer Policy attribute is set to "no-referrer"
sometimes two network requests are made for <link> elements
instead of one. One of these requests includes the referrer instead
of respecting the set policy to not include a referrer on requests.
References
Bug 1397064
#CVE-2017-7827: Memory safety bugs fixed in Firefox 57
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Boris Zbarsky, Carsten Book,
Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer,
Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith,
and Ting-Yu Chou reported memory safety bugs present in Firefox 56.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to run
arbitrary code.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox
ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob
Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and
Ryan VanderMeulen reported memory safety bugs present in Firefox
56 and Firefox ESR 52.4. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
This is only relevant for PKGSRC_MKPIE. It partly reflects a fix that
was committed to the cwrappers for MKPIE, where the "-pie" flag was
automatically added in spite of the linker not actually creating an
executable.
