CVE-2016-9079 firefox use after free in SVG

Bug #1646741 reported by Rubin
This bug affects 1 person
Affects: Linux Mint
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Firefox less than 50.0.2 is vulnerable to a remote-code-execution bug as described in

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9079.html

This is a '0-day' publicly disclosed vulnerability with extremely high risk due to the ease of getting malicious images onto websites. (Ad networks, user uploads etc)

Firefox and Ubuntu have released 50.0.2 (50.0.2+build1-0ubuntu0.16.04.1) which patches the problem, but due to the way Mint 18 pins the 'mint' version of Firefox it will not install:

apt-cache policy firefox
firefox:
  Installed: 50.0+linuxmint1+serena
  Candidate: 50.0+linuxmint1+serena
  Version table:
     50.0.2+build1-0ubuntu0.16.04.1 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
 *** 50.0+linuxmint1+serena 700
        700 http://packages.linuxmint.com sarah/upstream amd64 Packages
        100 /var/lib/dpkg/status
     45.0.2+build1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

This is a very critical update that needs #1 priority. This patch needs to be deployed yesterday; where is it?

Sorry if this is being tracked somewhere else, I couldn't find any hint of it being addressed anywhere.

Rubin (rubin)
information type: Private Security → Public Security
Rubin (rubin) wrote :

50.0.2+linuxmint1+serena dropped this morning. Thanks.

Changed in linuxmint:
status: New → Fix Released
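
A check for the situation in this report, where a higher pin priority keeps the candidate below a version offered by the security archive. This is an added example, not part of the original bug report or of any Linux Mint tooling; the function names and the rule that a source line containing "security" marks the security archive are assumptions.

```python
import re, sys
from itertools import zip_longest

def _order(c):
    # Debian character order: '~' first, then end of run, letters, everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) + (0 if c.isalpha() else 256)

def _cmp(a, b):
    # dpkg compares alternating non-digit and digit runs
    runs = r"(\D*)(\d*)"
    for (na, da), (nb, db) in zip_longest(re.findall(runs, a), re.findall(runs, b),
                                          fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def deb_cmp(v1, v2):
    """Return <0, 0 or >0 using Debian's epoch:upstream-revision ordering."""
    def key(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = key(v1), key(v2)
    return (e1 - e2) or _cmp(u1, u2) or _cmp(r1, r2)

VERSION = re.compile(r"^\s+(?:\*\*\* )?(\S+) (\d+)$")   # "<version> <pin priority>"
SOURCE = re.compile(r"^\s+\d+ (\S.*)$")                 # "<priority> <archive ...>"

def held_back(policy_text):
    """(version, pin, source) for security-archive versions newer than the Candidate."""
    cand = re.search(r"^\s*Candidate: (\S+)", policy_text, re.M)
    if not cand or "Version table:" not in policy_text:
        return []
    hits, cur = [], None
    for line in policy_text.split("Version table:", 1)[1].splitlines():
        if m := VERSION.match(line):
            cur = (m.group(1), int(m.group(2)))
        elif (m := SOURCE.match(line)) and cur and "security" in m.group(1):
            if deb_cmp(cur[0], cand.group(1)) > 0:   # assumption: "security" marks the archive
                hits.append((*cur, m.group(1)))
    return hits

if __name__ == "__main__":   # usage: apt-cache policy firefox | python3 this_file.py
    for hit in held_back(sys.stdin.read()):
        print("held back:", *hit)
```

Fed the `apt-cache policy firefox` output quoted in the bug description, it reports 50.0.2+build1-0ubuntu0.16.04.1 (pin 500, xenial-security) as held back by the 700-priority Mint package.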
This report contains Public Security information  
Everyone can see this security related information.