Bug 8760

Summary: [UPDATE REQUEST 2014.1] newmoon 27.7.2
Product: [ROSA-based products] ROSA Fresh
Reporter: Алзим <alzim>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: andrey.bondrov, v.potapov
Version: Fresh
Flags: v.potapov: qa_verified+, andrey.bondrov: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Алзим 2018-02-14 13:01:04 MSK
Pale Moon 27.7.2 released.

This is a security and stability update.

Changes/fixes:
Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
Improved the debug-only startup cache wrapper to prevent a rare crash.
Fixed a crash in the XML parser.
Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
Fixed a potential race condition in the browser cache.
Fixed a crash in HTML media elements (CVE-2018-5102).
Fixed a crash in XHR using workers.
Fixed a crash with some uncommon FTP operations.
Fixed a potential race condition in the JAR library.
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Comment 2 Vladimir Potapov 2018-02-16 05:47:04 MSK
The update is sent to expanded testing
*****************************************
Comment 3 Vladimir Potapov 2018-02-20 12:21:59 MSK
newmoon-27.7.2-1
https://abf.io/build_lists/2919760
https://abf.io/build_lists/2919761

newmoon-l10n-27.7.2-1
https://abf.io/build_lists/2919762
https://abf.io/build_lists/2919763
**************************** Advisory **************************
Updated to 27.7.2
****************************************************************
QA Verified