Mozilla sent Firefox Version 53.0 to the release channel today. The update includes a massive 35 security updates identified as eight (8) Critical, sixteen (16) High, seven (7) Moderate updates and four (4) low security updates. Firefox ESR was updated to version 45.9.0.The next scheduled release is June 13, 2017 (5 week cycle with release for critical fixes as needed).
Security Fixes:
Critical
- CVE-2017-5433: Use-after-free in SMIL animation functions
- #CVE-2017-5435: Use-after-free during transaction processing in the editor
- #CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
- #CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
- #CVE-2017-5459: Buffer overflow in WebGL
- #CVE-2017-5466: Origin confusion when reloading isolated data:text/html URL
- #CVE-2017-5430: Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
- #CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
High
- #CVE-2017-5434: Use-after-free during focus handling
- #CVE-2017-5432: Use-after-free in text input selection
- #CVE-2017-5460: Use-after-free in frame selection
- #CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
- #CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
- #CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
- #CVE-2017-5441: Use-after-free with selection during scroll events
- #CVE-2017-5442: Use-after-free during style changes
- #CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
- #CVE-2017-5443: Out-of-bounds write during BinHex decoding#CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
- #CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data#CVE-2017-5447: Out-of-bounds read during glyph processing
- #CVE-2017-5465: Out-of-bounds read in ConvolvePixel
- #CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor#CVE-2017-5437: Vulnerabilities in Libevent library
- #CVE-2017-5454: Sandbox escape allowing file system read access through file picker#CVE-2017-5455: Sandbox escape through internal feed reader APIs
- #CVE-2017-5456: Sandbox escape allowing local file system access
- #CVE-2017-5469: Potential Buffer overflow in flex-generated code
Moderate
- #CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
- #CVE-2017-5449: Crash during bidirectional unicode manipulation with animation
- #CVE-2017-5450: Addressbar spoofing using javascript: URI on Firefox for Android
- #CVE-2017-5451: Addressbar spoofing with onblur event
- #CVE-2017-5462: DRBG flaw in NSS
- #CVE-2017-5463: Addressbar spoofing through reader view on Firefox for Android
- #CVE-2017-5467: Memory corruption when drawing Skia content
Low
- #CVE-2017-5452: Addressbar spoofing during scrolling with editable content on Firefox for Android#CVE-2017-5453: HTML injection into RSS Reader feed preview page through TITLE element
- #CVE-2017-5458: Drag and drop of javascript: URLs can allow for self-XSS
- #CVE-2017-5468: Incorrect ownership model for Private Browsing information
New
- Improved graphics stability for Windows users with the addition of compositor process separation (Quantum Compositor)
- Two new 'compact' themes available in Firefox, dark and light, based on the Firefox Developer Edition theme
- Lightweight themes are now applied in private browsing windows
- Reader Mode now displays estimated reading time for the page
- Windows 7+ users on 64-bit OS can select 32-bit or 64-bit versions in the stub installer
Changed
- Updated the design of site permission requests to make them harder to miss and easier to understand
- Windows XP and Vista are no longer supported. XP and Vista users running Firefox 52 will continue to receive security updates on Firefox ESR 52.
- 32-bit Mac OS X is no longer supported. 32-bit Mac OS X users can switch to Firefox ESR 52 to continue receiving security updates.
- Updates for Mac OS X are smaller in size compared to updates for Firefox 52
- Media playback on new tabs is blocked until the tab is visible
- The last few characters of shortened tab titles fade out instead of being replaced by ellipses to keep more of the title visible
- New visual design for audio and video controls
- Ended Firefox Linux support for processors older than Pentium 4 and AMD Opteron
To get the update now, select "Help" from the Firefox menu, then pick "About Firefox." Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.
References
- Common questions after updating Firefox
- Security Updates
- Mozilla Firefox Release Notes
- Bug Fixes
- Rapid Release Calendar
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
No comments:
Post a Comment