[devel] Vulnerability policy

Anton Farygin rider на altlinux.com
Вт Фев 21 22:02:57 MSK 2017


21.02.2017 21:44, Dmitry V. Levin пишет:
> Но если кому-то существенно удобнее записывать это как-то иначе и без
> скобочек, то, наверное, это можно формализовать и включить в правила.

Мне в последнее время нравится такая трактовка, предпочёл бы её, когда 
есть время всё это описывать:

- Fixed:
+ CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
+ CVE-2017-5376: Use-after-free in XSL
+ CVE-2017-5377: Memory corruption with transforms to create gradients 
in Skia
+ CVE-2017-5378: Pointer and frame data leakage of Javascript objects
+ CVE-2017-5379: Use-after-free in Web Animations
+ CVE-2017-5380: Potential use-after-free during DOM manipulations
+ CVE-2017-5390: Insecure communication methods in Developer Tools JSON 
viewer
+ CVE-2017-5389: WebExtensions can install additional add-ons via 
modified host requests
+ CVE-2017-5396: Use-after-free with Media Decoder
+ CVE-2017-5381: Certificate Viewer exporting can be used to navigate 
and save to arbitrary filesystem locations
+ CVE-2017-5382: Feed preview can expose privileged content errors and 
exceptions
+ CVE-2017-5383: Location bar spoofing with unicode characters
+ CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
+ CVE-2017-5385: Data sent in multipart channels ignores referrer-policy 
response headers
+ CVE-2017-5386: WebExtensions can use data: protocol to affect other 
extensions
+ CVE-2017-5394: Android location bar spoofing using fullscreen and 
JavaScript events
+ CVE-2017-5391: Content about: pages can load privileged about: pages
+ CVE-2017-5392: Weak references using multiple threads on weak proxy 
objects lead to unsafe memory usage
+ CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for 
mozAddonManager
+ CVE-2017-5395: Android location bar spoofing during scrolling
+ CVE-2017-5387: Disclosure of local file existence through TRACK tag 
error messages
+ CVE-2017-5388: WebRTC can be used to generate a large amount of UDP 
traffic for DDOS attacks
+ CVE-2017-5374: Memory safety bugs fixed in Firefox 51
+ CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7


Подробная информация о списке рассылки Devel