==========================================================================
Ubuntu Security Notice USN-3477-2
November 27, 2017

firefox regression
==========================================================================



A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS



Summary:

USN-3477-1 caused a regression in Firefox.



Software Description:

- firefox: Mozilla Open Source web browser



Details:

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search
suggestions to not be displayed when performing Google searches from the
search bar. This update fixes the problem.

We apologize for the inconvenience.



Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
address bar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted into the address bar
would be executed instead of being blocked in some circumstances. If a
user were tricked into copying a specially crafted URL into the
address bar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked into adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)



Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  firefox 57.0+build4-0ubuntu0.17.10.6

Ubuntu 17.04:
  firefox 57.0+build4-0ubuntu0.17.04.6

Ubuntu 16.04 LTS:
  firefox 57.0+build4-0ubuntu0.16.04.6

Ubuntu 14.04 LTS:
  firefox 57.0+build4-0ubuntu0.14.04.5

After a standard system update you need to restart Firefox to make
all the necessary changes.



References:
  https://www.ubuntu.com/usn/usn-3477-2
  https://www.ubuntu.com/usn/usn-3477-1
  https://launchpad.net/bugs/1733970

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.10.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.04.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.16.04.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.14.04.5







