Sicherheit: Mangelnde Eingabeprüfung in mozilla-noscript
Aktuelle Meldungen Distributionen
Name: Mangelnde Eingabeprüfung in mozilla-noscript
ID: FEDORA-2018-09c51bbcec
Distribution: Fedora
Plattformen: Fedora 27
Datum: Do, 27. September 2018, 23:32
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16983
Applikationen: mozilla-noscript


Fedora Update Notification
2018-09-27 16:16:50.020527

Name : mozilla-noscript
Product : Fedora 27
Version :
Release : 1.fc27
URL : http://noscript.net/
Summary : JavaScript white list extension for Mozilla Firefox
Description :
The NoScript Firefox extension provides extra protection for Firefox.
It allows JavaScript, Java, Flash and other plug-ins to be executed only by
trusted web sites of your choice (e.g. your online bank) and additionally
provides Anti-XSS protection.

Update Information:

Changes since === v
============================================================= * [TB] Gracefully
handle legacy external message recipients * [XSS] Updated known HTML5 events *
Better IPV6 support * UI support for protocol-only entries v
============================================================= * Fix for various
content script timing related issues (thanks therube for reporting) v ============================================================= *
total breakages when policies accidentally map to invalid match patterns *
Internal messaging dispatch better coping with multiple option windows *
multiple CSP DOM insertions v
============================================================= * Fixed message
handling regression breaking embedders and causing potential internal message
loops v =============================================================
* More efficient window.name-based tab-scoped permissions persistence * Fixed
URL parsing bugs * Fixed bug in requestKey generation * [Build] Enhanced TLD
data update subsystem * [UI] CUSTOM presets gets initialized with currently
applied preset, including temporary/permanent status * Improved internal
message dispatching, avoiding potential race conditions * [L10n] Transifex
integration * Work-around for DOM-injected CSP not being honored when
to the root element, rather than HEAD * Transparent support for FQDNs * Better
file: protocol support * Full-page placeholders for media/plugin documents v ============================================================= * Fixed
NOSCRIPT emulation not running in contexts where service workers are
such as private windows (thanks Peter Wu for patch) v 10.1.9
============================================================= * Completely
revamped CSP backend, enforcing policies both in webRequest and in the DOM *
Reload-less service worker busting * removed obsoleted failsafes, including
forced reloads * Better timing for popup UI feedback on permissions changes *
Send out a "started" message after initialization to help embedders
(like the
Tor browser) interact with NoScript * Updated TLDs v
============================================================= * Hotfix for
reload loops before CSP management refactoring v
============================================================= * Fixed reload
loop on unrestricted tabs (thanks random for reporting) v
============================================================= * Fixed
Sites.domainImplies() misplaced optimization. * [L10n] Added Catalan (ca) v ============================================================= * Fixed
onResponseHeader failing on session restore because of onBeforeRequest not
having being called. * Fixed regression: framed documents' URLs not being
reported in the UI (thanks xaex for report) v
============================================================= * More resilient
and optimized Sites.domainImplies() * Update ChildPolicies when automatic temp
TRUST for top-level documents is enabled * Fixed messages from content
being "eaten" by the wrong dispatcher when UI is open (thanks
skriptimaahinen) * Fixed typo causing accidental permissions/status mismatches
being checked only while pages are still loading (thanks skriptimaahinen) *
Fixed typo in XSS name sanitization script injection (thanks skriptimaahinen)
v ============================================================= *
Sites.domainImplies() should match subdomains * More coherent wrapper around
webex messaging API * Fixed inconsistencies affecting ChildPolicies content
script auto-generated matching rules. * Fixed potential issues with cross-
process messages * Simpler and more reliable safety net to ensure CSP headers
are injected last among WebExtensions * Fixed regression causing refresh loops
on pages which use type="object" requests to load images, css and
other types
* [L10n] ru and de translations * [XSS] Updated HTML events auto-generate
matching code to use both latest Mozilla source code and archived data since
Firefox ESR 52 * New dynamic scripts management strategy based on the
browser.contentScripts API, should fix some elusive, likely requestFilter-
induced, bugs * Fixed no-dot domains threated as empty TLDs (thanks Peter Wu
for patch) * Removed requestFilter hack for dynamic scripts management * [L10n]
br and tr translations (thanks Transifex/OTF,
https://www.transifex.com/otf/noscript/) * Best effort to have
webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner) *
[L10n] Localized "NoScript Options" title (thanks Diklabyte) * Fixed
scripts not being reported to UI (thanks skriptimaahinen for patch) * Skip
non-content windows when deferring startup page loads (thanks Rob Wu for
reporting) * Broader detection of UTF-8 encoding in responses (thanks Rob Wu
for reporting) * Improved support for debugging code removal in releases *
startup race condition with pending request tracking * Fixed updating NoScript
reloads tabs with revoked temporary permissions. Legacy version: === v ============================================================= *
[Security] Fixed script blocking bypass zero-day (thanks Zerodium for
unresponsible disclosure,
https://twitter.com/Zerodium/status/1039127214602641409) * [Surrogate] Fixed
typo in 2mdn replacement (thansk barbaz) * [XSS] Fixed InjectionChecker choking
at some big JSON payloads sents as POST form data * [XSS] In-depth protection
against native ES6 modules abuse * Fixed classic beta channel users being
accidentally migrated to stable (thanks barbaz)

* Sun Sep 16 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to
- update classic version to (fixes CVE-2018-16983)
* Mon Jul 30 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1609266)
- make main package dependencies on subpackages versioned
* Fri Jul 20 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1601456)
- update classic version to
- extract only the licenses and cfg file
* Fri Jun 29 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1583884)
* Wed May 23 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1572820)
* Thu Apr 12 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1557592)
- update classic version to
* Fri Mar 16 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1557318)
- update bundled components Provides:
* Mon Feb 19 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1543851)
- update classic version to
* Thu Feb 1 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1539464)
- switch URL to upstream instead of AMO, they're identical
- split FF and SM extensions to separate subpackages
* Sat Jan 20 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1532905)
- install metainfo file in the new standard location
* Mon Jan 1 2018 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1528835)
* Tue Dec 19 2017 Dominik Mierzejewski <rpm@greysector.net> - 10.1.6-1
- update to 10.1.6 (#1527501)
* Sat Dec 16 2017 Dominik Mierzejewski <rpm@greysector.net> -
- update to (#1524389)
- bring back the classic version (still developed until June 2018)
for SeaMonkey (#1526199)
* Sat Nov 25 2017 Dominik Mierzejewski <rpm@greysector.net> - 10.1.2-1
- update to 10.1.2
* Mon Nov 20 2017 Dominik Mierzejewski <rpm@greysector.net> - 10.1.1-1
- update to 10.1.1 (pure WebExtension version, Firefox 57+ only)
* Thu Nov 2 2017 Dominik Mierzejewski <rpm@greysector.net> - 5.1.4-1
- update to 5.1.4 (#1504408)

[ 1 ] Bug #1629212 - CVE-2018-16983 mozilla-noscript: NoScript Bypass via the
text/html;/json Content-Type value

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-09c51bbcec' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Pro-Linux @Twitter
Neue Nachrichten