CVE-2015-4490

Upstream information

CVE-2015-4490 at MITRE

Description

The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in Mozilla Firefox before 40.0 does not implement the Content Security Policy Level 2 exceptions for the blob, data, and filesystem URL schemes during wildcard source-expression matching, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging unexpected policy-enforcement behavior.

SUSE information

SUSE Bugzilla entry: 940806 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2015:1389-1, published Fri, 14 Aug 2015 19:09:37 +0200 (CEST)
openSUSE-SU-2015:1390-1, published Fri, 14 Aug 2015 19:10:03 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Module for Desktop Applications 15	`MozillaFirefox >= 52.7.3-1.35` `MozillaFirefox-devel >= 52.7.3-1.35` `MozillaFirefox-translations-common >= 52.7.3-1.35` `MozillaFirefox-translations-other >= 52.7.3-1.35`	Patchnames: SUSE Linux Enterprise Module for Desktop Applications 15 GA MozillaFirefox
SUSE Linux Enterprise Module for Desktop Applications 15 SP1	`MozillaFirefox >= 60.6.2-3.32.1` `MozillaFirefox-devel >= 60.6.2-3.32.1` `MozillaFirefox-translations-common >= 60.6.2-3.32.1` `MozillaFirefox-translations-other >= 60.6.2-3.32.1`	Patchnames: SUSE Linux Enterprise Module for Desktop Applications 15 SP1 GA MozillaFirefox
openSUSE 13.1	`MozillaFirefox >= 40.0-82.1` `MozillaFirefox-branding-openSUSE >= 40-2.3.1` `MozillaFirefox-branding-upstream >= 40.0-82.1` `MozillaFirefox-buildsymbols >= 40.0-82.1` `MozillaFirefox-debuginfo >= 40.0-82.1` `MozillaFirefox-debugsource >= 40.0-82.1` `MozillaFirefox-devel >= 40.0-82.1` `MozillaFirefox-translations-common >= 40.0-82.1` `MozillaFirefox-translations-other >= 40.0-82.1`	Patchnames: openSUSE-2015-547
openSUSE Leap 15.0	`MozillaFirefox >= 60.0-lp150.2.2` `MozillaFirefox-translations-common >= 60.0-lp150.2.2` `MozillaFirefox-translations-other >= 60.0-lp150.2.2`	Patchnames: openSUSE Leap 15.0 GA MozillaFirefox
openSUSE Leap 42.1	`MozillaFirefox >= 41.0.2-1.2` `MozillaFirefox-translations-common >= 41.0.2-1.2`	Patchnames: openSUSE Leap 42.1 GA MozillaFirefox
openSUSE Leap 42.2	`MozillaFirefox >= 49.0.2-37.1` `MozillaFirefox-translations-common >= 49.0.2-37.1`	Patchnames: openSUSE Leap 42.2 GA MozillaFirefox
openSUSE Leap 42.3	`MozillaFirefox >= 52.2-58.2` `MozillaFirefox-translations-common >= 52.2-58.2`	Patchnames: openSUSE Leap 42.3 GA MozillaFirefox
openSUSE Tumbleweed	`MozillaFirefox >= 50.1.0-1.1` `MozillaFirefox-branding-upstream >= 50.1.0-1.1` `MozillaFirefox-buildsymbols >= 50.1.0-1.1` `MozillaFirefox-devel >= 50.1.0-1.1` `MozillaFirefox-translations-common >= 50.1.0-1.1` `MozillaFirefox-translations-other >= 50.1.0-1.1`	Patchnames: openSUSE Tumbleweed GA MozillaFirefox