From: Anton Farygin
To: devel@lists.altlinux.org
Date: Tue, 21 Feb 2017 22:02:57 +0300
Subject: Re: [devel] Vulnerability policy
References: <20170221183312.GD8122@imap.altlinux.org> <20170221184433.GA27660@altlinux.org>
In-Reply-To: <20170221184433.GA27660@altlinux.org>

21.02.2017 21:44, Dmitry V. Levin wrote:
> But if it is substantially more convenient for someone to write this in
> some other way and without brackets, then this can probably be
> formalized and included in the rules.

Lately I have liked this interpretation and would prefer it when there is time to describe all of this:

- Fixed:
  + CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
  + CVE-2017-5376: Use-after-free in XSL
  + CVE-2017-5377: Memory corruption with transforms to create gradients in Skia
  + CVE-2017-5378: Pointer and frame data leakage of Javascript objects
  + CVE-2017-5379: Use-after-free in Web Animations
  + CVE-2017-5380: Potential use-after-free during DOM manipulations
  + CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
  + CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
  + CVE-2017-5396: Use-after-free with Media Decoder
  + CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations
  + CVE-2017-5382: Feed preview can expose privileged content errors and exceptions
  + CVE-2017-5383: Location bar spoofing with unicode characters
  + CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
  + CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers
  + CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
  + CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events
  + CVE-2017-5391: Content about: pages can load privileged about: pages
  + CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage
  + CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager
  + CVE-2017-5395: Android location bar spoofing during scrolling
  + CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages
  + CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks
  + CVE-2017-5374: Memory safety bugs fixed in Firefox 51
  + CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7