출처: http://la-nube.tistory.com/326 [la Nube's Lab. | 라 누베 연구소]
모질라(Mozilla)에서 개발하는 웹브라우저 '불여우' 파이어폭스(Firefox)의 새로운 기능 추가와 버그 수정 및 보안 취약점 문제를 해결한 파이어폭스 58.0 버전이 업데이트를 통해 배포되었습니다.
--
이번 업데이트에는 다음과 같은 32건의 보안 취약점에 대한 보안 패치가 포함되어 있습니다.
■ Critical 등급 (3)
CVE-2018-5089 : Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
CVE-2018-5090 : Memory safety bugs fixed in Firefox 58
CVE-2018-5091 : Use-after-free with DTMF timers
■ High 등급 (13)
CVE-2018-5092 : Use-after-free in Web Workers
CVE-2018-5093 : Buffer overflow in WebAssembly during Memory/Table resizing
CVE-2018-5094 : Buffer overflow in WebAssembly with garbage collection on uninitialized memory
CVE-2018-5095 : Integer overflow in Skia library during edge builder allocation
CVE-2018-5097 : Use-after-free when source document is manipulated during XSLT
CVE-2018-5098 : Use-after-free while manipulating form input elements
CVE-2018-5099 : Use-after-free with widget listener
CVE-2018-5100 : Use-after-free when IsPotentiallyScrollable arguments are freed from memory
CVE-2018-5101 : Use-after-free with floating first-letter style elements
CVE-2018-5102 : Use-after-free in HTML media elements
CVE-2018-5103 : Use-after-free during mouse event handling
CVE-2018-5104 : Use-after-free during font face manipulation
CVE-2018-5105 : WebExtensions can save and execute files on local file system without user prompts
■ Moderate 등급 (13)
CVE-2018-5106 : Developer Tools can expose style editor information cross-origin through service worker
CVE-2018-5107 : Printing process will follow symlinks for local file access
CVE-2018-5108 : Manually entered blob URL can be accessed by subsequent private browsing tabs
CVE-2018-5109 : Audio capture prompts and starts with incorrect origin attribution
CVE-2018-5110 : Cursor can be made invisible on OS X
CVE-2018-5111 : URL spoofing in addressbar through drag and drop
CVE-2018-5112 : Extension development tools panel can open a non-relative URL in the panel
CVE-2018-5113 : WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow
CVE-2018-5114 : The old value of a cookie changed to HttpOnly remains accessible to scripts
CVE-2018-5115 : Background network requests can open HTTP authentication in unrelated foreground tabs
CVE-2018-5116 : WebExtension ActiveTab permission allows cross-origin frame content access
CVE-2018-5117 : URL spoofing with right-to-left text aligned left-to-right
CVE-2018-5118 : Activity Stream images can attempt to load local content through file
■ Low 등급 (3)
CVE-2018-5119 : Reader view will load cross-origin content in violation of CORS headers
CVE-2018-5121 : OS X Tibetan characters render incompletely in the addressbar
CVE-2018-5122 : Potential integer overflow in DoCrypt
--
그 외에 다음과 같은 새로운 기능 추가 및 버그 수정이 이루어졌습니다.
■ NEW - Performance improvements
* Rendering graphics for Windows users by using Off-Main-Thread Painting (OMTP)
* Loading pages faster by changing how Firefox caches and retrieves JavaScript
■ NEW - Improvements to Firefox Screenshots
* Copy and paste screenshots directly to your clipboard
* Firefox Screenshots now works in Private Browsing mode
■ NEW - Added Nepali (ne-NP) locale
■ FIXED - Fonts installed in non-standard directories will no longer appear blank for Linux users
■ CHANGED - User profiles created in Firefox 58 (and in future releases) are not supported in previous versions of Firefox. Users who downgrade to a previous version should create a new profile for that version. Learn about alternatives to downgrading on our support site.
■ DEVELOPER - Implemented the PerformanceNavigationTiming API
자세한 업데이트 내역은 아래 링크의 정보를 참고하기 바랍니다.
--
[영향을 받는 소프트웨어 및 업데이트 버전]
□ 파이어폭스 57.0.4 및 이하 버전 → 파이어폭스 58.0 버전으로 업데이트
※ https://www.mozilla.org/en-US/firefox/58.0/releasenotes/
※ https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/
--
그러므로 파이어폭스 사용자는 자동 업데이트('메뉴 열기 → 도움말 → Firefox 정보') 기능을 통해 최신버전으로 업데이트하기 바랍니다.
리눅스에서는 패키지 업데이트를 통해 최신버전으로 업데이트하기 바랍니다.
데비안 / 우분투 기준 : $ sudo apt-get update && sudo apt-get dist-upgrade
출처: http://la-nube.tistory.com/326 [la Nube's Lab. | 라 누베 연구소]
