{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","type":"mozilla","namespace":"","name":"Firefox ESR","version":"38.8.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"45.1.0","latest_non_vulnerable_version":"140.11.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1887?format=json","vulnerability_id":"VCID-27t5-214b-33g2","summary":"Using Address Sanitizer, security researcher Sascha Just reported a\nbuffer overflow in the libstagefright library due to issues with the handling of CENC\noffsets and the sizes table. This results in a potentially exploitable crash triggerable\nthrough web content.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2814","reference_id":"CVE-2016-2814","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2814"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-44","reference_id":"mfsa2016-44","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-44"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906?format=json","purl":"pkg:mozilla/Firefox%20ESR@45.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.1.0"}],"aliases":["CVE-2016-2814"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-27t5-214b-33g2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1965?format=json","vulnerability_id":"VCID-7hry-whqg-97gm","summary":"Mozilla developers fixed several memory safety bugs in the browser engine used in\nFirefox and other Mozilla-based products. Some of these bugs showed evidence of memory\ncorruption under certain circumstances, and we presume that with enough effort at least\nsome of these could be exploited to run arbitrary code.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2807","reference_id":"CVE-2016-2807","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2807"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-39","reference_id":"mfsa2016-39","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906?format=json","purl":"pkg:mozilla/Firefox%20ESR@45.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.1.0"}],"aliases":["CVE-2016-2807"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7hry-whqg-97gm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1922?format=json","vulnerability_id":"VCID-fam8-n44k-2qh7","summary":"Mozilla developer Tim Taubert used the Address Sanitizer tool and\nsoftware fuzzing to discover a use-after-free vulnerability while processing DER encoded\nkeys in the Network Security Services (NSS) libraries. The vulnerability overwrites the\nfreed memory with zeroes. This issue has been addressed in NSS 3.21.1, shipping in Firefox\n45.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979","reference_id":"CVE-2016-1979","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-36","reference_id":"mfsa2016-36","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-36"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"}],"aliases":["CVE-2016-1979"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fam8-n44k-2qh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1886?format=json","vulnerability_id":"VCID-jwzp-ucfg-wycd","summary":"Security researcher Hanno Böck reported that calculations with\nmp_div and mp_exptmod in Network Security Services (NSS) can\nproduce wrong results in some circumstances. These functions are used within NSS for a\nvariety of cryptographic division functions, leading to potential cryptographic\nweaknesses.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1938","reference_id":"CVE-2016-1938","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1938"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-07","reference_id":"mfsa2016-07","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-07"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"}],"aliases":["CVE-2016-1938"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jwzp-ucfg-wycd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1971?format=json","vulnerability_id":"VCID-nmg1-t9x3-8kgb","summary":"The CESG, the Information Security Arm of GCHQ, reported that the\nJavaScript .watch() method could be used to overflow the 32-bit generation\ncount of the underlying HashMap, resulting in a write to an invalid entry. Under the right\nconditions this write could lead to arbitrary code execution. The overflow takes\nconsiderable time and a malicious page would require a user to keep it open for the\nduration of the attack.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2808","reference_id":"CVE-2016-2808","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2808"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-47","reference_id":"mfsa2016-47","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906?format=json","purl":"pkg:mozilla/Firefox%20ESR@45.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.1.0"}],"aliases":["CVE-2016-2808"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmg1-t9x3-8kgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1878?format=json","vulnerability_id":"VCID-s692-wjkg-xkfr","summary":"Mozilla developer  Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1978","reference_id":"CVE-2016-1978","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1978"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-15","reference_id":"mfsa2016-15","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-15"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"}],"aliases":["CVE-2016-1978"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s692-wjkg-xkfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1928?format=json","vulnerability_id":"VCID-werm-rpt3-cuad","summary":"Security researcher Jordi Chancel discovered a variant of Mozilla Foundation\nSecurity Advisory 2015-136 which was fixed in Firefox 43. In the original bug, it\nwas possible to read cross-origin URLs following a redirect if\nperformance.getEntries() was used along with an iframe to host a page.\nNavigating back in history through script, content was pulled from the browser cache for\nthe redirected location instead of going to the original location. In the newly reported\nvariant issue, it was found that if a browser session was restored, history navigation\nwould still allow for the same attack as content was restored from the browser cache. This\nis a same-origin policy violation and could allow for data theft.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1967","reference_id":"CVE-2016-1967","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1967"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-29","reference_id":"mfsa2016-29","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-29"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/900?format=json","purl":"pkg:mozilla/Firefox%20ESR@38.8.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"}],"aliases":["CVE-2016-1967"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-werm-rpt3-cuad"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@38.8.0"}