LinuxQuestions.org > Slackware > [Slackware security] vulnerabilities outstanding 20140101
(https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

mancha 08-07-2015 12:26 AM

Update 20150807 UTC

  1. Mozilla Firefox

    A flaw was discovered in Firefox that permits the violation of same origin policy and injection of script into a non-privileged part
    of the built-in PDF viewer. This allows an attacker to read and steal sensitive local files on a victim's computer. (CVE-2015-4495)

    Mozilla has received numerous reports of active exploitation in the wild.

    Recommendation: Slackware users should upgrade to Firefox 39.0.3, asap.

    Note: Slackware 14.1 ships FF ESR 31 which has EOL'd in favor of FF ESR 38. Slackware 14.1 users who wish to remain on the
    ESR track should upgrade to ESR 38.1.1 to address this flaw. Alternatively, they can use ruario's script (see earlier posts for
    instructions) to install Mozilla's build of 39.0.3.

--mancha
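The upgrade recommendation above boils down to a version check an admin would want to script across machines: fixed on the release channel from 39.0.3, on the ESR channel from 38.1.1, with ESR 31 unfixed. This is an added example, not code from the thread or from Slackware; it parses the output format of `firefox --version` and treats any other input as unknown.

```shell
#!/bin/sh
# Added example: classify a Firefox version string against the builds that
# fix CVE-2015-4495 (39.0.3 release, 38.1.1 ESR; ESR 31 is EOL and unfixed).

# vercmp A B: print -1, 0 or 1 comparing dotted version strings numerically
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"   # consume one component
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"                  # missing component == 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# ff_status "Mozilla Firefox 38.1.1esr": print fixed / vulnerable / unknown
# exit status: 0 fixed, 1 vulnerable, 2 unparseable input
ff_status() {
    # keep only the leading dotted-number part of the version token
    v=$(printf '%s\n' "$1" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return 2; }
    major="${v%%.*}"
    # release channel: anything at or past 39.0.3
    if [ "$(vercmp "$v" 39.0.3)" -ge 0 ]; then echo fixed; return 0; fi
    # ESR 38 channel: fixed from 38.1.1; ESR 31 never gets the fix
    if [ "$major" -eq 38 ] && [ "$(vercmp "$v" 38.1.1)" -ge 0 ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# usage on a live system:  ff_status "$(firefox --version)"
```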

j_v 08-07-2015 05:11 AM

I've just built and upgraded to 38.1.1esr. Be aware that there are changes in how this firefox handles profiles. I highly recommend backing up the .mozilla folder before starting the newly installed firefox. I've already needed the backup for restoring some of my preferences.

mancha 08-07-2015 11:44 AM

Update

Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.

They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.

--mancha

ponce 08-07-2015 12:09 PM

thanks for the heads-up, mancha: one more reason to keep using adblock and noscript extensions.

j_v 08-07-2015 02:11 PM

It's weird, that CVE number comes up as reserved at http://cve.mitre.org/cgi-bin/cvename...=CVE-2015-4495.
But a search for the exploit here https://web.nvd.nist.gov/view/vuln/s...execution=e2s1
brings up https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-2743.

Is this perhaps the syntax change that mitre.org is describing?

slalik 08-07-2015 03:00 PM

CVE-2015-4495 is very impressive :-(. Does it mean that Firefox users must update all certificates, ssh, gpg keys etc.?

cwizardone 08-07-2015 11:23 PM

Quote:

Originally Posted by mancha (Post 5402509)
Update

Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.

They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.

--mancha

Mancha,
Where does that leave users of SeaMonkey, which hasn't been updated since March?
Thanks.

MadMaverick9 08-07-2015 11:49 PM

Uh ... just disable the builtin pdf viewer in firefox?!?!?!?!

Set "pdfjs.disabled" to true in "about:config".

mupdf and evince do not have javascript builtin.

From the mupdf slackbuild:
Code:

MUJS="${MUJS:-no}"
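The about:config change above can be made persistent (and pushed to many profiles) through the profile's user.js, which Firefox reads at every start and copies into prefs.js. This is an added example, not code from the thread; the profile directory is passed in as an argument (look under ~/.mozilla/firefox/ for yours) and the demo runs on a constructed throw-away directory.

```shell
#!/bin/sh
# Added example: idempotently set a Firefox pref in a profile's user.js,
# here pdfjs.disabled=true to turn off the built-in PDF viewer.

# set_user_pref DIR NAME VALUE: write or replace user_pref("NAME", VALUE);
set_user_pref() {
    dir="$1" name="$2" value="$3"
    f="$dir/user.js"
    tmp="$f.tmp.$$"
    # copy every line except an existing entry for this pref (fixed-string match)
    if [ -f "$f" ]; then
        grep -F -v -e "user_pref(\"$name\"," "$f" || true
    fi > "$tmp"
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$f"
}

# get_user_pref DIR NAME: print the value recorded for NAME, nothing if unset
get_user_pref() {
    [ -f "$1/user.js" ] || return 0
    pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')      # dots are literal in the name
    sed -n "s/^user_pref(\"$pat\", *\(.*\));$/\1/p" "$1/user.js" | tail -n 1
}

# pdfjs_disabled DIR: succeed only if the profile has pdf.js turned off
pdfjs_disabled() {
    [ "$(get_user_pref "$1" pdfjs.disabled)" = true ]
}

# demo on a constructed, temporary profile directory
demo() {
    d=$(mktemp -d)
    set_user_pref "$d" pdfjs.disabled false
    set_user_pref "$d" browser.startup.homepage '"about:blank"'
    set_user_pref "$d" pdfjs.disabled true          # replaces, does not duplicate
    pdfjs_disabled "$d" && echo "pdf.js disabled in $d/user.js"
    grep -c '^user_pref(' "$d/user.js"              # 2: one line per pref
    rm -r "$d"
}
demo
```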

MadMaverick9 08-08-2015 12:01 AM

Quote:

Originally Posted by cwizardone (Post 5402755)
Mancha,
Where does that leave users of SeaMonkey, which hasn't been updated since March?
Thanks.

From reading this [@mozillazine.org] it seems that SeaMonkey does not have the pdf viewer built in. It needs to be explicitly installed.

drgibbon 08-08-2015 02:17 AM

Quote:

Originally Posted by ponce (Post 5402521)
thanks for the heads-up, mancha: a reason more to keep using adblock and noscript extensions.

You could also firejail the Firefox process, and when run with the default profile
Code:

firejail --profile=/etc/firejail/firefox.profile --caps firefox
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.

1337_powerslacker 08-08-2015 08:47 AM

Quote:

Originally Posted by drgibbon (Post 5402790)
You could also firejail the Firefox process, and when run with the default profile
Code:

firejail --profile=/etc/firejail/firefox.profile --caps firefox
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.

drgibbon, thanks for the heads-up about firejail! It is most useful in this day and age where every application and its cousin has to have some kind of access to the Internet. :)

j_v 08-08-2015 11:29 AM

Just as a heads up, firejail is available at SBo http://slackbuilds.org/repository/14.1/system/firejail/
I'm going to try it after I post this.

EDIT: the version in the SlackBuild is a bit old, but substituting the newer version (0.9.28) in the script, it builds without errors.

POST EDIT: running a simple instance of
Code:

firejail firefox
right now. I need to read up more about and utilize firejail's options, but initial impression is that it doesn't break anything yet and I hardly notice it there. Thanks for the pointer to this, drgibbon.

LAST EDIT: I noticed that if you try to start firefox jailed by firejail and you already have an instance of firefox running unjailed, firejail will close and the new firefox is attaching (this is a guess) to the existing firefox process. If you ensure that the first firefox is firejail'd, then it seems that new firefox windows get immediately jailed (another guess, will try to debug to be sure). The dev for firejail seems to be very active and very responsive, so I am encouraged about this.

j_v 08-08-2015 12:57 PM

Updates for ca-certificates, mozilla-nss, mozilla-firefox have been released for both 14.1 and current.

slalik 08-08-2015 01:33 PM

What is the better approach, firejail or running firefox under a different user like "Skype with a grain of salt"?

drgibbon 08-08-2015 06:59 PM

Quote:

Originally Posted by j_v (Post 5402939)
POST EDIT: running a simple instance of
Code:

firejail firefox
right now.

For some reason that didn't work for me, I had to explicitly load the Firefox profile from the command line as above. I tested it by adding:
Code:

blacklist ${HOME}/documents
to /etc/firejail/firefox.profile and it was only when supplying the profile to the firejail call that access to ~/documents was denied (by Ctrl-O and browsing to ~/documents in Firefox), but YMMV.
