[security-announce] SUSE-SU-2014:0248-1: important: Security update for MozillaFirefox

SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0248-1 Rating: important References: #859055 #861847 Cross-References: CVE-2014-1477 CVE-2014-1479 CVE-2014-1480 CVE-2014-1481 CVE-2014-1482 CVE-2014-1483 CVE-2014-1484 CVE-2014-1485 CVE-2014-1486 CVE-2014-1487 CVE-2014-1488 CVE-2014-1489 CVE-2014-1490 CVE-2014-1491 Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Server 11 SP3 for VMware SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 14 vulnerabilities is now available. It includes two new package versions. Description: This updates the Mozilla Firefox browser to the 24.3.0ESR security release. The Mozilla NSS libraries are now on version 3.15.4. The following security issues have been fixed: * MFSA 2014-01: Memory safety bugs fixed in Firefox ESR 24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345) * MFSA 2014-02: Using XBL scopes its possible to steal(clone) native anonymous content (CVE-2014-1479)(bnc#862348) * MFSA 2014-03: Download "open file" dialog delay is too quick, doesn't prevent clickjacking (CVE-2014-1480) * MFSA 2014-04: Image decoding causing FireFox to crash with Goo Create (CVE-2014-1482)(bnc#862356) * MFSA 2014-05: caretPositionFromPoint and elementFromPoint leak information about iframe contents via timing information (CVE-2014-1483)(bnc#862360) * MFSA 2014-06: Fennec leaks profile path to logcat (CVE-2014-1484) * MFSA 2014-07: CSP should block XSLT as script, not as style (CVE-2014-1485) * MFSA 2014-08: imgRequestProxy Use-After-Free Remote Code Execution Vulnerability (CVE-2014-1486) * MFSA 2014-09: Cross-origin information disclosure with error message of Web Workers (CVE-2014-1487) * MFSA 2014-10: settings & history ID bug (CVE-2014-1489) * MFSA 2014-11: Firefox reproducibly crashes when using asm.js code in workers and transferable objects (CVE-2014-1488) * MFSA 2014-12: TOCTOU, potential use-after-free in libssl's session ticket processing (CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH value (CVE-2014-1491)(bnc#862289) * MFSA 2014-13: Inconsistent this value when invoking getters on window (CVE-2014-1481)(bnc#862309) Security Issue references: * CVE-2014-1477 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477

* CVE-2014-1479 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479

* CVE-2014-1480 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480

* CVE-2014-1481 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481

* CVE-2014-1482 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482

* CVE-2014-1483 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483

* CVE-2014-1484 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484

* CVE-2014-1485 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485

* CVE-2014-1486 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486

* CVE-2014-1487 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487

* CVE-2014-1488 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488

* CVE-2014-1489 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489

* CVE-2014-1490 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490

* CVE-2014-1491 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1491

Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-firefox-201402-8879 - SUSE Linux Enterprise Server 11 SP3 for VMware: zypper in -t patch slessp3-firefox-201402-8879 - SUSE Linux Enterprise Server 11 SP3: zypper in -t patch slessp3-firefox-201402-8879 - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-firefox-201402-8879 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.15.4]: MozillaFirefox-devel-24.3.0esr-0.8.1 mozilla-nss-devel-3.15.4-0.7.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]: MozillaFirefox-24.3.0esr-0.8.1 MozillaFirefox-translations-24.3.0esr-0.8.1 libfreebl3-3.15.4-0.7.1 libsoftokn3-3.15.4-0.7.1 mozilla-nss-3.15.4-0.7.1 mozilla-nss-tools-3.15.4-0.7.1 - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.15.4]: libfreebl3-32bit-3.15.4-0.7.1 libsoftokn3-32bit-3.15.4-0.7.1 mozilla-nss-32bit-3.15.4-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.3.0esr and 3.15.4]: MozillaFirefox-24.3.0esr-0.8.1 MozillaFirefox-branding-SLED-24-0.7.14 MozillaFirefox-translations-24.3.0esr-0.8.1 libfreebl3-3.15.4-0.7.1 libsoftokn3-3.15.4-0.7.1 mozilla-nss-3.15.4-0.7.1 mozilla-nss-tools-3.15.4-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.15.4]: libfreebl3-32bit-3.15.4-0.7.1 libsoftokn3-32bit-3.15.4-0.7.1 mozilla-nss-32bit-3.15.4-0.7.1 - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.15.4]: libfreebl3-x86-3.15.4-0.7.1 libsoftokn3-x86-3.15.4-0.7.1 mozilla-nss-x86-3.15.4-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]: MozillaFirefox-24.3.0esr-0.8.1 MozillaFirefox-branding-SLED-24-0.7.14 MozillaFirefox-translations-24.3.0esr-0.8.1 libfreebl3-3.15.4-0.7.1 libsoftokn3-3.15.4-0.7.1 mozilla-nss-3.15.4-0.7.1 mozilla-nss-tools-3.15.4-0.7.1 - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.15.4]: libfreebl3-32bit-3.15.4-0.7.1 libsoftokn3-32bit-3.15.4-0.7.1 mozilla-nss-32bit-3.15.4-0.7.1 References: http://support.novell.com/security/cve/CVE-2014-1477.html http://support.novell.com/security/cve/CVE-2014-1479.html http://support.novell.com/security/cve/CVE-2014-1480.html http://support.novell.com/security/cve/CVE-2014-1481.html http://support.novell.com/security/cve/CVE-2014-1482.html http://support.novell.com/security/cve/CVE-2014-1483.html http://support.novell.com/security/cve/CVE-2014-1484.html http://support.novell.com/security/cve/CVE-2014-1485.html http://support.novell.com/security/cve/CVE-2014-1486.html http://support.novell.com/security/cve/CVE-2014-1487.html http://support.novell.com/security/cve/CVE-2014-1488.html http://support.novell.com/security/cve/CVE-2014-1489.html http://support.novell.com/security/cve/CVE-2014-1490.html http://support.novell.com/security/cve/CVE-2014-1491.html https://bugzilla.novell.com/859055 https://bugzilla.novell.com/861847 http://download.novell.com/patch/finder/?keywords=b12f5cfd95ec4eca119a488f5f... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org