Mailinglist Archive: opensuse-security-announce (37 mails)

[security-announce] openSUSE-SU-2015:0404-1: important: Security update for MozillaFirefox, mozilla-nss
openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:0404-1
Rating: important
References: #910647 #917597
Cross-References: CVE-2014-1569 CVE-2015-0819 CVE-2015-0820
                  CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
                  CVE-2015-0824 CVE-2015-0825 CVE-2015-0826
                  CVE-2015-0827 CVE-2015-0828 CVE-2015-0829
                  CVE-2015-0830 CVE-2015-0831 CVE-2015-0832
                  CVE-2015-0834 CVE-2015-0835 CVE-2015-0836

Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available.

Description:

MozillaFirefox and mozilla-nss were updated to fix 18 security issues.

MozillaFirefox was updated to version 36.0. These security issues were
fixed:
- CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards
- CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS
  protections
- CVE-2015-0830: Malicious WebGL content crash when writing strings
- CVE-2015-0834: TLS TURN and STUN connections silently fail to simple TCP
  connections
- CVE-2015-0831: Use-after-free in IndexedDB
- CVE-2015-0829: Buffer overflow in libstagefright during MP4 video
  playback
- CVE-2015-0828: Double-free when using non-default memory allocators with
  a zero-length XHR
- CVE-2015-0827: Out-of-bounds read and write while rendering SVG content
- CVE-2015-0826: Buffer overflow during CSS restyling
- CVE-2015-0825: Buffer underflow during MP3 playback
- CVE-2015-0824: Crash using DrawTarget in Cairo graphics library
- CVE-2015-0823: Use-after-free in Developer Console date with OpenType
  Sanitiser
- CVE-2015-0822: Reading of local files through manipulation of form
  autocomplete
- CVE-2015-0821: Local files or privileged URLs in pages can be opened
  into new tabs
- CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof
  foreground tabs
- CVE-2015-0820: Caja Compiler JavaScript sandbox bypass

mozilla-nss was updated to version 3.17.4 to fix the following issues:
- CVE-2014-1569: QuickDER decoder length issue (bnc#910647).
- bmo#1084986: If an SSL/TLS connection fails because client and server
  have no common protocol version enabled, NSS now reports error code
  SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
  SSL_ERROR_NO_CYPHER_OVERLAP).
- bmo#1112461: libpkix was fixed to prefer the newest certificate if
  multiple certificates match.
- bmo#1094492: Fixed a memory corruption issue during failure of keypair
  generation.
- bmo#1113632: Fixed a failure to reload a PKCS#11 module in FIPS mode.
- bmo#1119983: Fixed interoperability of NSS server code with a LibreSSL
  client.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

    zypper in -t patch openSUSE-2015-185=1

- openSUSE 13.1:

    zypper in -t patch openSUSE-2015-185=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (i586 x86_64):

MozillaFirefox-36.0-14.2
MozillaFirefox-branding-upstream-36.0-14.2
MozillaFirefox-buildsymbols-36.0-14.2
MozillaFirefox-debuginfo-36.0-14.2
MozillaFirefox-debugsource-36.0-14.2
MozillaFirefox-devel-36.0-14.2
MozillaFirefox-translations-common-36.0-14.2
MozillaFirefox-translations-other-36.0-14.2
libfreebl3-3.17.4-9.1
libfreebl3-debuginfo-3.17.4-9.1
libsoftokn3-3.17.4-9.1
libsoftokn3-debuginfo-3.17.4-9.1
mozilla-nss-3.17.4-9.1
mozilla-nss-certs-3.17.4-9.1
mozilla-nss-certs-debuginfo-3.17.4-9.1
mozilla-nss-debuginfo-3.17.4-9.1
mozilla-nss-debugsource-3.17.4-9.1
mozilla-nss-devel-3.17.4-9.1
mozilla-nss-sysinit-3.17.4-9.1
mozilla-nss-sysinit-debuginfo-3.17.4-9.1
mozilla-nss-tools-3.17.4-9.1
mozilla-nss-tools-debuginfo-3.17.4-9.1

- openSUSE 13.2 (x86_64):

libfreebl3-32bit-3.17.4-9.1
libfreebl3-debuginfo-32bit-3.17.4-9.1
libsoftokn3-32bit-3.17.4-9.1
libsoftokn3-debuginfo-32bit-3.17.4-9.1
mozilla-nss-32bit-3.17.4-9.1
mozilla-nss-certs-32bit-3.17.4-9.1
mozilla-nss-certs-debuginfo-32bit-3.17.4-9.1
mozilla-nss-debuginfo-32bit-3.17.4-9.1
mozilla-nss-sysinit-32bit-3.17.4-9.1
mozilla-nss-sysinit-debuginfo-32bit-3.17.4-9.1

- openSUSE 13.1 (i586 x86_64):

MozillaFirefox-36.0-59.2
MozillaFirefox-branding-upstream-36.0-59.2
MozillaFirefox-buildsymbols-36.0-59.2
MozillaFirefox-debuginfo-36.0-59.2
MozillaFirefox-debugsource-36.0-59.2
MozillaFirefox-devel-36.0-59.2
MozillaFirefox-translations-common-36.0-59.2
MozillaFirefox-translations-other-36.0-59.2
libfreebl3-3.17.4-52.1
libfreebl3-debuginfo-3.17.4-52.1
libsoftokn3-3.17.4-52.1
libsoftokn3-debuginfo-3.17.4-52.1
mozilla-nss-3.17.4-52.1
mozilla-nss-certs-3.17.4-52.1
mozilla-nss-certs-debuginfo-3.17.4-52.1
mozilla-nss-debuginfo-3.17.4-52.1
mozilla-nss-debugsource-3.17.4-52.1
mozilla-nss-devel-3.17.4-52.1
mozilla-nss-sysinit-3.17.4-52.1
mozilla-nss-sysinit-debuginfo-3.17.4-52.1
mozilla-nss-tools-3.17.4-52.1
mozilla-nss-tools-debuginfo-3.17.4-52.1

- openSUSE 13.1 (x86_64):

libfreebl3-32bit-3.17.4-52.1
libfreebl3-debuginfo-32bit-3.17.4-52.1
libsoftokn3-32bit-3.17.4-52.1
libsoftokn3-debuginfo-32bit-3.17.4-52.1
mozilla-nss-32bit-3.17.4-52.1
mozilla-nss-certs-32bit-3.17.4-52.1
mozilla-nss-certs-debuginfo-32bit-3.17.4-52.1
mozilla-nss-debuginfo-32bit-3.17.4-52.1
mozilla-nss-sysinit-32bit-3.17.4-52.1
mozilla-nss-sysinit-debuginfo-32bit-3.17.4-52.1


References:

http://support.novell.com/security/cve/CVE-2014-1569.html
http://support.novell.com/security/cve/CVE-2015-0819.html
http://support.novell.com/security/cve/CVE-2015-0820.html
http://support.novell.com/security/cve/CVE-2015-0821.html
http://support.novell.com/security/cve/CVE-2015-0822.html
http://support.novell.com/security/cve/CVE-2015-0823.html
http://support.novell.com/security/cve/CVE-2015-0824.html
http://support.novell.com/security/cve/CVE-2015-0825.html
http://support.novell.com/security/cve/CVE-2015-0826.html
http://support.novell.com/security/cve/CVE-2015-0827.html
http://support.novell.com/security/cve/CVE-2015-0828.html
http://support.novell.com/security/cve/CVE-2015-0829.html
http://support.novell.com/security/cve/CVE-2015-0830.html
http://support.novell.com/security/cve/CVE-2015-0831.html
http://support.novell.com/security/cve/CVE-2015-0832.html
http://support.novell.com/security/cve/CVE-2015-0834.html
http://support.novell.com/security/cve/CVE-2015-0835.html
http://support.novell.com/security/cve/CVE-2015-0836.html
https://bugzilla.suse.com/910647
https://bugzilla.suse.com/917597
