   openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0404-1
Rating:             important
References:         #910647 #917597
Cross-References:   CVE-2014-1569 CVE-2015-0819 CVE-2015-0820
                    CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
                    CVE-2015-0824 CVE-2015-0825 CVE-2015-0826
                    CVE-2015-0827 CVE-2015-0828 CVE-2015-0829
                    CVE-2015-0830 CVE-2015-0831 CVE-2015-0832
                    CVE-2015-0834 CVE-2015-0835 CVE-2015-0836
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   MozillaFirefox, mozilla-nss were updated to fix 18 security issues.

   MozillaFirefox was updated to version 36.0. These security issues were
   fixed:

   - CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards
   - CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS
     protections
   - CVE-2015-0830: Malicious WebGL content crash when writing strings
   - CVE-2015-0834: TLS TURN and STUN connections silently fail to simple
     TCP connections
   - CVE-2015-0831: Use-after-free in IndexedDB
   - CVE-2015-0829: Buffer overflow in libstagefright during MP4 video
     playback
   - CVE-2015-0828: Double-free when using non-default memory allocators
     with a zero-length XHR
   - CVE-2015-0827: Out-of-bounds read and write while rendering SVG content
   - CVE-2015-0826: Buffer overflow during CSS restyling
   - CVE-2015-0825: Buffer underflow during MP3 playback
   - CVE-2015-0824: Crash using DrawTarget in Cairo graphics library
   - CVE-2015-0823: Use-after-free in Developer Console date with OpenType
     Sanitiser
   - CVE-2015-0822: Reading of local files through manipulation of form
     autocomplete
   - CVE-2015-0821: Local files or privileged URLs in pages can be opened
     into new tabs
   - CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof
     foreground tabs
   - CVE-2015-0820: Caja Compiler JavaScript sandbox bypass

   mozilla-nss was updated to version 3.17.4 to fix the following issues:

   - CVE-2014-1569: QuickDER decoder length issue (bnc#910647).
   - bmo#1084986: If an SSL/TLS connection fails, because client and server
     don't have any common protocol version enabled, NSS has been changed
     to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of
     reporting SSL_ERROR_NO_CYPHER_OVERLAP).
   - bmo#1112461: libpkix was fixed to prefer the newest certificate, if
     multiple certificates match.
   - bmo#1094492: fixed a memory corruption issue during failure of keypair
     generation.
   - bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode.
   - bmo#1119983: fixed interoperability of NSS server code with a LibreSSL
     client.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-185=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-185=1

   To bring your system up-to-date, use "zypper patch".

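To confirm the patch took effect, the installed package versions can be compared with the fixed versions this advisory lists for openSUSE 13.2. The script below is an added example and not part of the announcement: the function names are hypothetical, the sample input is constructed, and GNU `sort -V` stands in as an approximation of RPM's own version comparison.

```shell
#!/bin/sh
# Fixed versions for openSUSE 13.2, copied from the advisory's package list.
FIXED_13_2='MozillaFirefox 36.0-14.2
mozilla-nss 3.17.4-9.1
mozilla-nss-certs 3.17.4-9.1
libfreebl3 3.17.4-9.1
libsoftokn3 3.17.4-9.1'

# version_ge A B: succeed when version A is at least version B.
# Assumption: GNU `sort -V` ordering is close enough to RPM's comparison
# for the purely numeric version-release strings used here.
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_packages INSTALLED: INSTALLED holds "name version-release" lines.
# Prints one status line for every package named in FIXED_13_2.
audit_packages() {
    installed=$1
    printf '%s\n' "$FIXED_13_2" | while read -r name fixed; do
        # Exact name match, so mozilla-nss does not match mozilla-nss-certs.
        have=$(printf '%s\n' "$installed" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIP $name not installed"
        elif version_ge "$have" "$fixed"; then
            echo "OK $name $have"
        else
            echo "VULNERABLE $name $have < $fixed"
        fi
    done
}

# Constructed sample in the format produced by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_INSTALLED='MozillaFirefox 35.0.1-10.1
mozilla-nss 3.17.4-9.1
libfreebl3 3.17.3-5.2
zypper 1.11.14-1.1'

audit_packages "$SAMPLE_INSTALLED"
```

On a real host, pass the output of the `rpm -qa` query shown in the comment instead of the sample, and substitute the 13.1 release numbers from the package list when auditing openSUSE 13.1.
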
Package List:

   - openSUSE 13.2 (i586 x86_64):

      MozillaFirefox-36.0-14.2
      MozillaFirefox-branding-upstream-36.0-14.2
      MozillaFirefox-buildsymbols-36.0-14.2
      MozillaFirefox-debuginfo-36.0-14.2
      MozillaFirefox-debugsource-36.0-14.2
      MozillaFirefox-devel-36.0-14.2
      MozillaFirefox-translations-common-36.0-14.2
      MozillaFirefox-translations-other-36.0-14.2
      libfreebl3-3.17.4-9.1
      libfreebl3-debuginfo-3.17.4-9.1
      libsoftokn3-3.17.4-9.1
      libsoftokn3-debuginfo-3.17.4-9.1
      mozilla-nss-3.17.4-9.1
      mozilla-nss-certs-3.17.4-9.1
      mozilla-nss-certs-debuginfo-3.17.4-9.1
      mozilla-nss-debuginfo-3.17.4-9.1
      mozilla-nss-debugsource-3.17.4-9.1
      mozilla-nss-devel-3.17.4-9.1
      mozilla-nss-sysinit-3.17.4-9.1
      mozilla-nss-sysinit-debuginfo-3.17.4-9.1
      mozilla-nss-tools-3.17.4-9.1
      mozilla-nss-tools-debuginfo-3.17.4-9.1

   - openSUSE 13.2 (x86_64):

      libfreebl3-32bit-3.17.4-9.1
      libfreebl3-debuginfo-32bit-3.17.4-9.1
      libsoftokn3-32bit-3.17.4-9.1
      libsoftokn3-debuginfo-32bit-3.17.4-9.1
      mozilla-nss-32bit-3.17.4-9.1
      mozilla-nss-certs-32bit-3.17.4-9.1
      mozilla-nss-certs-debuginfo-32bit-3.17.4-9.1
      mozilla-nss-debuginfo-32bit-3.17.4-9.1
      mozilla-nss-sysinit-32bit-3.17.4-9.1
      mozilla-nss-sysinit-debuginfo-32bit-3.17.4-9.1

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-36.0-59.2
      MozillaFirefox-branding-upstream-36.0-59.2
      MozillaFirefox-buildsymbols-36.0-59.2
      MozillaFirefox-debuginfo-36.0-59.2
      MozillaFirefox-debugsource-36.0-59.2
      MozillaFirefox-devel-36.0-59.2
      MozillaFirefox-translations-common-36.0-59.2
      MozillaFirefox-translations-other-36.0-59.2
      libfreebl3-3.17.4-52.1
      libfreebl3-debuginfo-3.17.4-52.1
      libsoftokn3-3.17.4-52.1
      libsoftokn3-debuginfo-3.17.4-52.1
      mozilla-nss-3.17.4-52.1
      mozilla-nss-certs-3.17.4-52.1
      mozilla-nss-certs-debuginfo-3.17.4-52.1
      mozilla-nss-debuginfo-3.17.4-52.1
      mozilla-nss-debugsource-3.17.4-52.1
      mozilla-nss-devel-3.17.4-52.1
      mozilla-nss-sysinit-3.17.4-52.1
      mozilla-nss-sysinit-debuginfo-3.17.4-52.1
      mozilla-nss-tools-3.17.4-52.1
      mozilla-nss-tools-debuginfo-3.17.4-52.1

   - openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.17.4-52.1
      libfreebl3-debuginfo-32bit-3.17.4-52.1
      libsoftokn3-32bit-3.17.4-52.1
      libsoftokn3-debuginfo-32bit-3.17.4-52.1
      mozilla-nss-32bit-3.17.4-52.1
      mozilla-nss-certs-32bit-3.17.4-52.1
      mozilla-nss-certs-debuginfo-32bit-3.17.4-52.1
      mozilla-nss-debuginfo-32bit-3.17.4-52.1
      mozilla-nss-sysinit-32bit-3.17.4-52.1
      mozilla-nss-sysinit-debuginfo-32bit-3.17.4-52.1

References:

   http://support.novell.com/security/cve/CVE-2014-1569.html
   http://support.novell.com/security/cve/CVE-2015-0819.html
   http://support.novell.com/security/cve/CVE-2015-0820.html
   http://support.novell.com/security/cve/CVE-2015-0821.html
   http://support.novell.com/security/cve/CVE-2015-0822.html
   http://support.novell.com/security/cve/CVE-2015-0823.html
   http://support.novell.com/security/cve/CVE-2015-0824.html
   http://support.novell.com/security/cve/CVE-2015-0825.html
   http://support.novell.com/security/cve/CVE-2015-0826.html
   http://support.novell.com/security/cve/CVE-2015-0827.html
   http://support.novell.com/security/cve/CVE-2015-0828.html
   http://support.novell.com/security/cve/CVE-2015-0829.html
   http://support.novell.com/security/cve/CVE-2015-0830.html
   http://support.novell.com/security/cve/CVE-2015-0831.html
   http://support.novell.com/security/cve/CVE-2015-0832.html
   http://support.novell.com/security/cve/CVE-2015-0834.html
   http://support.novell.com/security/cve/CVE-2015-0835.html
   http://support.novell.com/security/cve/CVE-2015-0836.html
   https://bugzilla.suse.com/910647
   https://bugzilla.suse.com/917597