   SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2081-1
Rating:             important
References:         #908275 #940806 #943557 #943558 #943608 #947003 #952810
Cross-References:   CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4478
                    CVE-2015-4479 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486
                    CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491
                    CVE-2015-4492 CVE-2015-4497 CVE-2015-4498 CVE-2015-4500
                    CVE-2015-4501 CVE-2015-4506 CVE-2015-4509 CVE-2015-4511
                    CVE-2015-4513 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520
                    CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175
                    CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 CVE-2015-7181
                    CVE-2015-7182 CVE-2015-7183 CVE-2015-7188 CVE-2015-7189
                    CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197
                    CVE-2015-7198 CVE-2015-7199 CVE-2015-7200
Affected Products:
                    SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

   An update that fixes 43 vulnerabilities is now available.
   It includes three new package versions.

Description:

   MozillaFirefox ESR was updated to version 38.4.0ESR to fix multiple
   security issues.

   * MFSA 2015-116/CVE-2015-4513 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
   * MFSA 2015-122/CVE-2015-7188 Trailing whitespace in IP address hostnames can bypass same-origin policy
   * MFSA 2015-123/CVE-2015-7189 Buffer overflow during image interactions in canvas
   * MFSA 2015-127/CVE-2015-7193 CORS preflight is bypassed when non-standard Content-Type headers are received
   * MFSA 2015-128/CVE-2015-7194 Memory corruption in libjar through zip files
   * MFSA 2015-130/CVE-2015-7196 JavaScript garbage collection crash with Java applet
   * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 Vulnerabilities found through code inspection
   * MFSA 2015-132/CVE-2015-7197 Mixed content WebSocket policy bypass through workers
   * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 NSS and NSPR memory corruption issues

   It also includes fixes from 38.3.0ESR:

   * MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
   * MFSA 2015-101/CVE-2015-4506 Buffer overflow in libvpx while parsing vp9 format video
   * MFSA 2015-105/CVE-2015-4511 Buffer overflow while decoding WebM video
   * MFSA 2015-106/CVE-2015-4509 Use-after-free while manipulating HTML media content
   * MFSA 2015-110/CVE-2015-4519 Dragging and dropping images exposes final URL after redirects
   * MFSA 2015-111/CVE-2015-4520 Errors in the handling of CORS preflight request headers
   * MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
     CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
     CVE-2015-7180 Vulnerabilities found through code inspection

   It also includes fixes from the Firefox 38.2.1ESR release:

   * MFSA 2015-94/CVE-2015-4497 (bsc#943557) Use-after-free when resizing canvas element during restyling
   * MFSA 2015-95/CVE-2015-4498 (bsc#943558) Add-on notification bypass through data URLs

   It also includes fixes from the Firefox 38.2.0ESR release:

   * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
   * MFSA 2015-80/CVE-2015-4475 Out-of-bounds read with malformed MP3 file
   * MFSA 2015-82/CVE-2015-4478 Redefinition of non-configurable JavaScript object properties
   * MFSA 2015-83/CVE-2015-4479 Overflow issues in libstagefright
   * MFSA 2015-87/CVE-2015-4484 Crash when using shared memory in JavaScript
   * MFSA 2015-88/CVE-2015-4491 Heap overflow in gdk-pixbuf when scaling bitmap images
   * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 Buffer overflows on Libvpx when decoding WebM video
   * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection
   * MFSA 2015-92/CVE-2015-4492 Use-after-free in XMLHttpRequest with shared workers

Security Issues:

   * CVE-2015-4473 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473>
   * CVE-2015-4474 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4474>
   * CVE-2015-4475 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475>
   * CVE-2015-4478 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478>
   * CVE-2015-4479 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479>
   * CVE-2015-4484 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484>
   * CVE-2015-4485 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485>
   * CVE-2015-4486 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486>
   * CVE-2015-4487 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487>
   * CVE-2015-4488 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488>
   * CVE-2015-4489 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489>
   * CVE-2015-4491 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491>
   * CVE-2015-4492 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492>
   * CVE-2015-4497 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4497>
   * CVE-2015-4498 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4498>
   * CVE-2015-4500 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500>
   * CVE-2015-4501 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4501>
   * CVE-2015-4506 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506>
   * CVE-2015-4509 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509>
   * CVE-2015-4511 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4511>
   * CVE-2015-4513 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4513>
   * CVE-2015-4517 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517>
   * CVE-2015-4519 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519>
   * CVE-2015-4520 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520>
   * CVE-2015-4521 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521>
   * CVE-2015-4522 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522>
   * CVE-2015-7174 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174>
   * CVE-2015-7175 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175>
   * CVE-2015-7176 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176>
   * CVE-2015-7177 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177>
   * CVE-2015-7180 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7180>
   * CVE-2015-7181 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181>
   * CVE-2015-7182 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182>
   * CVE-2015-7183 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183>
   * CVE-2015-7188 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7188>
   * CVE-2015-7189 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7189>
   * CVE-2015-7193 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7193>
   * CVE-2015-7194 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7194>
   * CVE-2015-7196 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7196>
   * CVE-2015-7197 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7197>
   * CVE-2015-7198 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7198>
   * CVE-2015-7199 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7199>
   * CVE-2015-7200 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7200>

Package List:

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.19.2.1 and 4.10.10]:

      mozilla-nspr-4.10.10-0.5.1
      mozilla-nspr-devel-4.10.10-0.5.1
      mozilla-nss-3.19.2.1-0.5.1
      mozilla-nss-devel-3.19.2.1-0.5.1
      mozilla-nss-tools-3.19.2.1-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.19.2.1 and 4.10.10]:

      mozilla-nspr-32bit-4.10.10-0.5.1
      mozilla-nss-32bit-3.19.2.1-0.5.1

   - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x) [New Version: 38]:

      MozillaFirefox-38.4.0esr-0.7.1
      MozillaFirefox-branding-SLED-38-0.5.3
      MozillaFirefox-translations-38.4.0esr-0.7.1

References:

   https://www.suse.com/security/cve/CVE-2015-4473.html
   https://www.suse.com/security/cve/CVE-2015-4474.html
   https://www.suse.com/security/cve/CVE-2015-4475.html
   https://www.suse.com/security/cve/CVE-2015-4478.html
   https://www.suse.com/security/cve/CVE-2015-4479.html
   https://www.suse.com/security/cve/CVE-2015-4484.html
   https://www.suse.com/security/cve/CVE-2015-4485.html
   https://www.suse.com/security/cve/CVE-2015-4486.html
   https://www.suse.com/security/cve/CVE-2015-4487.html
   https://www.suse.com/security/cve/CVE-2015-4488.html
   https://www.suse.com/security/cve/CVE-2015-4489.html
   https://www.suse.com/security/cve/CVE-2015-4491.html
   https://www.suse.com/security/cve/CVE-2015-4492.html
   https://www.suse.com/security/cve/CVE-2015-4497.html
   https://www.suse.com/security/cve/CVE-2015-4498.html
   https://www.suse.com/security/cve/CVE-2015-4500.html
   https://www.suse.com/security/cve/CVE-2015-4501.html
   https://www.suse.com/security/cve/CVE-2015-4506.html
   https://www.suse.com/security/cve/CVE-2015-4509.html
   https://www.suse.com/security/cve/CVE-2015-4511.html
   https://www.suse.com/security/cve/CVE-2015-4513.html
   https://www.suse.com/security/cve/CVE-2015-4517.html
   https://www.suse.com/security/cve/CVE-2015-4519.html
   https://www.suse.com/security/cve/CVE-2015-4520.html
   https://www.suse.com/security/cve/CVE-2015-4521.html
   https://www.suse.com/security/cve/CVE-2015-4522.html
   https://www.suse.com/security/cve/CVE-2015-7174.html
   https://www.suse.com/security/cve/CVE-2015-7175.html
   https://www.suse.com/security/cve/CVE-2015-7176.html
   https://www.suse.com/security/cve/CVE-2015-7177.html
   https://www.suse.com/security/cve/CVE-2015-7180.html
   https://www.suse.com/security/cve/CVE-2015-7181.html
   https://www.suse.com/security/cve/CVE-2015-7182.html
   https://www.suse.com/security/cve/CVE-2015-7183.html
   https://www.suse.com/security/cve/CVE-2015-7188.html
   https://www.suse.com/security/cve/CVE-2015-7189.html
   https://www.suse.com/security/cve/CVE-2015-7193.html
   https://www.suse.com/security/cve/CVE-2015-7194.html
   https://www.suse.com/security/cve/CVE-2015-7196.html
   https://www.suse.com/security/cve/CVE-2015-7197.html
   https://www.suse.com/security/cve/CVE-2015-7198.html
   https://www.suse.com/security/cve/CVE-2015-7199.html
   https://www.suse.com/security/cve/CVE-2015-7200.html
   https://bugzilla.suse.com/908275
   https://bugzilla.suse.com/940806
   https://bugzilla.suse.com/943557
   https://bugzilla.suse.com/943558
   https://bugzilla.suse.com/943608
   https://bugzilla.suse.com/947003
   https://bugzilla.suse.com/952810
   https://download.suse.com/patch/finder/?keywords=bb006e2ed6738badb2b7f4f52e5...