openSUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:0358-1 Rating: important References: #1017174 #1021814 #1021817 #1021818 #1021819 #1021820 #1021821 #1021822 #1021823 #1021824 #1021826 #1021827 #1021828 #1021830 #1021831 #1021832 #1021833 #1021835 #1021837 #1021839 #1021840 #1021841 Cross-References: CVE-2017-5373 CVE-2017-5374 CVE-2017-5375 CVE-2017-5376 CVE-2017-5377 CVE-2017-5378 CVE-2017-5379 CVE-2017-5380 CVE-2017-5381 CVE-2017-5382 CVE-2017-5383 CVE-2017-5384 CVE-2017-5385 CVE-2017-5386 CVE-2017-5387 CVE-2017-5388 CVE-2017-5389 CVE-2017-5390 CVE-2017-5391 CVE-2017-5392 CVE-2017-5393 CVE-2017-5394 CVE-2017-5395 CVE-2017-5396 Affected Products: openSUSE Leap 42.2 openSUSE Leap 42.1 ______________________________________________________________________________ An update that fixes 24 vulnerabilities is now available. Description: This update for MozillaFirefox to version 51.0.1 fixes security issues and bugs. These security issues were fixed: * CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814) * CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826) * CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818) * CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827) * CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819) * CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820) * CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828) * CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821) * CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830) * CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831) * CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822) * CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832) * CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833) * CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823) * CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835) * CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837) * CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839) * CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840) * CVE-2017-5374: Memory safety bugs (boo#1021841) * CVE-2017-5373: Memory safety bugs (boo#1021824) These non-security issues in MozillaFirefox were fixed: * Added support for FLAC (Free Lossless Audio Codec) playback * Added support for WebGL 2 * Added Georgian (ka) and Kabyle (kab) locales * Support saving passwords for forms without 'submit' events * Improved video performance for users without GPU acceleration * Zoom indicator is shown in the URL bar if the zoom level is not at default level * View passwords from the prompt before saving them * Remove Belarusian (be) locale * Use Skia for content rendering (Linux) * Improve recognition of LANGUAGE env variable (boo#1017174) * Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-187=1 - openSUSE Leap 42.1: zypper in -t patch openSUSE-2017-187=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (i586 x86_64): MozillaFirefox-51.0.1-50.2 MozillaFirefox-branding-upstream-51.0.1-50.2 MozillaFirefox-buildsymbols-51.0.1-50.2 MozillaFirefox-debuginfo-51.0.1-50.2 MozillaFirefox-debugsource-51.0.1-50.2 MozillaFirefox-devel-51.0.1-50.2 MozillaFirefox-translations-common-51.0.1-50.2 MozillaFirefox-translations-other-51.0.1-50.2 - openSUSE Leap 42.1 (x86_64): MozillaFirefox-51.0.1-50.2 MozillaFirefox-branding-upstream-51.0.1-50.2 MozillaFirefox-buildsymbols-51.0.1-50.2 MozillaFirefox-debuginfo-51.0.1-50.2 MozillaFirefox-debugsource-51.0.1-50.2 MozillaFirefox-devel-51.0.1-50.2 MozillaFirefox-translations-common-51.0.1-50.2 MozillaFirefox-translations-other-51.0.1-50.2 References: https://www.suse.com/security/cve/CVE-2017-5373.html https://www.suse.com/security/cve/CVE-2017-5374.html https://www.suse.com/security/cve/CVE-2017-5375.html https://www.suse.com/security/cve/CVE-2017-5376.html https://www.suse.com/security/cve/CVE-2017-5377.html https://www.suse.com/security/cve/CVE-2017-5378.html https://www.suse.com/security/cve/CVE-2017-5379.html https://www.suse.com/security/cve/CVE-2017-5380.html https://www.suse.com/security/cve/CVE-2017-5381.html https://www.suse.com/security/cve/CVE-2017-5382.html https://www.suse.com/security/cve/CVE-2017-5383.html https://www.suse.com/security/cve/CVE-2017-5384.html https://www.suse.com/security/cve/CVE-2017-5385.html https://www.suse.com/security/cve/CVE-2017-5386.html https://www.suse.com/security/cve/CVE-2017-5387.html https://www.suse.com/security/cve/CVE-2017-5388.html https://www.suse.com/security/cve/CVE-2017-5389.html https://www.suse.com/security/cve/CVE-2017-5390.html https://www.suse.com/security/cve/CVE-2017-5391.html https://www.suse.com/security/cve/CVE-2017-5392.html https://www.suse.com/security/cve/CVE-2017-5393.html https://www.suse.com/security/cve/CVE-2017-5394.html https://www.suse.com/security/cve/CVE-2017-5395.html https://www.suse.com/security/cve/CVE-2017-5396.html https://bugzilla.suse.com/1017174 https://bugzilla.suse.com/1021814 https://bugzilla.suse.com/1021817 https://bugzilla.suse.com/1021818 https://bugzilla.suse.com/1021819 https://bugzilla.suse.com/1021820 https://bugzilla.suse.com/1021821 https://bugzilla.suse.com/1021822 https://bugzilla.suse.com/1021823 https://bugzilla.suse.com/1021824 https://bugzilla.suse.com/1021826 https://bugzilla.suse.com/1021827 https://bugzilla.suse.com/1021828 https://bugzilla.suse.com/1021830 https://bugzilla.suse.com/1021831 https://bugzilla.suse.com/1021832 https://bugzilla.suse.com/1021833 https://bugzilla.suse.com/1021835 https://bugzilla.suse.com/1021837 https://bugzilla.suse.com/1021839 https://bugzilla.suse.com/1021840 https://bugzilla.suse.com/1021841 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org