[security-announce] openSUSE-SU-2017:1620-1: important: Security update for Mozilla based packages

openSUSE Security Update: Security update for Mozilla based packages ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:1620-1 Rating: important References: #1040105 #1043960 Cross-References: CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7755 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7760 CVE-2017-7761 CVE-2017-7764 CVE-2017-7765 CVE-2017-7766 CVE-2017-7767 CVE-2017-7768 CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778 Affected Products: openSUSE Leap 42.2 ______________________________________________________________________________ An update that fixes 26 vulnerabilities is now available. Description: This update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues: Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16: * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only) * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB * CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only) * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only) * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only) * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only) * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only) * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only) * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2 - remove -fno-inline-small-functions and explicitely optimize with -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) Mozilla NSS was updated to NSS 3.28.5 * Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1. (bmo#1350859) * March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA certificates removed: O = Japanese Government, OU = ApplicationCA CN = WellsSecure Public Root Certificate Authority CN = TURKTRUST Elektronik Sertifika Hizmet H6 CN = Microsec e-Szigno Root CA certificates added: CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime dependency. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-712=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.2 (i586 x86_64): MozillaFirefox-52.2-57.12.2 MozillaFirefox-branding-upstream-52.2-57.12.2 MozillaFirefox-buildsymbols-52.2-57.12.2 MozillaFirefox-debuginfo-52.2-57.12.2 MozillaFirefox-debugsource-52.2-57.12.2 MozillaFirefox-devel-52.2-57.12.2 MozillaFirefox-translations-common-52.2-57.12.2 MozillaFirefox-translations-other-52.2-57.12.2 MozillaThunderbird-52.2-41.9.2 MozillaThunderbird-buildsymbols-52.2-41.9.2 MozillaThunderbird-debuginfo-52.2-41.9.2 MozillaThunderbird-debugsource-52.2-41.9.2 MozillaThunderbird-devel-52.2-41.9.2 MozillaThunderbird-translations-common-52.2-41.9.2 MozillaThunderbird-translations-other-52.2-41.9.2 java-1_8_0-openjdk-1.8.0.131-10.10.3 java-1_8_0-openjdk-accessibility-1.8.0.131-10.10.3 java-1_8_0-openjdk-debuginfo-1.8.0.131-10.10.3 java-1_8_0-openjdk-debugsource-1.8.0.131-10.10.3 java-1_8_0-openjdk-demo-1.8.0.131-10.10.3 java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-10.10.3 java-1_8_0-openjdk-devel-1.8.0.131-10.10.3 java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-10.10.3 java-1_8_0-openjdk-headless-1.8.0.131-10.10.3 java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-10.10.3 java-1_8_0-openjdk-src-1.8.0.131-10.10.3 libfreebl3-3.28.5-40.6.1 libfreebl3-debuginfo-3.28.5-40.6.1 libsoftokn3-3.28.5-40.6.1 libsoftokn3-debuginfo-3.28.5-40.6.1 mozilla-nss-3.28.5-40.6.1 mozilla-nss-certs-3.28.5-40.6.1 mozilla-nss-certs-debuginfo-3.28.5-40.6.1 mozilla-nss-debuginfo-3.28.5-40.6.1 mozilla-nss-debugsource-3.28.5-40.6.1 mozilla-nss-devel-3.28.5-40.6.1 mozilla-nss-sysinit-3.28.5-40.6.1 mozilla-nss-sysinit-debuginfo-3.28.5-40.6.1 mozilla-nss-tools-3.28.5-40.6.1 mozilla-nss-tools-debuginfo-3.28.5-40.6.1 - openSUSE Leap 42.2 (noarch): java-1_8_0-openjdk-javadoc-1.8.0.131-10.10.3 - openSUSE Leap 42.2 (x86_64): libfreebl3-32bit-3.28.5-40.6.1 libfreebl3-debuginfo-32bit-3.28.5-40.6.1 libsoftokn3-32bit-3.28.5-40.6.1 libsoftokn3-debuginfo-32bit-3.28.5-40.6.1 mozilla-nss-32bit-3.28.5-40.6.1 mozilla-nss-certs-32bit-3.28.5-40.6.1 mozilla-nss-certs-debuginfo-32bit-3.28.5-40.6.1 mozilla-nss-debuginfo-32bit-3.28.5-40.6.1 mozilla-nss-sysinit-32bit-3.28.5-40.6.1 mozilla-nss-sysinit-debuginfo-32bit-3.28.5-40.6.1 References: https://www.suse.com/security/cve/CVE-2017-5470.html https://www.suse.com/security/cve/CVE-2017-5472.html https://www.suse.com/security/cve/CVE-2017-7749.html https://www.suse.com/security/cve/CVE-2017-7750.html https://www.suse.com/security/cve/CVE-2017-7751.html https://www.suse.com/security/cve/CVE-2017-7752.html https://www.suse.com/security/cve/CVE-2017-7754.html https://www.suse.com/security/cve/CVE-2017-7755.html https://www.suse.com/security/cve/CVE-2017-7756.html https://www.suse.com/security/cve/CVE-2017-7757.html https://www.suse.com/security/cve/CVE-2017-7758.html https://www.suse.com/security/cve/CVE-2017-7760.html https://www.suse.com/security/cve/CVE-2017-7761.html https://www.suse.com/security/cve/CVE-2017-7764.html https://www.suse.com/security/cve/CVE-2017-7765.html https://www.suse.com/security/cve/CVE-2017-7766.html https://www.suse.com/security/cve/CVE-2017-7767.html https://www.suse.com/security/cve/CVE-2017-7768.html https://www.suse.com/security/cve/CVE-2017-7771.html https://www.suse.com/security/cve/CVE-2017-7772.html https://www.suse.com/security/cve/CVE-2017-7773.html https://www.suse.com/security/cve/CVE-2017-7774.html https://www.suse.com/security/cve/CVE-2017-7775.html https://www.suse.com/security/cve/CVE-2017-7776.html https://www.suse.com/security/cve/CVE-2017-7777.html https://www.suse.com/security/cve/CVE-2017-7778.html https://bugzilla.suse.com/1040105 https://bugzilla.suse.com/1043960 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org