Mailinglist Archive: opensuse-updates (64 mails)

openSUSE-SU-2014:1099-1: moderate: MozillaFirefox to Firefox 32
openSUSE Security Update: MozillaFirefox to Firefox 32
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1099-1
Rating: moderate
References: #894201 #894370
Cross-References: CVE-2014-1553 CVE-2014-1562 CVE-2014-1563
CVE-2014-1564 CVE-2014-1565 CVE-2014-1567

Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:


Mozilla Firefox was updated to Firefox 32 fixing security issues and bugs.

Security issues fixed:

MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht reported, via
TippingPoint's Zero Day Initiative, a use-after-free during text layout
when interacting with the setting of text direction. This use-after-free
can lead to arbitrary code execution.

MFSA 2014-70 / CVE-2014-1565: Security researcher Holger Fuhrmannek
discovered an out-of-bounds read during the creation of an audio timeline
in Web Audio. This results in a crash and could allow for the reading of
random memory values.

MFSA 2014-69 / CVE-2014-1564: Google security researcher Michal Zalewski
discovered that when a malformed GIF image is rendered in certain
circumstances, memory is not properly initialized before use. The
resulting image then uses this memory during rendering. This could allow
a script in web content to access this uninitialized memory using the
<canvas> feature.

MFSA 2014-68 / CVE-2014-1563: Security researcher Abhishek Arya (Inferno)
of the Google Chrome Security Team used the Address Sanitizer tool to
discover a use-after-free during cycle collection. It was found in
interactions with animating SVG content through the document object model
(DOM). This leads to a potentially exploitable crash.

MFSA 2014-67: Mozilla developers and community identified and fixed
several memory safety bugs in the browser engine used in Firefox and other
Mozilla-based products. Some of these bugs showed evidence of memory
corruption under certain circumstances, and we presume that with enough
effort at least some of these could be exploited to run arbitrary code.

Jan de Mooij reported a memory safety problem that affects Firefox ESR
24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

Christian Holler, Jan de Mooij, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman, and JW Wang reported memory safety problems and crashes
that affect Firefox ESR 31 and Firefox 31. (CVE-2014-1553)

Gary Kwong, Christian Holler, and David Weir reported memory safety
problems and crashes that affect Firefox 31. (CVE-2014-1554)


Mozilla NSS was updated to 3.16.4. Notable changes:
* The following 1024-bit root CA certificate was restored to allow more
time to develop a better transition strategy for affected sites. It was
removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
forum led to the decision to keep this root included longer in order to
give website administrators more time to update their web servers.
- CN = GTE CyberTrust Global Root
* In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
intermediate CA certificate has been included, without explicit trust.
The intention is to mitigate the effects of the previous removal of the
1024-bit Entrust.net root certificate, because many public Internet
sites still use the "USERTrust Legacy Secure Server CA" intermediate
certificate that is signed by the 1024-bit Entrust.net root certificate.
The inclusion of the intermediate certificate is a temporary measure to
allow those sites to function, by allowing them to find a trust path to
another 2048-bit root CA certificate. The temporarily included
intermediate certificate expires November 1, 2015.


Patch Instructions:

To install this openSUSE Security Update, use YaST online_update.
Alternatively, you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-530

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-530

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

MozillaFirefox-31.1.0-42.1
MozillaFirefox-branding-upstream-31.1.0-42.1
MozillaFirefox-buildsymbols-31.1.0-42.1
MozillaFirefox-debuginfo-31.1.0-42.1
MozillaFirefox-debugsource-31.1.0-42.1
MozillaFirefox-devel-31.1.0-42.1
MozillaFirefox-translations-common-31.1.0-42.1
MozillaFirefox-translations-other-31.1.0-42.1
libfreebl3-3.16.4-35.1
libfreebl3-debuginfo-3.16.4-35.1
libsoftokn3-3.16.4-35.1
libsoftokn3-debuginfo-3.16.4-35.1
mozilla-nss-3.16.4-35.1
mozilla-nss-certs-3.16.4-35.1
mozilla-nss-certs-debuginfo-3.16.4-35.1
mozilla-nss-debuginfo-3.16.4-35.1
mozilla-nss-debugsource-3.16.4-35.1
mozilla-nss-devel-3.16.4-35.1
mozilla-nss-sysinit-3.16.4-35.1
mozilla-nss-sysinit-debuginfo-3.16.4-35.1
mozilla-nss-tools-3.16.4-35.1
mozilla-nss-tools-debuginfo-3.16.4-35.1

- openSUSE 13.1 (x86_64):

libfreebl3-32bit-3.16.4-35.1
libfreebl3-debuginfo-32bit-3.16.4-35.1
libsoftokn3-32bit-3.16.4-35.1
libsoftokn3-debuginfo-32bit-3.16.4-35.1
mozilla-nss-32bit-3.16.4-35.1
mozilla-nss-certs-32bit-3.16.4-35.1
mozilla-nss-certs-debuginfo-32bit-3.16.4-35.1
mozilla-nss-debuginfo-32bit-3.16.4-35.1
mozilla-nss-sysinit-32bit-3.16.4-35.1
mozilla-nss-sysinit-debuginfo-32bit-3.16.4-35.1

- openSUSE 12.3 (i586 x86_64):

MozillaFirefox-31.1.0-1.86.1
MozillaFirefox-branding-upstream-31.1.0-1.86.1
MozillaFirefox-buildsymbols-31.1.0-1.86.1
MozillaFirefox-debuginfo-31.1.0-1.86.1
MozillaFirefox-debugsource-31.1.0-1.86.1
MozillaFirefox-devel-31.1.0-1.86.1
MozillaFirefox-translations-common-31.1.0-1.86.1
MozillaFirefox-translations-other-31.1.0-1.86.1
libfreebl3-3.16.4-1.51.1
libfreebl3-debuginfo-3.16.4-1.51.1
libsoftokn3-3.16.4-1.51.1
libsoftokn3-debuginfo-3.16.4-1.51.1
mozilla-nss-3.16.4-1.51.1
mozilla-nss-certs-3.16.4-1.51.1
mozilla-nss-certs-debuginfo-3.16.4-1.51.1
mozilla-nss-debuginfo-3.16.4-1.51.1
mozilla-nss-debugsource-3.16.4-1.51.1
mozilla-nss-devel-3.16.4-1.51.1
mozilla-nss-sysinit-3.16.4-1.51.1
mozilla-nss-sysinit-debuginfo-3.16.4-1.51.1
mozilla-nss-tools-3.16.4-1.51.1
mozilla-nss-tools-debuginfo-3.16.4-1.51.1

- openSUSE 12.3 (x86_64):

libfreebl3-32bit-3.16.4-1.51.1
libfreebl3-debuginfo-32bit-3.16.4-1.51.1
libsoftokn3-32bit-3.16.4-1.51.1
libsoftokn3-debuginfo-32bit-3.16.4-1.51.1
mozilla-nss-32bit-3.16.4-1.51.1
mozilla-nss-certs-32bit-3.16.4-1.51.1
mozilla-nss-certs-debuginfo-32bit-3.16.4-1.51.1
mozilla-nss-debuginfo-32bit-3.16.4-1.51.1
mozilla-nss-sysinit-32bit-3.16.4-1.51.1
mozilla-nss-sysinit-debuginfo-32bit-3.16.4-1.51.1
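After applying the patch, an administrator will want to confirm that every affected package on a host is at or above the version in the package list above. The following Python script is an added example and not part of the advisory: it compares a constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output against a subset of the openSUSE 13.1 package list, using a simplified re-implementation of rpm's version comparison (tilde and caret handling are omitted; the `bash` entry in the sample is a constructed value, not from the advisory).

```python
import re
# Fixed versions for openSUSE 13.1, copied from the advisory's package list
# (a subset, to keep the example short).
FIXED_13_1 = """
MozillaFirefox-31.1.0-42.1
MozillaFirefox-translations-common-31.1.0-42.1
mozilla-nss-3.16.4-35.1
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output on a host that has not yet applied patch openSUSE-2014-530.
INSTALLED_SAMPLE = """
MozillaFirefox-31.0-40.3
MozillaFirefox-translations-common-31.1.0-42.1
mozilla-nss-3.16.3-30.1
bash-4.2-68.4.1
"""

def split_nvr(nvr):
    # 'name-version-release'; the name itself may contain dashes.
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    # Simplified rpmvercmp: digit segments compare numerically, alpha segments
    # lexically, and a digit segment is newer than an alpha one (no tilde/caret).
    seg = re.compile(r"[0-9]+|[A-Za-z]+")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def missing_updates(fixed_text, installed_text):
    # (name, installed, fixed) for each installed package older than the update.
    fixed = {n: (v, r) for n, v, r in map(split_nvr, fixed_text.split())}
    outdated = []
    for name, ver, rel in map(split_nvr, installed_text.split()):
        if name not in fixed:
            continue  # not shipped by this update, so not affected by it
        fver, frel = fixed[name]
        if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
            outdated.append((name, f"{ver}-{rel}", f"{fver}-{frel}"))
    return outdated
```

On a real host, replace INSTALLED_SAMPLE with the actual `rpm -qa` output and FIXED_13_1 with the full list for your product.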


References:

http://support.novell.com/security/cve/CVE-2014-1553.html
http://support.novell.com/security/cve/CVE-2014-1562.html
http://support.novell.com/security/cve/CVE-2014-1563.html
http://support.novell.com/security/cve/CVE-2014-1564.html
http://support.novell.com/security/cve/CVE-2014-1565.html
http://support.novell.com/security/cve/CVE-2014-1567.html
https://bugzilla.novell.com/894201
https://bugzilla.novell.com/894370

