Mailinglist Archive: opensuse-updates (114 mails)

openSUSE-SU-2014:1344-1: moderate: update for firefox, mozilla-nspr, mozilla-nss
openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1344-1
Rating: moderate
References: #894370 #896624 #897890 #900941 #901213
Cross-References: CVE-2014-1554 CVE-2014-1574 CVE-2014-1575
CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
CVE-2014-1580 CVE-2014-1581 CVE-2014-1582
CVE-2014-1583 CVE-2014-1584 CVE-2014-1585
CVE-2014-1586
Affected Products:
openSUSE 12.3
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:



- update to Firefox 33.0 (bnc#900941)
New features:
* OpenH264 support (sandboxed)
* Enhanced Tiles
* Improved search experience through the location bar
* Slimmer and faster JavaScript strings
* New CSP (Content Security Policy) backend
* Support for connecting to HTTP proxy over HTTPS
* Improved reliability of the session restoration
* Proprietary window.crypto properties/functions removed
Security:
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
- added basic appdata information

- update to SeaMonkey 2.30 (bnc#900941)
* venkman debugger removed from application and therefore obsolete
package seamonkey-venkman
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch

Changes in mozilla-nss:
- update to 3.17.1 (bnc#897890)
* Change library's signature algorithm default to SHA256
* Add support for draft-ietf-tls-downgrade-scsv
* Add clang-cl support to the NSS build system
* Implement TLS 1.3:
* Part 1. Negotiate TLS 1.3
* Part 2. Remove deprecated cipher suites and compression.
* Add support for little-endian powerpc64

- update to 3.17
* required for Firefox 33
New functionality:
* When using ECDHE, the TLS server code may be configured to generate a
fresh ephemeral ECDH key for each handshake, by setting the
SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
server's ephemeral ECDH key is reused for multiple handshakes. This
option does not affect the TLS client code, which always generates a
fresh ephemeral ECDH key for each handshake.
New Macros:
* SSL_REUSE_SERVER_ECDHE_KEY
Notable Changes:
* The manual pages for the certutil and pp tools have been updated to
document the new parameters that had been added in NSS 3.16.2.
* On Windows, the new build variable USE_STATIC_RTL can be used to
specify that the static C runtime library should be used. By default the
dynamic C runtime library is used.

Changes in mozilla-nspr:
- update to version 4.10.7
* bmo#836658: VC11+ defaults to SSE2 builds by default.
* bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103
PR_NewThreadPrivateIndex.
* bmo#1026129: Replace some manual declarations of MSVC intrinsics with
#include <intrin.h>.
* bmo#1026469: Use AC_CHECK_LIB instead of MOZ_CHECK_PTHREADS. Skip
compiler checks when using MSVC, even when $CC is not literally "cl".
* bmo#1034415: NSPR hardcodes the C compiler to cl on Windows.
* bmo#1042408: Compilation fix for Android > API level 19.
* bmo#1043082: NSPR's build system hardcodes -MD.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-612

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (i586 x86_64):

MozillaFirefox-33.0-1.90.1
MozillaFirefox-branding-upstream-33.0-1.90.1
MozillaFirefox-buildsymbols-33.0-1.90.1
MozillaFirefox-debuginfo-33.0-1.90.1
MozillaFirefox-debugsource-33.0-1.90.1
MozillaFirefox-devel-33.0-1.90.1
MozillaFirefox-translations-common-33.0-1.90.1
MozillaFirefox-translations-other-33.0-1.90.1
libfreebl3-3.17.1-1.59.1
libfreebl3-debuginfo-3.17.1-1.59.1
libsoftokn3-3.17.1-1.59.1
libsoftokn3-debuginfo-3.17.1-1.59.1
mozilla-nspr-4.10.7-1.34.1
mozilla-nspr-debuginfo-4.10.7-1.34.1
mozilla-nspr-debugsource-4.10.7-1.34.1
mozilla-nspr-devel-4.10.7-1.34.1
mozilla-nss-3.17.1-1.59.1
mozilla-nss-certs-3.17.1-1.59.1
mozilla-nss-certs-debuginfo-3.17.1-1.59.1
mozilla-nss-debuginfo-3.17.1-1.59.1
mozilla-nss-debugsource-3.17.1-1.59.1
mozilla-nss-devel-3.17.1-1.59.1
mozilla-nss-sysinit-3.17.1-1.59.1
mozilla-nss-sysinit-debuginfo-3.17.1-1.59.1
mozilla-nss-tools-3.17.1-1.59.1
mozilla-nss-tools-debuginfo-3.17.1-1.59.1
seamonkey-2.30-1.61.1
seamonkey-debuginfo-2.30-1.61.1
seamonkey-debugsource-2.30-1.61.1
seamonkey-dom-inspector-2.30-1.61.1
seamonkey-irc-2.30-1.61.1
seamonkey-translations-common-2.30-1.61.1
seamonkey-translations-other-2.30-1.61.1

- openSUSE 12.3 (x86_64):

libfreebl3-32bit-3.17.1-1.59.1
libfreebl3-debuginfo-32bit-3.17.1-1.59.1
libsoftokn3-32bit-3.17.1-1.59.1
libsoftokn3-debuginfo-32bit-3.17.1-1.59.1
mozilla-nspr-32bit-4.10.7-1.34.1
mozilla-nspr-debuginfo-32bit-4.10.7-1.34.1
mozilla-nss-32bit-3.17.1-1.59.1
mozilla-nss-certs-32bit-3.17.1-1.59.1
mozilla-nss-certs-debuginfo-32bit-3.17.1-1.59.1
mozilla-nss-debuginfo-32bit-3.17.1-1.59.1
mozilla-nss-sysinit-32bit-3.17.1-1.59.1
mozilla-nss-sysinit-debuginfo-32bit-3.17.1-1.59.1
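
To confirm the patch took effect, an inventory check can compare installed builds against the fixed builds in the package list above. This is an added example, not part of the advisory: the function names and the sample inventory are constructed, the input format assumes `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, and GNU `sort -V` only approximates rpm's own version ordering.

```shell
#!/bin/sh
# Added example: flag packages still below the builds shipped in
# openSUSE-SU-2014:1344-1. Function names are hypothetical.

# Fixed version-release per package, copied from the advisory's package list.
fixed_version() {
    case "$1" in
        MozillaFirefox)                     echo "33.0-1.90.1" ;;
        seamonkey)                          echo "2.30-1.61.1" ;;
        mozilla-nspr)                       echo "4.10.7-1.34.1" ;;
        mozilla-nss|libfreebl3|libsoftokn3) echo "3.17.1-1.59.1" ;;
        *) return 1 ;;                      # not covered by this advisory
    esac
}

# Succeeds when version $1 >= version $2 (GNU sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin and prints one line for
# every advisory package that is older than its fixed build.
outdated_packages() {
    while read -r name verrel; do
        want=$(fixed_version "$name") || continue
        version_ge "$verrel" "$want" || echo "$name $verrel < $want"
    done
}

# Constructed sample inventory (not real host data): Firefox and NSPR
# are behind, NSS and SeaMonkey are patched, bash is out of scope.
sample_inventory() {
    cat <<'EOF'
MozillaFirefox 32.0.3-1.86.1
mozilla-nss 3.17.1-1.59.1
mozilla-nspr 4.10.6-1.30.1
seamonkey 2.30-1.61.1
bash 4.2-61.1
EOF
}

sample_inventory | outdated_packages
```

On a live host, pipe the `rpm -qa` query into `outdated_packages` instead of the sample; empty output means every listed package is at or above the fixed build.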


References:

http://support.novell.com/security/cve/CVE-2014-1554.html
http://support.novell.com/security/cve/CVE-2014-1574.html
http://support.novell.com/security/cve/CVE-2014-1575.html
http://support.novell.com/security/cve/CVE-2014-1576.html
http://support.novell.com/security/cve/CVE-2014-1577.html
http://support.novell.com/security/cve/CVE-2014-1578.html
http://support.novell.com/security/cve/CVE-2014-1580.html
http://support.novell.com/security/cve/CVE-2014-1581.html
http://support.novell.com/security/cve/CVE-2014-1582.html
http://support.novell.com/security/cve/CVE-2014-1583.html
http://support.novell.com/security/cve/CVE-2014-1584.html
http://support.novell.com/security/cve/CVE-2014-1585.html
http://support.novell.com/security/cve/CVE-2014-1586.html
https://bugzilla.suse.com/show_bug.cgi?id=894370
https://bugzilla.suse.com/show_bug.cgi?id=896624
https://bugzilla.suse.com/show_bug.cgi?id=897890
https://bugzilla.suse.com/show_bug.cgi?id=900941
https://bugzilla.suse.com/show_bug.cgi?id=901213

