openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss and seamonkey ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1345-1 Rating: moderate References: #894370 #896624 #897890 #900941 #901213 Cross-References: CVE-2014-1554 CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1580 CVE-2014-1581 CVE-2014-1582 CVE-2014-1583 CVE-2014-1584 CVE-2014-1585 CVE-2014-1586 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: - update to Firefox 33.0 (bnc#900941) New features: * OpenH264 support (sandboxed) * Enhanced Tiles * Improved search experience through the location bar * Slimmer and faster JavaScript strings * New CSP (Content Security Policy) backend * Support for connecting to HTTP proxy over HTTPS * Improved reliability of the session restoration * Proprietary window.crypto properties/functions removed Security: * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps) - requires NSPR 4.10.7 - requires NSS 3.17.1 - removed obsolete patches: * mozilla-ppc.patch * mozilla-libproxy-compat.patch - added basic appdata information - update to SeaMonkey 2.30 (bnc#900941) * venkman debugger removed from application and therefore obsolete package seamonkey-venkman * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video * MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality * MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps) - requires NSPR 4.10.7 - requires NSS 3.17.1 - removed obsolete patches: * mozilla-ppc.patch * mozilla-libproxy-compat.patch Changes in mozilla-nspr: - update to version 4.10.7 * bmo#836658: VC11+ defaults to SSE2 builds by default. * bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103 PR_NewThreadPrivateIndex. * bmo#1026129: Replace some manual declarations of MSVC intrinsics with #include <intrin.h>. * bmo#1026469: Use AC_CHECK_LIB instead of MOZ_CHECK_PTHREADS. Skip compiler checks when using MSVC, even when $CC is not literally "cl". * bmo#1034415: NSPR hardcodes the C compiler to cl on Windows. * bmo#1042408: Compilation fix for Android > API level 19. * bmo#1043082: NSPR's build system hardcodes -MD. Changes in mozilla-nss: - update to 3.17.1 (bnc#897890) * Change library's signature algorithm default to SHA256 * Add support for draft-ietf-tls-downgrade-scsv * Add clang-cl support to the NSS build system * Implement TLS 1.3: * Part 1. Negotiate TLS 1.3 * Part 2. Remove deprecated cipher suites andcompression. * Add support for little-endian powerpc64 - update to 3.17 * required for Firefox 33 New functionality: * When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros * SSL_REUSE_SERVER_ECDHE_KEY Notable Changes: * The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2. * On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime library should be used. By default the dynamic C runtime library is used. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-611 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): MozillaFirefox-33.0-46.2 MozillaFirefox-branding-upstream-33.0-46.2 MozillaFirefox-buildsymbols-33.0-46.2 MozillaFirefox-debuginfo-33.0-46.2 MozillaFirefox-debugsource-33.0-46.2 MozillaFirefox-devel-33.0-46.2 MozillaFirefox-translations-common-33.0-46.2 MozillaFirefox-translations-other-33.0-46.2 libfreebl3-3.17.1-43.1 libfreebl3-debuginfo-3.17.1-43.1 libsoftokn3-3.17.1-43.1 libsoftokn3-debuginfo-3.17.1-43.1 mozilla-nspr-4.10.7-16.1 mozilla-nspr-debuginfo-4.10.7-16.1 mozilla-nspr-debugsource-4.10.7-16.1 mozilla-nspr-devel-4.10.7-16.1 mozilla-nss-3.17.1-43.1 mozilla-nss-certs-3.17.1-43.1 mozilla-nss-certs-debuginfo-3.17.1-43.1 mozilla-nss-debuginfo-3.17.1-43.1 mozilla-nss-debugsource-3.17.1-43.1 mozilla-nss-devel-3.17.1-43.1 mozilla-nss-sysinit-3.17.1-43.1 mozilla-nss-sysinit-debuginfo-3.17.1-43.1 mozilla-nss-tools-3.17.1-43.1 mozilla-nss-tools-debuginfo-3.17.1-43.1 seamonkey-2.30-36.2 seamonkey-debuginfo-2.30-36.2 seamonkey-debugsource-2.30-36.2 seamonkey-dom-inspector-2.30-36.2 seamonkey-irc-2.30-36.2 seamonkey-translations-common-2.30-36.2 seamonkey-translations-other-2.30-36.2 - openSUSE 13.1 (x86_64): libfreebl3-32bit-3.17.1-43.1 libfreebl3-debuginfo-32bit-3.17.1-43.1 libsoftokn3-32bit-3.17.1-43.1 libsoftokn3-debuginfo-32bit-3.17.1-43.1 mozilla-nspr-32bit-4.10.7-16.1 mozilla-nspr-debuginfo-32bit-4.10.7-16.1 mozilla-nss-32bit-3.17.1-43.1 mozilla-nss-certs-32bit-3.17.1-43.1 mozilla-nss-certs-debuginfo-32bit-3.17.1-43.1 mozilla-nss-debuginfo-32bit-3.17.1-43.1 mozilla-nss-sysinit-32bit-3.17.1-43.1 mozilla-nss-sysinit-debuginfo-32bit-3.17.1-43.1 References: http://support.novell.com/security/cve/CVE-2014-1554.html http://support.novell.com/security/cve/CVE-2014-1574.html http://support.novell.com/security/cve/CVE-2014-1575.html http://support.novell.com/security/cve/CVE-2014-1576.html http://support.novell.com/security/cve/CVE-2014-1577.html http://support.novell.com/security/cve/CVE-2014-1578.html http://support.novell.com/security/cve/CVE-2014-1580.html http://support.novell.com/security/cve/CVE-2014-1581.html http://support.novell.com/security/cve/CVE-2014-1582.html http://support.novell.com/security/cve/CVE-2014-1583.html http://support.novell.com/security/cve/CVE-2014-1584.html http://support.novell.com/security/cve/CVE-2014-1585.html http://support.novell.com/security/cve/CVE-2014-1586.html https://bugzilla.suse.com/show_bug.cgi?id=894370 https://bugzilla.suse.com/show_bug.cgi?id=896624 https://bugzilla.suse.com/show_bug.cgi?id=897890 https://bugzilla.suse.com/show_bug.cgi?id=900941 https://bugzilla.suse.com/show_bug.cgi?id=901213