   openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0934-1
Rating:             moderate
References:         #930622
Cross-References:   CVE-2011-3079 CVE-2015-2708 CVE-2015-2709
                    CVE-2015-2710 CVE-2015-2711 CVE-2015-2712
                    CVE-2015-2713 CVE-2015-2715 CVE-2015-2716
                    CVE-2015-2717 CVE-2015-2718
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   The Mozilla Firefox web browser was updated to version 38.0.1 to fix
   several security and non-security issues.

   This update also includes a Mozilla Network Security Services (NSS)
   update to version 3.18.1.

   The following vulnerabilities and issues were fixed:

   Changes in Mozilla Firefox:

   - update to Firefox 38.0.1 stability and regression fixes
     * Systems with first generation NVidia Optimus graphics cards may
       crash on start-up
     * Users who import cookies from Google Chrome can end up with broken
       websites
     * Large animated images may fail to play and may stop other images
       from loading

   - update to Firefox 38.0 (bnc#930622)
     * New tab-based preferences
     * Ruby annotation support
     * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
     security fixes:
     * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous memory
       safety hazards
     * MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow parsing
       H.264 video with Linux Gstreamer
     * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG
       content and CSS
     * MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy ignored
       when links opened by middle-click and context menu
     * MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds read and
       write in asm.js validation
     * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during
       text processing with vertical text enabled
     * MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free due to
       Media Decoder Thread creation during shutdown
     * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when
       parsing compressed XML
     * MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow and
       out-of-bounds read while parsing MP4 video metadata
     * MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site hosting
       trusted page can intercept webchannel responses
     * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation
       through IPC channel messages

   Changes in Mozilla NSS:

   - update to 3.18.1
     * Firefox target release 38
     * No new functionality is introduced in this release.
     Notable Changes:
     * The following CA certificate had the Websites and Code Signing
       trust bits restored to their original state to allow more time to
       develop a better transition strategy for affected sites:
       - OU = Equifax Secure Certificate Authority
     * The following CA certificate was removed:
       - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
     * The following intermediate CA certificate has been added as
       actively distrusted because it was mis-used to issue certificates
       for domain names the holder did not own or control:
       - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
     * The version number of the updated root CA list has been set to 2.4

   - update to 3.18
     * Firefox target release 38
     New functionality:
     * When importing certificates and keys from a PKCS#12 source, it's
       now possible to override the nicknames, prior to importing them
       into the NSS database, using new API
       SEC_PKCS12DecoderRenameCertNicknames.
     * The tstclnt test utility program has new command-line options -C,
       -D, -b and -R. Use -C one, two or three times to print information
       about the certificates received from a server, and information
       about the locally found and trusted issuer certificates, to
       diagnose server side configuration issues. It is possible to run
       tstclnt

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-375=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-375=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (i586 x86_64):

      MozillaFirefox-38.0.1-30.1
      MozillaFirefox-branding-upstream-38.0.1-30.1
      MozillaFirefox-buildsymbols-38.0.1-30.1
      MozillaFirefox-debuginfo-38.0.1-30.1
      MozillaFirefox-debugsource-38.0.1-30.1
      MozillaFirefox-devel-38.0.1-30.1
      MozillaFirefox-translations-common-38.0.1-30.1
      MozillaFirefox-translations-other-38.0.1-30.1
      libfreebl3-3.18.1-12.1
      libfreebl3-debuginfo-3.18.1-12.1
      libsoftokn3-3.18.1-12.1
      libsoftokn3-debuginfo-3.18.1-12.1
      mozilla-nss-3.18.1-12.1
      mozilla-nss-certs-3.18.1-12.1
      mozilla-nss-certs-debuginfo-3.18.1-12.1
      mozilla-nss-debuginfo-3.18.1-12.1
      mozilla-nss-debugsource-3.18.1-12.1
      mozilla-nss-devel-3.18.1-12.1
      mozilla-nss-sysinit-3.18.1-12.1
      mozilla-nss-sysinit-debuginfo-3.18.1-12.1
      mozilla-nss-tools-3.18.1-12.1
      mozilla-nss-tools-debuginfo-3.18.1-12.1

   - openSUSE 13.2 (x86_64):

      libfreebl3-32bit-3.18.1-12.1
      libfreebl3-debuginfo-32bit-3.18.1-12.1
      libsoftokn3-32bit-3.18.1-12.1
      libsoftokn3-debuginfo-32bit-3.18.1-12.1
      mozilla-nss-32bit-3.18.1-12.1
      mozilla-nss-certs-32bit-3.18.1-12.1
      mozilla-nss-certs-debuginfo-32bit-3.18.1-12.1
      mozilla-nss-debuginfo-32bit-3.18.1-12.1
      mozilla-nss-sysinit-32bit-3.18.1-12.1
      mozilla-nss-sysinit-debuginfo-32bit-3.18.1-12.1

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-38.0.1-74.1
      MozillaFirefox-branding-upstream-38.0.1-74.1
      MozillaFirefox-buildsymbols-38.0.1-74.1
      MozillaFirefox-debuginfo-38.0.1-74.1
      MozillaFirefox-debugsource-38.0.1-74.1
      MozillaFirefox-devel-38.0.1-74.1
      MozillaFirefox-translations-common-38.0.1-74.1
      MozillaFirefox-translations-other-38.0.1-74.1
      libfreebl3-3.18.1-55.1
      libfreebl3-debuginfo-3.18.1-55.1
      libsoftokn3-3.18.1-55.1
      libsoftokn3-debuginfo-3.18.1-55.1
      mozilla-nss-3.18.1-55.1
      mozilla-nss-certs-3.18.1-55.1
      mozilla-nss-certs-debuginfo-3.18.1-55.1
      mozilla-nss-debuginfo-3.18.1-55.1
      mozilla-nss-debugsource-3.18.1-55.1
      mozilla-nss-devel-3.18.1-55.1
      mozilla-nss-sysinit-3.18.1-55.1
      mozilla-nss-sysinit-debuginfo-3.18.1-55.1
      mozilla-nss-tools-3.18.1-55.1
      mozilla-nss-tools-debuginfo-3.18.1-55.1

   - openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.18.1-55.1
      libfreebl3-debuginfo-32bit-3.18.1-55.1
      libsoftokn3-32bit-3.18.1-55.1
      libsoftokn3-debuginfo-32bit-3.18.1-55.1
      mozilla-nss-32bit-3.18.1-55.1
      mozilla-nss-certs-32bit-3.18.1-55.1
      mozilla-nss-certs-debuginfo-32bit-3.18.1-55.1
      mozilla-nss-debuginfo-32bit-3.18.1-55.1
      mozilla-nss-sysinit-32bit-3.18.1-55.1
      mozilla-nss-sysinit-debuginfo-32bit-3.18.1-55.1

References:

   https://www.suse.com/security/cve/CVE-2011-3079.html
   https://www.suse.com/security/cve/CVE-2015-2708.html
   https://www.suse.com/security/cve/CVE-2015-2709.html
   https://www.suse.com/security/cve/CVE-2015-2710.html
   https://www.suse.com/security/cve/CVE-2015-2711.html
   https://www.suse.com/security/cve/CVE-2015-2712.html
   https://www.suse.com/security/cve/CVE-2015-2713.html
   https://www.suse.com/security/cve/CVE-2015-2715.html
   https://www.suse.com/security/cve/CVE-2015-2716.html
   https://www.suse.com/security/cve/CVE-2015-2717.html
   https://www.suse.com/security/cve/CVE-2015-2718.html
   https://bugzilla.suse.com/930622