openSUSE Security Update: Mozilla: February 2013 update round (Firefox 19) ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0323-1 Rating: important References: #796895 #804248 Cross-References: CVE-2013-0765 CVE-2013-0772 CVE-2013-0773 CVE-2013-0774 CVE-2013-0775 CVE-2013-0776 CVE-2013-0777 CVE-2013-0778 CVE-2013-0779 CVE-2013-0780 CVE-2013-0781 CVE-2013-0782 CVE-2013-0783 Affected Products: openSUSE 12.2 openSUSE 12.1 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: MozillaFirefox was updated to Firefox 19.0 (bnc#804248) MozillaThunderbird was updated to Thunderbird 17.0.3 (bnc#804248) seamonkey was updated to SeaMonkey 2.16 (bnc#804248) xulrunner was updated to 17.0.3esr (bnc#804248) chmsee was updated to version 2.0. Changes in MozillaFirefox 19.0: * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - added patch to fix session restore window order (bmo#712763) - update to Firefox 18.0.2 * blocklist and CTP updates * fixes in JS engine - update to Firefox 18.0.1 * blocklist updates * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - Fix WebRTC to build on powerpc Changes in MozillaThunderbird: - update to Thunderbird 17.0.3 (bnc#804248) * MFSA 2013-21/CVE-2013-0783 Miscellaneous memory safety hazards * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - update Enigmail to 1.5.1 * The release fixes the regressions found in the past few weeks Changes in seamonkey: - update to SeaMonkey 2.16 (bnc#804248) * MFSA 2013-21/CVE-2013-0783/2013-0784 Miscellaneous memory safety hazards * MFSA 2013-22/CVE-2013-0772 (bmo#801366) Out-of-bounds read in image rendering * MFSA 2013-23/CVE-2013-0765 (bmo#830614) Wrapped WebIDL objects can be wrapped again * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782/CVE-2013-0777/ CVE-2013-0778/CVE-2013-0779/CVE-2013-0781 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer - removed obsolete patches * mozilla-webrtc.patch * mozilla-gstreamer-803287.patch - update to SeaMonkey 2.15.2 * Applications could not be removed from the "Application details" dialog under Preferences, Helper Applications (bmo#826771). * View / Message Body As could show menu items out of context (bmo#831348) - update to SeaMonkey 2.15.1 * backed out bmo#677092 (removed patch) * fixed problems involving HTTP proxy transactions - backed out restartless language packs as it broke multi-locale setup (bmo#677092, bmo#818468) Changes in xulrunner: - update to 17.0.3esr (bnc#804248) * MFSA 2013-21/CVE-2013-0783 Miscellaneous memory safety hazards * MFSA 2013-24/CVE-2013-0773 (bmo#809652) Web content bypass of COW and SOW security wrappers * MFSA 2013-25/CVE-2013-0774 (bmo#827193) Privacy leak in JavaScript Workers * MFSA 2013-26/CVE-2013-0775 (bmo#831095) Use-after-free in nsImageLoadingContent * MFSA 2013-27/CVE-2013-0776 (bmo#796475) Phishing on HTTPS connection through malicious proxy * MFSA 2013-28/CVE-2013-0780/CVE-2013-0782 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.2: zypper in -t patch openSUSE-2013-141 - openSUSE 12.1: zypper in -t patch openSUSE-2013-141 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.2 (i586 x86_64): MozillaFirefox-19.0-2.33.1 MozillaFirefox-branding-upstream-19.0-2.33.1 MozillaFirefox-buildsymbols-19.0-2.33.1 MozillaFirefox-debuginfo-19.0-2.33.1 MozillaFirefox-debugsource-19.0-2.33.1 MozillaFirefox-devel-19.0-2.33.1 MozillaFirefox-translations-common-19.0-2.33.1 MozillaFirefox-translations-other-19.0-2.33.1 MozillaThunderbird-17.0.3-49.31.1 MozillaThunderbird-buildsymbols-17.0.3-49.31.1 MozillaThunderbird-debuginfo-17.0.3-49.31.1 MozillaThunderbird-debugsource-17.0.3-49.31.1 MozillaThunderbird-devel-17.0.3-49.31.1 MozillaThunderbird-devel-debuginfo-17.0.3-49.31.1 MozillaThunderbird-translations-common-17.0.3-49.31.1 MozillaThunderbird-translations-other-17.0.3-49.31.1 chmsee-2.0-2.14.3 chmsee-debuginfo-2.0-2.14.3 chmsee-debugsource-2.0-2.14.3 enigmail-1.5.1+17.0.3-49.31.1 enigmail-debuginfo-1.5.1+17.0.3-49.31.1 mozilla-js-17.0.3-2.30.1 mozilla-js-debuginfo-17.0.3-2.30.1 seamonkey-2.16-2.34.2 seamonkey-debuginfo-2.16-2.34.2 seamonkey-debugsource-2.16-2.34.2 seamonkey-dom-inspector-2.16-2.34.2 seamonkey-irc-2.16-2.34.2 seamonkey-translations-common-2.16-2.34.2 seamonkey-translations-other-2.16-2.34.2 seamonkey-venkman-2.16-2.34.2 xulrunner-17.0.3-2.30.1 xulrunner-buildsymbols-17.0.3-2.30.1 xulrunner-debuginfo-17.0.3-2.30.1 xulrunner-debugsource-17.0.3-2.30.1 xulrunner-devel-17.0.3-2.30.1 xulrunner-devel-debuginfo-17.0.3-2.30.1 - openSUSE 12.2 (x86_64): mozilla-js-32bit-17.0.3-2.30.1 mozilla-js-debuginfo-32bit-17.0.3-2.30.1 xulrunner-32bit-17.0.3-2.30.1 xulrunner-debuginfo-32bit-17.0.3-2.30.1 - openSUSE 12.1 (i586 x86_64): MozillaFirefox-19.0-2.62.1 MozillaFirefox-branding-upstream-19.0-2.62.1 MozillaFirefox-buildsymbols-19.0-2.62.1 MozillaFirefox-debuginfo-19.0-2.62.1 MozillaFirefox-debugsource-19.0-2.62.1 MozillaFirefox-devel-19.0-2.62.1 MozillaFirefox-translations-common-19.0-2.62.1 MozillaFirefox-translations-other-19.0-2.62.1 MozillaThunderbird-17.0.3-33.51.1 MozillaThunderbird-buildsymbols-17.0.3-33.51.1 MozillaThunderbird-debuginfo-17.0.3-33.51.1 MozillaThunderbird-debugsource-17.0.3-33.51.1 MozillaThunderbird-devel-17.0.3-33.51.1 MozillaThunderbird-devel-debuginfo-17.0.3-33.51.1 MozillaThunderbird-translations-common-17.0.3-33.51.1 MozillaThunderbird-translations-other-17.0.3-33.51.1 chmsee-2.0-2.32.3 chmsee-debuginfo-2.0-2.32.3 chmsee-debugsource-2.0-2.32.3 enigmail-1.5.1+17.0.3-33.51.1 enigmail-debuginfo-1.5.1+17.0.3-33.51.1 mozilla-js-17.0.3-2.57.1 mozilla-js-debuginfo-17.0.3-2.57.1 seamonkey-2.16-2.53.1 seamonkey-debuginfo-2.16-2.53.1 seamonkey-debugsource-2.16-2.53.1 seamonkey-dom-inspector-2.16-2.53.1 seamonkey-irc-2.16-2.53.1 seamonkey-translations-common-2.16-2.53.1 seamonkey-translations-other-2.16-2.53.1 seamonkey-venkman-2.16-2.53.1 xulrunner-17.0.3-2.57.1 xulrunner-buildsymbols-17.0.3-2.57.1 xulrunner-debuginfo-17.0.3-2.57.1 xulrunner-debugsource-17.0.3-2.57.1 xulrunner-devel-17.0.3-2.57.1 xulrunner-devel-debuginfo-17.0.3-2.57.1 - openSUSE 12.1 (x86_64): mozilla-js-32bit-17.0.3-2.57.1 mozilla-js-debuginfo-32bit-17.0.3-2.57.1 xulrunner-32bit-17.0.3-2.57.1 xulrunner-debuginfo-32bit-17.0.3-2.57.1 - openSUSE 12.1 (ia64): mozilla-js-debuginfo-x86-17.0.3-2.57.1 mozilla-js-x86-17.0.3-2.57.1 xulrunner-debuginfo-x86-17.0.3-2.57.1 xulrunner-x86-17.0.3-2.57.1 References: http://support.novell.com/security/cve/CVE-2013-0765.html http://support.novell.com/security/cve/CVE-2013-0772.html http://support.novell.com/security/cve/CVE-2013-0773.html http://support.novell.com/security/cve/CVE-2013-0774.html http://support.novell.com/security/cve/CVE-2013-0775.html http://support.novell.com/security/cve/CVE-2013-0776.html http://support.novell.com/security/cve/CVE-2013-0777.html http://support.novell.com/security/cve/CVE-2013-0778.html http://support.novell.com/security/cve/CVE-2013-0779.html http://support.novell.com/security/cve/CVE-2013-0780.html http://support.novell.com/security/cve/CVE-2013-0781.html http://support.novell.com/security/cve/CVE-2013-0782.html http://support.novell.com/security/cve/CVE-2013-0783.html https://bugzilla.novell.com/796895 https://bugzilla.novell.com/804248 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org