openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1557-1 Rating: important References: #980384 #981695 #983549 #983632 #983638 #983639 #983640 #983643 #983644 #983646 #983649 #983651 #983652 #983653 #983655 Cross-References: CVE-2016-1950 CVE-2016-2815 CVE-2016-2818 CVE-2016-2819 CVE-2016-2821 CVE-2016-2822 CVE-2016-2824 CVE-2016-2825 CVE-2016-2828 CVE-2016-2829 CVE-2016-2831 CVE-2016-2832 CVE-2016-2833 CVE-2016-2834 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that solves 14 vulnerabilities and has one errata is now available. Description: This update to Mozilla Firefox 47 fixes the following issues (boo#983549): Security fixes: - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety hazards (boo#983638 MFSA 2016-49) - CVE-2016-2819: Buffer overflow parsing HTML5 fragments (boo#983655 MFSA 2016-50) - CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (boo#983653 MFSA 2016-51) - CVE-2016-2822: Addressbar spoofing though the SELECT element (boo#983652 MFSA 2016-52) - CVE-2016-2824: Out-of-bounds write with WebGL shader (boo#983651 MFSA 2016-53) - CVE-2016-2825: Partial same-origin-policy through setting location.host through data URI (boo#983649 MFSA 2016-54) - CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (boo#983646 MFSA 2016-56) - CVE-2016-2829: Incorrect icon displayed on permissions notifications (boo#983644 MFSA 2016-57) - CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (boo#983643 MFSA 2016-58) - CVE-2016-2832: Information disclosure of disabled plugins through CSS pseudo-classes (boo#983632 MFSA 2016-59) - CVE-2016-2833: Java applets bypass CSP protections (boo#983640 MFSA 2016-60) Mozilla NSS was updated to 3.23 to address the following vulnerabilities: - CVE-2016-2834: Memory safety bugs (boo#983639 MFSA-2016-61) The following non-security changes are included: - Enable VP9 video codec for users with fast machines - Embedded YouTube videos now play with HTML5 video if Flash is not installed - View and search open tabs from your smartphone or another computer in a sidebar - Allow no-cache on back/forward navigations for https resources The following packaging changes are included: - boo#981695: cleanup configure options, notably removing GStreamer support which is gone from FF - boo#980384: enable build with PIE and full relro on x86_64 The following new functionality is provided: - ChaCha20/Poly1305 cipher and TLS cipher suites now supported - The list of TLS extensions sent in the TLS handshake has been reordered to increase compatibility of the Extended Master Secret with with servers Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch 2016-714=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): MozillaFirefox-47.0-116.1 MozillaFirefox-branding-upstream-47.0-116.1 MozillaFirefox-buildsymbols-47.0-116.1 MozillaFirefox-debuginfo-47.0-116.1 MozillaFirefox-debugsource-47.0-116.1 MozillaFirefox-devel-47.0-116.1 MozillaFirefox-translations-common-47.0-116.1 MozillaFirefox-translations-other-47.0-116.1 libfreebl3-3.23-80.1 libfreebl3-debuginfo-3.23-80.1 libsoftokn3-3.23-80.1 libsoftokn3-debuginfo-3.23-80.1 mozilla-nss-3.23-80.1 mozilla-nss-certs-3.23-80.1 mozilla-nss-certs-debuginfo-3.23-80.1 mozilla-nss-debuginfo-3.23-80.1 mozilla-nss-debugsource-3.23-80.1 mozilla-nss-devel-3.23-80.1 mozilla-nss-sysinit-3.23-80.1 mozilla-nss-sysinit-debuginfo-3.23-80.1 mozilla-nss-tools-3.23-80.1 mozilla-nss-tools-debuginfo-3.23-80.1 - openSUSE 13.1 (x86_64): libfreebl3-32bit-3.23-80.1 libfreebl3-debuginfo-32bit-3.23-80.1 libsoftokn3-32bit-3.23-80.1 libsoftokn3-debuginfo-32bit-3.23-80.1 mozilla-nss-32bit-3.23-80.1 mozilla-nss-certs-32bit-3.23-80.1 mozilla-nss-certs-debuginfo-32bit-3.23-80.1 mozilla-nss-debuginfo-32bit-3.23-80.1 mozilla-nss-sysinit-32bit-3.23-80.1 mozilla-nss-sysinit-debuginfo-32bit-3.23-80.1 References: https://www.suse.com/security/cve/CVE-2016-1950.html https://www.suse.com/security/cve/CVE-2016-2815.html https://www.suse.com/security/cve/CVE-2016-2818.html https://www.suse.com/security/cve/CVE-2016-2819.html https://www.suse.com/security/cve/CVE-2016-2821.html https://www.suse.com/security/cve/CVE-2016-2822.html https://www.suse.com/security/cve/CVE-2016-2824.html https://www.suse.com/security/cve/CVE-2016-2825.html https://www.suse.com/security/cve/CVE-2016-2828.html https://www.suse.com/security/cve/CVE-2016-2829.html https://www.suse.com/security/cve/CVE-2016-2831.html https://www.suse.com/security/cve/CVE-2016-2832.html https://www.suse.com/security/cve/CVE-2016-2833.html https://www.suse.com/security/cve/CVE-2016-2834.html https://bugzilla.suse.com/980384 https://bugzilla.suse.com/981695 https://bugzilla.suse.com/983549 https://bugzilla.suse.com/983632 https://bugzilla.suse.com/983638 https://bugzilla.suse.com/983639 https://bugzilla.suse.com/983640 https://bugzilla.suse.com/983643 https://bugzilla.suse.com/983644 https://bugzilla.suse.com/983646 https://bugzilla.suse.com/983649 https://bugzilla.suse.com/983651 https://bugzilla.suse.com/983652 https://bugzilla.suse.com/983653 https://bugzilla.suse.com/983655 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org