[opensuse-security] Re: [security-announce] openSUSE-SU-2013:0631-1: important: Mozilla Firefox and others: Update to 20.0/17.0.5 releases
Sehr geehrte Damen und Herren, wegen eines Auslandsaufenthaltes kann ich die Nachricht vermutlich bis zum 4.4. nicht lesen. In dringenden Fällen stehe ich Ihnen unter +49 177 7902970 telefonisch zur Verfügung. Mit freundlichen Grüßen W. Lisiewicz ------------- Szanowni Państwo, z powodu pobytu za granicą nie będę prawdopodobnie mógł przeczytać Państwa wiadomości do dnia 4.4. W pilnych przypadkach jestem dostępny pod numerem telefonu +49 177 7902970. Pozdrawiam serdecznie W. Lisiewicz Am 05.04.2013 um 18:06 schrieb opensuse-security@opensuse.org:
openSUSE Security Update: Mozilla Firefox and others: Update to 20.0/17.0.5 releases ______________________________________________________________________________
Announcement ID: openSUSE-SU-2013:0631-1 Rating: important References: #813026 Cross-References: CVE-2013-0788 CVE-2013-0789 CVE-2013-0792 CVE-2013-0793 CVE-2013-0794 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800 Affected Products: openSUSE 11.4 ______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
The Mozilla suite received security and bugfix updates:
Firefox was updated to version 20.0. Thunderbird was updated to version 17.0.5. Seamonkey was updated to version 2.17 mozilla-nss was updated to version 3.14.3. mozilla-nspr was updated to version 4.9.6.
mozilla-nspr was updated to version 4.9.6: * aarch64 support * added PL_SizeOfArenaPoolExcludingPool function (bmo#807883) * Auto detect android api version for x86 (bmo#782214) * Initialize Windows CRITICAL_SECTIONs without debug info and with nonzero spin count (bmo#812085) Previous update to version 4.9.5 * bmo#634793: define NSPR's exact-width integer types PRInt{N} and PRUint{N} types to match the <stdint.h> exact-width integer types int{N}_t and uint{N}_t. * bmo#782815: passing 'int *' to parameter of type 'unsigned int *' in setsockopt(). * bmo#822932: Port bmo#802527 (NDK r8b support for x86) to NSPR. * bmo#824742: NSPR shouldn't require librt on Android. * bmo#831793: data race on lib->refCount in PR_UnloadLibrary.
mozilla-nss was updated to version 3.14.3: * disable tests with expired certificates * add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements
* No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714) * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch * add aarch64 support
* added system-sqlite.patch (bmo#837799) * do not depend on latest sqlite just for a #define * enable system sqlite usage again
* update to 3.14.2 * required for Firefox >= 20 * removed obsolete nssckbi update patch * MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage * disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution * add nss-sqlitename.patch to avoid any name clash
Changes in MozillaFirefox: - update to Firefox 20.0 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations * MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) - build fixes for armv7hl: * disable debug build as armv7hl does not have enough memory * disable webrtc on armv7hl as it is non-compiling
Changes in MozillaThunderbird: - update to Thunderbird 17.0.5 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations
Changes in seamonkey: - update to SeaMonkey 2.17 (bnc#813026) * requires NSPR 4.9.5 and NSS 3.14.3 * MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards * MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library * MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux * MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes * MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure * MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations * MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 11.4:
zypper in -t patch 2013-58
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.4 (i586 x86_64):
MozillaFirefox-20.0-69.1 MozillaFirefox-branding-upstream-20.0-69.1 MozillaFirefox-buildsymbols-20.0-69.1 MozillaFirefox-debuginfo-20.0-69.1 MozillaFirefox-debugsource-20.0-69.1 MozillaFirefox-devel-20.0-69.1 MozillaFirefox-translations-common-20.0-69.1 MozillaFirefox-translations-other-20.0-69.1 MozillaThunderbird-17.0.5-57.1 MozillaThunderbird-buildsymbols-17.0.5-57.1 MozillaThunderbird-debuginfo-17.0.5-57.1 MozillaThunderbird-debugsource-17.0.5-57.1 MozillaThunderbird-devel-17.0.5-57.1 MozillaThunderbird-devel-debuginfo-17.0.5-57.1 MozillaThunderbird-translations-common-17.0.5-57.1 MozillaThunderbird-translations-other-17.0.5-57.1 enigmail-1.5.1+17.0.5-57.1 enigmail-debuginfo-1.5.1+17.0.5-57.1 libfreebl3-3.14.3-58.1 libfreebl3-debuginfo-3.14.3-58.1 libsoftokn3-3.14.3-58.1 libsoftokn3-debuginfo-3.14.3-58.1 mozilla-nspr-4.9.6-24.1 mozilla-nspr-debuginfo-4.9.6-24.1 mozilla-nspr-debugsource-4.9.6-24.1 mozilla-nspr-devel-4.9.6-24.1 mozilla-nss-3.14.3-58.1 mozilla-nss-certs-3.14.3-58.1 mozilla-nss-certs-debuginfo-3.14.3-58.1 mozilla-nss-debuginfo-3.14.3-58.1 mozilla-nss-debugsource-3.14.3-58.1 mozilla-nss-devel-3.14.3-58.1 mozilla-nss-sysinit-3.14.3-58.1 mozilla-nss-sysinit-debuginfo-3.14.3-58.1 mozilla-nss-tools-3.14.3-58.1 mozilla-nss-tools-debuginfo-3.14.3-58.1 seamonkey-2.17-61.1 seamonkey-debuginfo-2.17-61.1 seamonkey-debugsource-2.17-61.1 seamonkey-dom-inspector-2.17-61.1 seamonkey-irc-2.17-61.1 seamonkey-translations-common-2.17-61.1 seamonkey-translations-other-2.17-61.1 seamonkey-venkman-2.17-61.1
- openSUSE 11.4 (x86_64):
libfreebl3-32bit-3.14.3-58.1 libfreebl3-debuginfo-32bit-3.14.3-58.1 libsoftokn3-32bit-3.14.3-58.1 libsoftokn3-debuginfo-32bit-3.14.3-58.1 mozilla-nspr-32bit-4.9.6-24.1 mozilla-nspr-debuginfo-32bit-4.9.6-24.1 mozilla-nss-32bit-3.14.3-58.1 mozilla-nss-certs-32bit-3.14.3-58.1 mozilla-nss-certs-debuginfo-32bit-3.14.3-58.1 mozilla-nss-debuginfo-32bit-3.14.3-58.1 mozilla-nss-sysinit-32bit-3.14.3-58.1 mozilla-nss-sysinit-debuginfo-32bit-3.14.3-58.1
- openSUSE 11.4 (ia64):
libfreebl3-debuginfo-x86-3.14.3-58.1 libfreebl3-x86-3.14.3-58.1 libsoftokn3-debuginfo-x86-3.14.3-58.1 libsoftokn3-x86-3.14.3-58.1 mozilla-nspr-debuginfo-x86-4.9.6-24.1 mozilla-nspr-x86-4.9.6-24.1 mozilla-nss-certs-debuginfo-x86-3.14.3-58.1 mozilla-nss-certs-x86-3.14.3-58.1 mozilla-nss-debuginfo-x86-3.14.3-58.1 mozilla-nss-sysinit-debuginfo-x86-3.14.3-58.1 mozilla-nss-sysinit-x86-3.14.3-58.1 mozilla-nss-x86-3.14.3-58.1
References:
http://support.novell.com/security/cve/CVE-2013-0788.html http://support.novell.com/security/cve/CVE-2013-0789.html http://support.novell.com/security/cve/CVE-2013-0792.html http://support.novell.com/security/cve/CVE-2013-0793.html http://support.novell.com/security/cve/CVE-2013-0794.html http://support.novell.com/security/cve/CVE-2013-0795.html http://support.novell.com/security/cve/CVE-2013-0796.html http://support.novell.com/security/cve/CVE-2013-0800.html https://bugzilla.novell.com/813026
-- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
participants (1)
-
Wojciech Lisiewicz