openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss and seamonkey
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1345-1
Rating: moderate
References: #894370 #896624 #897890 #900941 #901213
Cross-References: CVE-2014-1554 CVE-2014-1574 CVE-2014-1575
CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
CVE-2014-1580 CVE-2014-1581 CVE-2014-1582
CVE-2014-1583 CVE-2014-1584 CVE-2014-1585
CVE-2014-1586
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
- update to Firefox 33.0 (bnc#900941)
New features:
* OpenH264 support (sandboxed)
* Enhanced Tiles
* Improved search experience through the location bar
* Slimmer and faster JavaScript strings
* New CSP (Content Security Policy) backend
* Support for connecting to HTTP proxy over HTTPS
* Improved reliability of the session restoration
* Proprietary window.crypto properties/functions removed
Security:
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
- added basic appdata information
- update to SeaMonkey 2.30 (bnc#900941)
* venkman debugger removed from application and therefore obsolete
package seamonkey-venkman
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
Changes in mozilla-nspr:
- update to version 4.10.7
* bmo#836658: VC11+ defaults to SSE2 builds by default.
* bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103
PR_NewThreadPrivateIndex.
* bmo#1026129: Replace some manual declarations of MSVC intrinsics with
#include