openSUSE-SU-2014:1344-1: moderate: update for firefox, mozilla-nspr, mozilla-nss
openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1344-1
Rating: moderate
References: #894370 #896624 #897890 #900941 #901213
Cross-References: CVE-2014-1554 CVE-2014-1574 CVE-2014-1575
CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
CVE-2014-1580 CVE-2014-1581 CVE-2014-1582
CVE-2014-1583 CVE-2014-1584 CVE-2014-1585
CVE-2014-1586
Affected Products:
openSUSE 12.3
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
- update to Firefox 33.0 (bnc#900941)
New features:
* OpenH264 support (sandboxed)
* Enhanced Tiles
* Improved search experience through the location bar
* Slimmer and faster JavaScript strings
* New CSP (Content Security Policy) backend
* Support for connecting to HTTP proxy over HTTPS
* Improved reliability of the session restoration
* Proprietary window.crypto properties/functions removed
Security:
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
- added basic appdata information
- update to SeaMonkey 2.30 (bnc#900941)
* venkman debugger removed from application and therefore obsolete
package seamonkey-venkman
* MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety
hazards
* MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
manipulation
* MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
issues with custom waveforms
* MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
video
* MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory
use during GIF rendering
* MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
with text directionality
* MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190)
Key pinning bypasses
* MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
Inconsistent video sharing within iframe
* MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
objects via the Alarms API (only relevant for installed web apps)
- requires NSPR 4.10.7
- requires NSS 3.17.1
- removed obsolete patches:
* mozilla-ppc.patch
* mozilla-libproxy-compat.patch
Changes in mozilla-nss:
- update to 3.17.1 (bnc#897890)
* Change library's signature algorithm default to SHA256
* Add support for draft-ietf-tls-downgrade-scsv
* Add clang-cl support to the NSS build system
* Implement TLS 1.3:
* Part 1. Negotiate TLS 1.3
* Part 2. Remove deprecated cipher suites and compression.
* Add support for little-endian powerpc64
- update to 3.17
* required for Firefox 33
New functionality:
* When using ECDHE, the TLS server code may be configured to generate a
fresh ephemeral ECDH key for each handshake, by setting the
SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
server's ephemeral ECDH key is reused for multiple handshakes. This
option does not affect the TLS client code, which always generates a
fresh ephemeral ECDH key for each handshake.
New Macros:
* SSL_REUSE_SERVER_ECDHE_KEY
Notable Changes:
* The manual pages for the certutil and pp tools have been updated to
document the new parameters that had been added in NSS 3.16.2.
* On Windows, the new build variable USE_STATIC_RTL can be used to
specify that the static C runtime library should be used. By default the
dynamic C runtime library is used.
Changes in mozilla-nspr:
- update to version 4.10.7
* bmo#836658: VC11+ defaults to SSE2 builds by default.
* bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103
PR_NewThreadPrivateIndex.
* bmo#1026129: Replace some manual declarations of MSVC intrinsics with
#include
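The NSS 3.17 entry above notes that, with SSL_REUSE_SERVER_ECDHE_KEY at its default of PR_TRUE, a server reuses one ephemeral ECDH key across many handshakes. The following is an added example (not code from the openSUSE advisory, NSS or NSPR) showing how a defender can spot that behaviour on the wire: it parses the ECDHE ServerKeyExchange message of a TLS 1.2 handshake (RFC 5246 section 7.4.3 with the ServerECDHParams layout of RFC 4492 section 5.4) and reports any ephemeral public point that appears in more than one handshake. The helper names (build_server_key_exchange, parse_ecdhe_public_point, find_reused_ecdhe_keys) and the sample handshake bytes are constructed for this example; the sample points only have the shape of uncompressed P-256 points and are not real curve points.

```python
# Added example, not part of the advisory or of NSS: detect ECDHE ephemeral
# key reuse across TLS 1.2 handshakes by parsing ServerKeyExchange messages.
import struct
from collections import Counter
from typing import Dict, Iterable, Tuple


def build_server_key_exchange(point: bytes, named_curve: int = 23) -> bytes:
    """Build a TLS 1.2 record carrying an ECDHE ServerKeyExchange.

    Used only to construct sample input; the signature is a dummy value
    (constructed data, not a real capture). named_curve 23 is secp256r1."""
    # ServerECDHParams: curve_type=named_curve(3), NamedCurve, ECPoint<1..2^8-1>
    params = bytes([3]) + struct.pack("!H", named_curve) + bytes([len(point)]) + point
    # SignatureAndHashAlgorithm (sha256, ecdsa) + opaque signature<0..2^16-1>
    sig = b"\x00" * 8
    body = params + b"\x04\x03" + struct.pack("!H", len(sig)) + sig
    # Handshake header: msg_type=server_key_exchange(12), uint24 length
    handshake = bytes([12]) + len(body).to_bytes(3, "big") + body
    # TLSPlaintext header: type=handshake(22), version TLS 1.2, uint16 length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_ecdhe_public_point(record: bytes) -> Tuple[int, bytes]:
    """Return (named_curve, ephemeral public point) from one ServerKeyExchange record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 4 or body[0] != 3:
        raise ValueError("only named_curve ECDHE parameters are handled")
    curve = struct.unpack("!H", body[1:3])[0]
    point_len = body[3]
    point = body[4:4 + point_len]
    if len(point) != point_len:
        raise ValueError("truncated ECPoint")
    return curve, point


def find_reused_ecdhe_keys(records: Iterable[bytes]) -> Dict[Tuple[int, bytes], int]:
    """Count each ephemeral point across handshakes; return those seen more than once."""
    counts = Counter(parse_ecdhe_public_point(r) for r in records)
    return {key: n for key, n in counts.items() if n > 1}


# Constructed sample points: uncompressed-encoding shape only, not real curve points.
SAMPLE_POINT_A = b"\x04" + bytes(range(64))
SAMPLE_POINT_B = b"\x04" + bytes(range(64, 128))

# Three constructed handshakes from one server; the first and third present the
# same ephemeral key, which is what a PR_TRUE default would look like on the wire.
SAMPLE_HANDSHAKES = [
    build_server_key_exchange(SAMPLE_POINT_A),
    build_server_key_exchange(SAMPLE_POINT_B),
    build_server_key_exchange(SAMPLE_POINT_A),
]

if __name__ == "__main__":
    for (curve, point), n in find_reused_ecdhe_keys(SAMPLE_HANDSHAKES).items():
        print(f"curve {curve}: ephemeral point {point[:8].hex()}... seen in {n} handshakes")
```

On real traffic, feed the function the handshake records extracted from a capture of several sessions to the same server; an ephemeral point that repeats across sessions means the server is reusing its ECDHE key, which is the behaviour the NSS option above turns off when set to PR_FALSE. The check only applies to TLS 1.2 and earlier, where the server's ephemeral key is sent in a ServerKeyExchange message.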