   openSUSE Security Update: MozillaFirefox, MozillaThunderbird, mozilla-nss, seamonkey, xulrunner: June
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0760-1
Rating:             important
References:         #765204
Cross-References:   CVE-2011-3101 CVE-2012-0441 CVE-2012-1937
                    CVE-2012-1938 CVE-2012-1940 CVE-2012-1941
                    CVE-2012-1944 CVE-2012-1945 CVE-2012-1946
                    CVE-2012-1947
Affected Products:
                    openSUSE 12.1
                    openSUSE 11.4
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   Changes in MozillaFirefox:
   - update to Firefox 13.0 (bnc#765204)
     * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
       Miscellaneous memory safety hazards
     * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
       Content Security Policy inline-script bypass
     * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
       Information disclosure through Windows file shares and shortcut files
     * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
       Use-after-free while replacing/inserting a node in a document
     * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
       Buffer overflow and use-after-free issues found using Address Sanitizer
   - require NSS 3.13.4
     * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
   - fix sound notifications when filename/path contains a whitespace (bmo#749739)
   - fix build on arm
   - reenabled crashreporter for Factory/12.2 (fix in mozilla-gcc47.patch)

   Changes in MozillaThunderbird:
   - update to Thunderbird 13.0 (bnc#765204)
     * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
       Miscellaneous memory safety hazards
     * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
       Content Security Policy inline-script bypass
     * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
       Information disclosure through Windows file shares and shortcut files
     * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
       Use-after-free while replacing/inserting a node in a document
     * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
       Buffer overflow and use-after-free issues found using Address Sanitizer
   - require NSS 3.13.4
     * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
   - fix build with system NSPR (mozilla-system-nspr.patch)
   - add dependentlibs.list for improved XRE startup
   - update enigmail to 1.4.2
   - reenabled crashreporter for Factory/12.2 (fix in mozilla-gcc47.patch)
   - update to Thunderbird 12.0.1
     * fix regressions
       - POP3 filters (bmo#748090)
       - Message Body not loaded when using "Fetch Headers Only" (bmo#748865)
       - Received messages contain parts of other messages with movemail account (bmo#748726)
       - New mail notification issue (bmo#748997)
       - crash in nsMsgDatabase::MatchDbName (bmo#748432)
   - fixed build with gcc 4.7

   Changes in seamonkey:
   - update to Seamonkey 2.10 (bnc#765204)
     * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
       Miscellaneous memory safety hazards
     * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
       Content Security Policy inline-script bypass
     * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
       Information disclosure through Windows file shares and shortcut files
     * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
       Use-after-free while replacing/inserting a node in a document
     * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
       Buffer overflow and use-after-free issues found using Address Sanitizer
   - requires NSS 3.13.4
     * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
   - update to Seamonkey 2.9.1
     * fix regressions
       - POP3 filters (bmo#748090)
       - Message Body not loaded when using "Fetch Headers Only" (bmo#748865)
       - Received messages contain parts of other messages with movemail account (bmo#748726)
       - New mail notification issue (bmo#748997)
       - crash in nsMsgDatabase::MatchDbName (bmo#748432)
   - fixed build with gcc 4.7

   Changes in mozilla-nss:
   - update to 3.13.5 RTM
   - update to 3.13.4 RTM
     * fixed some bugs
     * fixed cert verification regression in PKIX mode (bmo#737802)
       introduced in 3.13.2

   Changes in xulrunner:
   - update to 13.0 (bnc#765204)
     * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101
       Miscellaneous memory safety hazards
     * MFSA 2012-36/CVE-2012-1944 (bmo#751422)
       Content Security Policy inline-script bypass
     * MFSA 2012-37/CVE-2012-1945 (bmo#670514)
       Information disclosure through Windows file shares and shortcut files
     * MFSA 2012-38/CVE-2012-1946 (bmo#750109)
       Use-after-free while replacing/inserting a node in a document
     * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941
       Buffer overflow and use-after-free issues found using Address Sanitizer
   - require NSS 3.13.4
     * MFSA 2012-39/CVE-2012-0441 (bmo#715073)
   - reenabled crashreporter for Factory/12.2 (fixed in mozilla-gcc47.patch)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.1:

      zypper in -t patch openSUSE-2012-333

   - openSUSE 11.4:

      zypper in -t patch openSUSE-2012-333

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.1 (i586 ia64 x86_64):

      mozilla-nss-debugsource-3.13.5-9.16.1
      xulrunner-debugsource-13.0-2.29.2

   - openSUSE 12.1 (i586 x86_64):

      MozillaFirefox-13.0-2.30.1
      MozillaFirefox-branding-upstream-13.0-2.30.1
      MozillaFirefox-buildsymbols-13.0-2.30.1
      MozillaFirefox-debuginfo-13.0-2.30.1
      MozillaFirefox-debugsource-13.0-2.30.1
      MozillaFirefox-devel-13.0-2.30.1
      MozillaFirefox-translations-common-13.0-2.30.1
      MozillaFirefox-translations-other-13.0-2.30.1
      MozillaThunderbird-13.0-33.23.2
      MozillaThunderbird-buildsymbols-13.0-33.23.2
      MozillaThunderbird-debuginfo-13.0-33.23.2
      MozillaThunderbird-debugsource-13.0-33.23.2
      MozillaThunderbird-devel-13.0-33.23.2
      MozillaThunderbird-translations-common-13.0-33.23.2
      MozillaThunderbird-translations-other-13.0-33.23.2
      chmsee-1.99.08-2.18.3
      chmsee-debuginfo-1.99.08-2.18.3
      chmsee-debugsource-1.99.08-2.18.3
      enigmail-1.4.2+13.0-33.23.2
      enigmail-debuginfo-1.4.2+13.0-33.23.2
      libfreebl3-3.13.5-9.16.1
      libfreebl3-debuginfo-3.13.5-9.16.1
      libsoftokn3-3.13.5-9.16.1
      libsoftokn3-debuginfo-3.13.5-9.16.1
      mozilla-js-13.0-2.29.2
      mozilla-js-debuginfo-13.0-2.29.2
      mozilla-nss-3.13.5-9.16.1
      mozilla-nss-certs-3.13.5-9.16.1
      mozilla-nss-certs-debuginfo-3.13.5-9.16.1
      mozilla-nss-debuginfo-3.13.5-9.16.1
      mozilla-nss-devel-3.13.5-9.16.1
      mozilla-nss-sysinit-3.13.5-9.16.1
      mozilla-nss-sysinit-debuginfo-3.13.5-9.16.1
      mozilla-nss-tools-3.13.5-9.16.1
      mozilla-nss-tools-debuginfo-3.13.5-9.16.1
      seamonkey-2.10-2.21.2
      seamonkey-debuginfo-2.10-2.21.2
      seamonkey-debugsource-2.10-2.21.2
      seamonkey-dom-inspector-2.10-2.21.2
      seamonkey-irc-2.10-2.21.2
      seamonkey-translations-common-2.10-2.21.2
      seamonkey-translations-other-2.10-2.21.2
      seamonkey-venkman-2.10-2.21.2
      xulrunner-13.0-2.29.2
      xulrunner-buildsymbols-13.0-2.29.2
      xulrunner-debuginfo-13.0-2.29.2
      xulrunner-devel-13.0-2.29.2
      xulrunner-devel-debuginfo-13.0-2.29.2

   - openSUSE 12.1 (x86_64):

      libfreebl3-32bit-3.13.5-9.16.1
      libfreebl3-debuginfo-32bit-3.13.5-9.16.1
      libsoftokn3-32bit-3.13.5-9.16.1
      libsoftokn3-debuginfo-32bit-3.13.5-9.16.1
      mozilla-js-32bit-13.0-2.29.2
      mozilla-js-debuginfo-32bit-13.0-2.29.2
      mozilla-nss-32bit-3.13.5-9.16.1
      mozilla-nss-certs-32bit-3.13.5-9.16.1
      mozilla-nss-certs-debuginfo-32bit-3.13.5-9.16.1
      mozilla-nss-debuginfo-32bit-3.13.5-9.16.1
      mozilla-nss-sysinit-32bit-3.13.5-9.16.1
      mozilla-nss-sysinit-debuginfo-32bit-3.13.5-9.16.1
      xulrunner-32bit-13.0-2.29.2
      xulrunner-debuginfo-32bit-13.0-2.29.2

   - openSUSE 12.1 (ia64):

      libfreebl3-debuginfo-x86-3.13.5-9.16.1
      libfreebl3-debuginfo-x86-debuginfo-3.13.5-9.16.1
      libfreebl3-x86-3.13.5-9.16.1
      libsoftokn3-debuginfo-x86-3.13.5-9.16.1
      libsoftokn3-debuginfo-x86-debuginfo-3.13.5-9.16.1
      libsoftokn3-x86-3.13.5-9.16.1
      mozilla-js-debuginfo-x86-13.0-2.29.2
      mozilla-js-debuginfo-x86-debuginfo-13.0-2.29.2
      mozilla-js-x86-13.0-2.29.2
      mozilla-nss-certs-debuginfo-x86-3.13.5-9.16.1
      mozilla-nss-certs-debuginfo-x86-debuginfo-3.13.5-9.16.1
      mozilla-nss-certs-x86-3.13.5-9.16.1
      mozilla-nss-debuginfo-x86-3.13.5-9.16.1
      mozilla-nss-debuginfo-x86-debuginfo-3.13.5-9.16.1
      mozilla-nss-sysinit-debuginfo-x86-3.13.5-9.16.1
      mozilla-nss-sysinit-debuginfo-x86-debuginfo-3.13.5-9.16.1
      mozilla-nss-sysinit-x86-3.13.5-9.16.1
      mozilla-nss-x86-3.13.5-9.16.1
      xulrunner-debuginfo-x86-13.0-2.29.2
      xulrunner-debuginfo-x86-debuginfo-13.0-2.29.2
      xulrunner-x86-13.0-2.29.2

   - openSUSE 11.4 (i586 ia64 x86_64):

      mozilla-nss-debugsource-3.13.5-44.1

   - openSUSE 11.4 (i586 x86_64):

      MozillaFirefox-13.0-25.2
      MozillaFirefox-branding-upstream-13.0-25.2
      MozillaFirefox-buildsymbols-13.0-25.2
      MozillaFirefox-debuginfo-13.0-25.2
      MozillaFirefox-debugsource-13.0-25.2
      MozillaFirefox-devel-13.0-25.2
      MozillaFirefox-translations-common-13.0-25.2
      MozillaFirefox-translations-other-13.0-25.2
      MozillaThunderbird-13.0-21.2
      MozillaThunderbird-buildsymbols-13.0-21.2
      MozillaThunderbird-debuginfo-13.0-21.2
      MozillaThunderbird-debugsource-13.0-21.2
      MozillaThunderbird-devel-13.0-21.2
      MozillaThunderbird-translations-common-13.0-21.2
      MozillaThunderbird-translations-other-13.0-21.2
      enigmail-1.4.2+13.0-21.2
      enigmail-debuginfo-1.4.2+13.0-21.2
      libfreebl3-3.13.5-44.1
      libfreebl3-debuginfo-3.13.5-44.1
      libsoftokn3-3.13.5-44.1
      libsoftokn3-debuginfo-3.13.5-44.1
      mozilla-nss-3.13.5-44.1
      mozilla-nss-certs-3.13.5-44.1
      mozilla-nss-certs-debuginfo-3.13.5-44.1
      mozilla-nss-debuginfo-3.13.5-44.1
      mozilla-nss-devel-3.13.5-44.1
      mozilla-nss-sysinit-3.13.5-44.1
      mozilla-nss-sysinit-debuginfo-3.13.5-44.1
      mozilla-nss-tools-3.13.5-44.1
      mozilla-nss-tools-debuginfo-3.13.5-44.1
      seamonkey-2.10-21.2
      seamonkey-debuginfo-2.10-21.2
      seamonkey-debugsource-2.10-21.2
      seamonkey-dom-inspector-2.10-21.2
      seamonkey-irc-2.10-21.2
      seamonkey-translations-common-2.10-21.2
      seamonkey-translations-other-2.10-21.2
      seamonkey-venkman-2.10-21.2

   - openSUSE 11.4 (x86_64):

      libfreebl3-32bit-3.13.5-44.1
      libfreebl3-debuginfo-32bit-3.13.5-44.1
      libsoftokn3-32bit-3.13.5-44.1
      libsoftokn3-debuginfo-32bit-3.13.5-44.1
      mozilla-nss-32bit-3.13.5-44.1
      mozilla-nss-certs-32bit-3.13.5-44.1
      mozilla-nss-certs-debuginfo-32bit-3.13.5-44.1
      mozilla-nss-debuginfo-32bit-3.13.5-44.1
      mozilla-nss-sysinit-32bit-3.13.5-44.1
      mozilla-nss-sysinit-debuginfo-32bit-3.13.5-44.1

   - openSUSE 11.4 (ia64):

      libfreebl3-debuginfo-x86-3.13.5-44.1
      libfreebl3-debuginfo-x86-debuginfo-3.13.5-44.1
      libfreebl3-x86-3.13.5-44.1
      libsoftokn3-debuginfo-x86-3.13.5-44.1
      libsoftokn3-debuginfo-x86-debuginfo-3.13.5-44.1
      libsoftokn3-x86-3.13.5-44.1
      mozilla-nss-certs-debuginfo-x86-3.13.5-44.1
      mozilla-nss-certs-debuginfo-x86-debuginfo-3.13.5-44.1
      mozilla-nss-certs-x86-3.13.5-44.1
      mozilla-nss-debuginfo-x86-3.13.5-44.1
      mozilla-nss-debuginfo-x86-debuginfo-3.13.5-44.1
      mozilla-nss-sysinit-debuginfo-x86-3.13.5-44.1
      mozilla-nss-sysinit-debuginfo-x86-debuginfo-3.13.5-44.1
      mozilla-nss-sysinit-x86-3.13.5-44.1
      mozilla-nss-x86-3.13.5-44.1

References:

   http://support.novell.com/security/cve/CVE-2011-3101.html
   http://support.novell.com/security/cve/CVE-2012-0441.html
   http://support.novell.com/security/cve/CVE-2012-1937.html
   http://support.novell.com/security/cve/CVE-2012-1938.html
   http://support.novell.com/security/cve/CVE-2012-1940.html
   http://support.novell.com/security/cve/CVE-2012-1941.html
   http://support.novell.com/security/cve/CVE-2012-1944.html
   http://support.novell.com/security/cve/CVE-2012-1945.html
   http://support.novell.com/security/cve/CVE-2012-1946.html
   http://support.novell.com/security/cve/CVE-2012-1947.html
   https://bugzilla.novell.com/765204