   openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1581-1
Rating:             moderate
References:         #900639 #908009
Cross-References:   CVE-2014-1587 CVE-2014-1588 CVE-2014-1589 CVE-2014-1590
                    CVE-2014-1591 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This MozillaFirefox update fixes several security and non security issues.

   Changes in MozillaFirefox:
   - update to Firefox 34.0.5 (bnc#908009)
     * Default search engine changed to Yahoo! for North America
     * Default search engine changed to Yandex for Belarusian, Kazakh, and
       Russian locales
     * Improved search bar (en-US only)
     * Firefox Hello real-time communication client
     * Easily switch themes/personas directly in the Customizing mode
     * Implementation of HTTP/2 (draft14) and ALPN
     * Disabled SSLv3
     * MFSA 2014-83/CVE-2014-1587/CVE-2014-1588 Miscellaneous memory safety
       hazards
     * MFSA 2014-84/CVE-2014-1589 (bmo#1043787) XBL bindings accessible via
       improper CSS declarations
     * MFSA 2014-85/CVE-2014-1590 (bmo#1087633) XMLHttpRequest crashes with
       some input streams
     * MFSA 2014-86/CVE-2014-1591 (bmo#1069762) CSP leaks redirect data via
       violation reports
     * MFSA 2014-87/CVE-2014-1592 (bmo#1088635) Use-after-free during HTML5
       parsing
     * MFSA 2014-88/CVE-2014-1593 (bmo#1085175) Buffer overflow while parsing
       media content
     * MFSA 2014-89/CVE-2014-1594 (bmo#1074280) Bad casting from the
       BasicThebesLayer to BasicContainerLayer
   - rebased patches
   - limit linker memory usage for %ix86

   - update to Firefox 33.1
     * Adding DuckDuckGo as a search option (upstream)
     * Forget Button added
     * Enhanced Tiles
     * Privacy tour introduced
   - fix typo in GStreamer Recommends

   - Disable elf-hack for aarch64
   - Enable EGL for aarch64
   - Limit RAM usage during link for %arm
   - Fix _constraints for ARM

   - use proper macros for ARM
   - use '--disable-optimize' not only on 32-bit x86, but on 32-bit arm too
     to fix compiling.
   - pass '-Wl,--no-keep-memory' to linker to reduce required memory during
     linking on arm.

   - update to Firefox 33.0.2
     * Fix a startup crash with some combination of hardware and drivers
     33.0.1
     * Firefox displays a black screen at start-up with certain graphics
       drivers
   - adjusted _constraints for ARM
   - added mozilla-bmo1088588.patch to fix build with EGL (bmo#1088588)
   - define /usr/share/myspell as additional dictionary location and remove
     add-plugins.sh finally (bnc#900639)

   - use Firefox default optimization flags instead of -Os
   - specfile cleanup


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2014-746

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-746

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-746

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      MozillaFirefox-34.0.5-5.4
      MozillaFirefox-branding-upstream-34.0.5-5.4
      MozillaFirefox-buildsymbols-34.0.5-5.4
      MozillaFirefox-debuginfo-34.0.5-5.4
      MozillaFirefox-debugsource-34.0.5-5.4
      MozillaFirefox-devel-34.0.5-5.4
      MozillaFirefox-translations-common-34.0.5-5.4
      MozillaFirefox-translations-other-34.0.5-5.4
      libfreebl3-3.17.2-4.2
      libfreebl3-debuginfo-3.17.2-4.2
      libsoftokn3-3.17.2-4.2
      libsoftokn3-debuginfo-3.17.2-4.2
      mozilla-nspr-4.10.7-3.1
      mozilla-nspr-debuginfo-4.10.7-3.1
      mozilla-nspr-debugsource-4.10.7-3.1
      mozilla-nspr-devel-4.10.7-3.1
      mozilla-nss-3.17.2-4.2
      mozilla-nss-certs-3.17.2-4.2
      mozilla-nss-certs-debuginfo-3.17.2-4.2
      mozilla-nss-debuginfo-3.17.2-4.2
      mozilla-nss-debugsource-3.17.2-4.2
      mozilla-nss-devel-3.17.2-4.2
      mozilla-nss-sysinit-3.17.2-4.2
      mozilla-nss-sysinit-debuginfo-3.17.2-4.2
      mozilla-nss-tools-3.17.2-4.2
      mozilla-nss-tools-debuginfo-3.17.2-4.2

   - openSUSE 13.2 (x86_64):

      libfreebl3-32bit-3.17.2-4.2
      libfreebl3-debuginfo-32bit-3.17.2-4.2
      libsoftokn3-32bit-3.17.2-4.2
      libsoftokn3-debuginfo-32bit-3.17.2-4.2
      mozilla-nspr-32bit-4.10.7-3.1
      mozilla-nspr-debuginfo-32bit-4.10.7-3.1
      mozilla-nss-32bit-3.17.2-4.2
      mozilla-nss-certs-32bit-3.17.2-4.2
      mozilla-nss-certs-debuginfo-32bit-3.17.2-4.2
      mozilla-nss-debuginfo-32bit-3.17.2-4.2
      mozilla-nss-sysinit-32bit-3.17.2-4.2
      mozilla-nss-sysinit-debuginfo-32bit-3.17.2-4.2

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-34.0.5-50.3
      MozillaFirefox-branding-upstream-34.0.5-50.3
      MozillaFirefox-buildsymbols-34.0.5-50.3
      MozillaFirefox-debuginfo-34.0.5-50.3
      MozillaFirefox-debugsource-34.0.5-50.3
      MozillaFirefox-devel-34.0.5-50.3
      MozillaFirefox-translations-common-34.0.5-50.3
      MozillaFirefox-translations-other-34.0.5-50.3
      libfreebl3-3.17.2-47.2
      libfreebl3-debuginfo-3.17.2-47.2
      libsoftokn3-3.17.2-47.2
      libsoftokn3-debuginfo-3.17.2-47.2
      mozilla-nspr-4.10.7-19.1
      mozilla-nspr-debuginfo-4.10.7-19.1
      mozilla-nspr-debugsource-4.10.7-19.1
      mozilla-nspr-devel-4.10.7-19.1
      mozilla-nss-3.17.2-47.2
      mozilla-nss-certs-3.17.2-47.2
      mozilla-nss-certs-debuginfo-3.17.2-47.2
      mozilla-nss-debuginfo-3.17.2-47.2
      mozilla-nss-debugsource-3.17.2-47.2
      mozilla-nss-devel-3.17.2-47.2
      mozilla-nss-sysinit-3.17.2-47.2
      mozilla-nss-sysinit-debuginfo-3.17.2-47.2
      mozilla-nss-tools-3.17.2-47.2
      mozilla-nss-tools-debuginfo-3.17.2-47.2

   - openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.17.2-47.2
      libfreebl3-debuginfo-32bit-3.17.2-47.2
      libsoftokn3-32bit-3.17.2-47.2
      libsoftokn3-debuginfo-32bit-3.17.2-47.2
      mozilla-nspr-32bit-4.10.7-19.1
      mozilla-nspr-debuginfo-32bit-4.10.7-19.1
      mozilla-nss-32bit-3.17.2-47.2
      mozilla-nss-certs-32bit-3.17.2-47.2
      mozilla-nss-certs-debuginfo-32bit-3.17.2-47.2
      mozilla-nss-debuginfo-32bit-3.17.2-47.2
      mozilla-nss-sysinit-32bit-3.17.2-47.2
      mozilla-nss-sysinit-debuginfo-32bit-3.17.2-47.2

   - openSUSE 12.3 (i586 x86_64):

      MozillaFirefox-34.0.5-1.94.3
      MozillaFirefox-branding-upstream-34.0.5-1.94.3
      MozillaFirefox-buildsymbols-34.0.5-1.94.3
      MozillaFirefox-debuginfo-34.0.5-1.94.3
      MozillaFirefox-debugsource-34.0.5-1.94.3
      MozillaFirefox-devel-34.0.5-1.94.3
      MozillaFirefox-translations-common-34.0.5-1.94.3
      MozillaFirefox-translations-other-34.0.5-1.94.3
      libfreebl3-3.17.2-1.63.2
      libfreebl3-debuginfo-3.17.2-1.63.2
      libsoftokn3-3.17.2-1.63.2
      libsoftokn3-debuginfo-3.17.2-1.63.2
      mozilla-nspr-4.10.7-1.37.1
      mozilla-nspr-debuginfo-4.10.7-1.37.1
      mozilla-nspr-debugsource-4.10.7-1.37.1
      mozilla-nspr-devel-4.10.7-1.37.1
      mozilla-nss-3.17.2-1.63.2
      mozilla-nss-certs-3.17.2-1.63.2
      mozilla-nss-certs-debuginfo-3.17.2-1.63.2
      mozilla-nss-debuginfo-3.17.2-1.63.2
      mozilla-nss-debugsource-3.17.2-1.63.2
      mozilla-nss-devel-3.17.2-1.63.2
      mozilla-nss-sysinit-3.17.2-1.63.2
      mozilla-nss-sysinit-debuginfo-3.17.2-1.63.2
      mozilla-nss-tools-3.17.2-1.63.2
      mozilla-nss-tools-debuginfo-3.17.2-1.63.2

   - openSUSE 12.3 (x86_64):

      libfreebl3-32bit-3.17.2-1.63.2
      libfreebl3-debuginfo-32bit-3.17.2-1.63.2
      libsoftokn3-32bit-3.17.2-1.63.2
      libsoftokn3-debuginfo-32bit-3.17.2-1.63.2
      mozilla-nspr-32bit-4.10.7-1.37.1
      mozilla-nspr-debuginfo-32bit-4.10.7-1.37.1
      mozilla-nss-32bit-3.17.2-1.63.2
      mozilla-nss-certs-32bit-3.17.2-1.63.2
      mozilla-nss-certs-debuginfo-32bit-3.17.2-1.63.2
      mozilla-nss-debuginfo-32bit-3.17.2-1.63.2
      mozilla-nss-sysinit-32bit-3.17.2-1.63.2
      mozilla-nss-sysinit-debuginfo-32bit-3.17.2-1.63.2


References:

   http://support.novell.com/security/cve/CVE-2014-1587.html
   http://support.novell.com/security/cve/CVE-2014-1588.html
   http://support.novell.com/security/cve/CVE-2014-1589.html
   http://support.novell.com/security/cve/CVE-2014-1590.html
   http://support.novell.com/security/cve/CVE-2014-1591.html
   http://support.novell.com/security/cve/CVE-2014-1592.html
   http://support.novell.com/security/cve/CVE-2014-1593.html
   http://support.novell.com/security/cve/CVE-2014-1594.html
   https://bugzilla.suse.com/show_bug.cgi?id=900639
   https://bugzilla.suse.com/show_bug.cgi?id=908009