[security-announce] openSUSE-SU-2014:0939-1: important: MozillaFirefox: Update to Mozilla Firefox 31
openSUSE Security Update: MozillaFirefox: Update to Mozilla Firefox 31
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0939-1
Rating:             important
References:         #887746
Cross-References:   CVE-2014-1544 CVE-2014-1547 CVE-2014-1548
                    CVE-2014-1549 CVE-2014-1550 CVE-2014-1552
                    CVE-2014-1555 CVE-2014-1556 CVE-2014-1557
                    CVE-2014-1558 CVE-2014-1559 CVE-2014-1560
                    CVE-2014-1561
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

MozillaFirefox was updated to version 31 to fix various security issues
and bugs:

* MFSA 2014-56/CVE-2014-1547/CVE-2014-1548 Miscellaneous memory safety
  hazards
* MFSA 2014-57/CVE-2014-1549 (bmo#1020205) Buffer overflow during Web
  Audio buffering for playback
* MFSA 2014-58/CVE-2014-1550 (bmo#1020411) Use-after-free in Web Audio due
  to incorrect control message ordering
* MFSA 2014-60/CVE-2014-1561 (bmo#1000514, bmo#910375) Toolbar dialog
  customization event spoofing
* MFSA 2014-61/CVE-2014-1555 (bmo#1023121) Use-after-free with
  FireOnStateChange event
* MFSA 2014-62/CVE-2014-1556 (bmo#1028891) Exploitable WebGL crash with
  Cesium JavaScript library
* MFSA 2014-63/CVE-2014-1544 (bmo#963150) Use-after-free when
  manipulating certificates in the trusted cache (solved with NSS 3.16.2
  requirement)
* MFSA 2014-64/CVE-2014-1557 (bmo#913805) Crash in Skia library when
  scaling high quality images
* MFSA 2014-65/CVE-2014-1558/CVE-2014-1559/CVE-2014-1560 (bmo#1015973,
  bmo#1026022, bmo#997795) Certificate parsing broken by non-standard
  character encoding
* MFSA 2014-66/CVE-2014-1552 (bmo#985135) IFRAME sandbox same-origin
  access through redirect

Mozilla-nss was updated to 3.16.3:

New Functions:
* CERT_GetGeneralNameTypeFromString (This function was already added in
  NSS 3.16.2, however, it wasn't declared in a public header file.)

Notable Changes:
* The following 1024-bit CA certificates were removed:
  - Entrust.net Secure Server Certification Authority
  - GTE CyberTrust Global Root
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
* Additionally, the following CA certificate was removed as requested by
  the CA:
  - TDC Internet Root CA
* The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
* The Trust Bits were changed for the following CA certificates:
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Changes in 3.16.2:

New functionality:
* DTLS 1.2 is supported.
* The TLS application layer protocol negotiation (ALPN) extension is also
  supported on the server side.
* RSA-OAEP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt
  functions with the CKM_RSA_PKCS_OAEP mechanism.
* New Intel AES assembly code for 32-bit and 64-bit Windows, contributed
  by Shay Gueron and Vlad Krasnov of Intel.

Notable Changes:
* The btoa command has a new command-line option -w suffix, which causes
  the output to be wrapped in BEGIN/END lines with the given suffix.
* The certutil command supports additional types of subject alt name
  extensions.
* The certutil command supports generic certificate extensions, by loading
  binary data from files, which have been prepared using external tools,
  or which have been extracted from other existing certificates and dumped
  to file.
* The certutil command supports three new certificate usage specifiers.
* The pp command supports printing UTF-8 (-u).
* On Linux, NSS is built with the -ffunction-sections -fdata-sections
  compiler flags and the --gc-sections linker flag to allow unused
  functions to be discarded.

Changes in 3.16.1:

New functionality:
* Added the "ECC" flag for modutil to select the module used for elliptic
  curve cryptography (ECC) operations.

New Macros:
* PUBLIC_MECH_ECC_FLAG a public mechanism flag for elliptic curve
  cryptography (ECC) operations
* SECMOD_ECC_FLAG an NSS-internal mechanism flag for elliptic curve
  cryptography (ECC) operations. This macro has the same numeric value as
  PUBLIC_MECH_ECC_FLAG.

Notable Changes:
* Imposed name constraints on the French government root CA ANSSI (DCISS).

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-

- openSUSE 12.3:

  zypper in -t patch openSUSE-2014-

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):

  MozillaFirefox-31.0-33.1
  MozillaFirefox-branding-upstream-31.0-33.1
  MozillaFirefox-buildsymbols-31.0-33.1
  MozillaFirefox-debuginfo-31.0-33.1
  MozillaFirefox-debugsource-31.0-33.1
  MozillaFirefox-devel-31.0-33.1
  MozillaFirefox-translations-common-31.0-33.1
  MozillaFirefox-translations-other-31.0-33.1
  libfreebl3-3.16.3-27.1
  libfreebl3-debuginfo-3.16.3-27.1
  libsoftokn3-3.16.3-27.1
  libsoftokn3-debuginfo-3.16.3-27.1
  mozilla-nss-3.16.3-27.1
  mozilla-nss-certs-3.16.3-27.1
  mozilla-nss-certs-debuginfo-3.16.3-27.1
  mozilla-nss-debuginfo-3.16.3-27.1
  mozilla-nss-debugsource-3.16.3-27.1
  mozilla-nss-devel-3.16.3-27.1
  mozilla-nss-sysinit-3.16.3-27.1
  mozilla-nss-sysinit-debuginfo-3.16.3-27.1
  mozilla-nss-tools-3.16.3-27.1
  mozilla-nss-tools-debuginfo-3.16.3-27.1

- openSUSE 13.1 (x86_64):

  libfreebl3-32bit-3.16.3-27.1
  libfreebl3-debuginfo-32bit-3.16.3-27.1
  libsoftokn3-32bit-3.16.3-27.1
  libsoftokn3-debuginfo-32bit-3.16.3-27.1
  mozilla-nss-32bit-3.16.3-27.1
  mozilla-nss-certs-32bit-3.16.3-27.1
  mozilla-nss-certs-debuginfo-32bit-3.16.3-27.1
  mozilla-nss-debuginfo-32bit-3.16.3-27.1
  mozilla-nss-sysinit-32bit-3.16.3-27.1
  mozilla-nss-sysinit-debuginfo-32bit-3.16.3-27.1

- openSUSE 12.3 (i586 x86_64):

  MozillaFirefox-31.0-1.72.1
  MozillaFirefox-branding-upstream-31.0-1.72.1
  MozillaFirefox-buildsymbols-31.0-1.72.1
  MozillaFirefox-debuginfo-31.0-1.72.1
  MozillaFirefox-debugsource-31.0-1.72.1
  MozillaFirefox-devel-31.0-1.72.1
  MozillaFirefox-translations-common-31.0-1.72.1
  MozillaFirefox-translations-other-31.0-1.72.1
  libfreebl3-3.16.3-1.43.1
  libfreebl3-debuginfo-3.16.3-1.43.1
  libsoftokn3-3.16.3-1.43.1
  libsoftokn3-debuginfo-3.16.3-1.43.1
  mozilla-nss-3.16.3-1.43.1
  mozilla-nss-certs-3.16.3-1.43.1
  mozilla-nss-certs-debuginfo-3.16.3-1.43.1
  mozilla-nss-debuginfo-3.16.3-1.43.1
  mozilla-nss-debugsource-3.16.3-1.43.1
  mozilla-nss-devel-3.16.3-1.43.1
  mozilla-nss-sysinit-3.16.3-1.43.1
  mozilla-nss-sysinit-debuginfo-3.16.3-1.43.1
  mozilla-nss-tools-3.16.3-1.43.1
  mozilla-nss-tools-debuginfo-3.16.3-1.43.1

- openSUSE 12.3 (x86_64):

  libfreebl3-32bit-3.16.3-1.43.1
  libfreebl3-debuginfo-32bit-3.16.3-1.43.1
  libsoftokn3-32bit-3.16.3-1.43.1
  libsoftokn3-debuginfo-32bit-3.16.3-1.43.1
  mozilla-nss-32bit-3.16.3-1.43.1
  mozilla-nss-certs-32bit-3.16.3-1.43.1
  mozilla-nss-certs-debuginfo-32bit-3.16.3-1.43.1
  mozilla-nss-debuginfo-32bit-3.16.3-1.43.1
  mozilla-nss-sysinit-32bit-3.16.3-1.43.1
  mozilla-nss-sysinit-debuginfo-32bit-3.16.3-1.43.1
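The package list above is what a defender compares against after running the patch: an update that installs the Firefox packages but leaves an older mozilla-nss build behind has not closed the NSS-side issues (MFSA 2014-63 and 2014-65). The following script is an added example and is not part of the openSUSE announcement. It re-implements rpm's segment-wise version comparison (the rpmvercmp algorithm: alternating numeric and alphabetic segments, numeric segments newer than alphabetic ones, `~` sorting as a pre-release) in pure Python and checks a listing in `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` format against the openSUSE 13.1 fixed versions quoted from the advisory. The installed-package listing embedded in the script is constructed sample data, the advisory subset is copied from the list above, the function names are my own, and the comparison assumes no Epoch is set on the packages. On a real host, feed it the actual rpm output instead of the sample string.

```python
"""Check installed NAME-VERSION-RELEASE strings against an advisory's fixed builds.

Added example, not part of the openSUSE announcement. Implements rpm's
segment-wise version comparison in pure Python; assumes no Epoch is set.
"""
import re

# Fixed builds for openSUSE 13.1, copied from the advisory's package list
# (a representative subset; the full list can be pasted in unchanged).
FIXED_13_1 = """
MozillaFirefox-31.0-33.1
MozillaFirefox-translations-common-31.0-33.1
mozilla-nss-3.16.3-27.1
mozilla-nss-certs-3.16.3-27.1
libfreebl3-3.16.3-27.1
libsoftokn3-3.16.3-27.1
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# from a host where Firefox was patched but two NSS packages were not.
SAMPLE_RPM_QA = """
MozillaFirefox-31.0-33.1
MozillaFirefox-translations-common-31.0-33.1
mozilla-nss-3.16.3-27.1
mozilla-nss-certs-3.16.1-18.1
libfreebl3-3.16.1-18.1
libsoftokn3-3.16.3-27.1
bash-4.2-68.4.1
"""

# rpm splits a version into runs of digits, runs of letters, and '~'.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def split_nvr(pkg):
    """Split 'name-version-release'; names may contain '-', so split on the last two."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.
    Returns -1 if a is older than b, 0 if equal, 1 if newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:  # '~' (pre-release marker) sorts before anything else
                return -1 if x == "~" else 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):  # numeric compare, so 10 > 9 and 01 == 1
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1  # plain string compare for alpha segments
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":  # leftover '~' means the longer string is the OLDER one
        return -1 if a_longer else 1
    return 1 if a_longer else -1  # otherwise more segments means newer


def compare_nvr(installed, fixed):
    """Compare two NAME-VERSION-RELEASE strings of the same package: version first,
    then release. Returns -1 (installed older), 0 (same build) or 1 (newer)."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def parse_listing(text):
    """Map package name -> full NAME-VERSION-RELEASE string, one per non-empty line."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            pkgs[split_nvr(line)[0]] = line
    return pkgs


def unpatched(installed_listing, fixed_listing):
    """Return {name: (installed, required)} for every advisory package that is
    installed but older than the fixed build. Packages not installed at all
    are not reported; the advisory only applies to them once they are."""
    installed = parse_listing(installed_listing)
    result = {}
    for name, fixed in parse_listing(fixed_listing).items():
        have = installed.get(name)
        if have is not None and compare_nvr(have, fixed) < 0:
            result[name] = (have, fixed)
    return result


if __name__ == "__main__":
    for name, (have, need) in sorted(unpatched(SAMPLE_RPM_QA, FIXED_13_1).items()):
        print(f"{name}: installed {have}, advisory requires {need}")
```

Run against the sample, the script reports mozilla-nss-certs and libfreebl3 as still below the fixed build while ignoring bash, which the advisory does not cover. The same comparison applies to the 12.3 list once its release strings (1.43.1, 1.72.1) are substituted.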

References:

http://support.novell.com/security/cve/CVE-2014-1544.html
http://support.novell.com/security/cve/CVE-2014-1547.html
http://support.novell.com/security/cve/CVE-2014-1548.html
http://support.novell.com/security/cve/CVE-2014-1549.html
http://support.novell.com/security/cve/CVE-2014-1550.html
http://support.novell.com/security/cve/CVE-2014-1552.html
http://support.novell.com/security/cve/CVE-2014-1555.html
http://support.novell.com/security/cve/CVE-2014-1556.html
http://support.novell.com/security/cve/CVE-2014-1557.html
http://support.novell.com/security/cve/CVE-2014-1558.html
http://support.novell.com/security/cve/CVE-2014-1559.html
http://support.novell.com/security/cve/CVE-2014-1560.html
http://support.novell.com/security/cve/CVE-2014-1561.html
https://bugzilla.novell.com/887746

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
