
[security-announce] openSUSE-SU-2015:0404-1: important: Security update for MozillaFirefox, mozilla-nss


openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2015:0404-1

Rating: important

References: #910647 #917597

Cross-References: CVE-2014-1569 CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0822 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0827 CVE-2015-0828 CVE-2015-0829 CVE-2015-0830 CVE-2015-0831 CVE-2015-0832 CVE-2015-0834 CVE-2015-0835 CVE-2015-0836

 

Affected Products:

openSUSE 13.2

openSUSE 13.1

______________________________________________________________________________

 

An update that fixes 18 vulnerabilities is now available.

 

Description:

 

MozillaFirefox, mozilla-nss were updated to fix 18 security issues.

 

MozillaFirefox was updated to version 36.0. These security issues were fixed:

- CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards
- CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS protections
- CVE-2015-0830: Malicious WebGL content crash when writing strings
- CVE-2015-0834: TLS TURN and STUN connections silently fail to simple TCP connections
- CVE-2015-0831: Use-after-free in IndexedDB
- CVE-2015-0829: Buffer overflow in libstagefright during MP4 video playback
- CVE-2015-0828: Double-free when using non-default memory allocators with a zero-length XHR
- CVE-2015-0827: Out-of-bounds read and write while rendering SVG content
- CVE-2015-0826: Buffer overflow during CSS restyling
- CVE-2015-0825: Buffer underflow during MP3 playback
- CVE-2015-0824: Crash using DrawTarget in Cairo graphics library
- CVE-2015-0823: Use-after-free in Developer Console date with OpenType Sanitiser
- CVE-2015-0822: Reading of local files through manipulation of form autocomplete
- CVE-2015-0821: Local files or privileged URLs in pages can be opened into new tabs
- CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof foreground tabs
- CVE-2015-0820: Caja Compiler JavaScript sandbox bypass

 

mozilla-nss was updated to version 3.17.4 to fix the following issues:

- CVE-2014-1569: QuickDER decoder length issue (bnc#910647).
- bmo#1084986: If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP).
- bmo#1112461: libpkix was fixed to prefer the newest certificate, if multiple certificates match.
- bmo#1094492: fixed a memory corruption issue during failure of keypair generation.
- bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode.
- bmo#1119983: fixed interoperability of NSS server code with a LibreSSL client.

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 13.2:

    zypper in -t patch openSUSE-2015-185=1

- openSUSE 13.1:

    zypper in -t patch openSUSE-2015-185=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 13.2 (i586 x86_64):

 

MozillaFirefox-36.0-14.2

MozillaFirefox-branding-upstream-36.0-14.2

MozillaFirefox-buildsymbols-36.0-14.2

MozillaFirefox-debuginfo-36.0-14.2

MozillaFirefox-debugsource-36.0-14.2

MozillaFirefox-devel-36.0-14.2

MozillaFirefox-translations-common-36.0-14.2

MozillaFirefox-translations-other-36.0-14.2

libfreebl3-3.17.4-9.1

libfreebl3-debuginfo-3.17.4-9.1

libsoftokn3-3.17.4-9.1

libsoftokn3-debuginfo-3.17.4-9.1

mozilla-nss-3.17.4-9.1

mozilla-nss-certs-3.17.4-9.1

mozilla-nss-certs-debuginfo-3.17.4-9.1

mozilla-nss-debuginfo-3.17.4-9.1

mozilla-nss-debugsource-3.17.4-9.1

mozilla-nss-devel-3.17.4-9.1

mozilla-nss-sysinit-3.17.4-9.1

mozilla-nss-sysinit-debuginfo-3.17.4-9.1

mozilla-nss-tools-3.17.4-9.1

mozilla-nss-tools-debuginfo-3.17.4-9.1

 

- openSUSE 13.2 (x86_64):

 

libfreebl3-32bit-3.17.4-9.1

libfreebl3-debuginfo-32bit-3.17.4-9.1

libsoftokn3-32bit-3.17.4-9.1

libsoftokn3-debuginfo-32bit-3.17.4-9.1

mozilla-nss-32bit-3.17.4-9.1

mozilla-nss-certs-32bit-3.17.4-9.1

mozilla-nss-certs-debuginfo-32bit-3.17.4-9.1

mozilla-nss-debuginfo-32bit-3.17.4-9.1

mozilla-nss-sysinit-32bit-3.17.4-9.1

mozilla-nss-sysinit-debuginfo-32bit-3.17.4-9.1

 

- openSUSE 13.1 (i586 x86_64):

 

MozillaFirefox-36.0-59.2

MozillaFirefox-branding-upstream-36.0-59.2

MozillaFirefox-buildsymbols-36.0-59.2

MozillaFirefox-debuginfo-36.0-59.2

MozillaFirefox-debugsource-36.0-59.2

MozillaFirefox-devel-36.0-59.2

MozillaFirefox-translations-common-36.0-59.2

MozillaFirefox-translations-other-36.0-59.2

libfreebl3-3.17.4-52.1

libfreebl3-debuginfo-3.17.4-52.1

libsoftokn3-3.17.4-52.1

libsoftokn3-debuginfo-3.17.4-52.1

mozilla-nss-3.17.4-52.1

mozilla-nss-certs-3.17.4-52.1

mozilla-nss-certs-debuginfo-3.17.4-52.1

mozilla-nss-debuginfo-3.17.4-52.1

mozilla-nss-debugsource-3.17.4-52.1

mozilla-nss-devel-3.17.4-52.1

mozilla-nss-sysinit-3.17.4-52.1

mozilla-nss-sysinit-debuginfo-3.17.4-52.1

mozilla-nss-tools-3.17.4-52.1

mozilla-nss-tools-debuginfo-3.17.4-52.1

 

- openSUSE 13.1 (x86_64):

 

libfreebl3-32bit-3.17.4-52.1

libfreebl3-debuginfo-32bit-3.17.4-52.1

libsoftokn3-32bit-3.17.4-52.1

libsoftokn3-debuginfo-32bit-3.17.4-52.1

mozilla-nss-32bit-3.17.4-52.1

mozilla-nss-certs-32bit-3.17.4-52.1

mozilla-nss-certs-debuginfo-32bit-3.17.4-52.1

mozilla-nss-debuginfo-32bit-3.17.4-52.1

mozilla-nss-sysinit-32bit-3.17.4-52.1

mozilla-nss-sysinit-debuginfo-32bit-3.17.4-52.1
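
To confirm the update took effect, the following added example (not part of the openSUSE announcement) compares installed package versions against the fixed versions listed above for openSUSE 13.2. The function names and the sample input are constructed for illustration, and GNU `sort -V` stands in for rpm's own version comparison as an approximation.

```shell
#!/bin/sh
# Fixed versions for openSUSE 13.2, copied from the package list above.
# (For openSUSE 13.1 the releases differ: 36.0-59.2 and 3.17.4-52.1.)
FIXED_13_2='MozillaFirefox 36.0-14.2
mozilla-nss 3.17.4-9.1
mozilla-nss-certs 3.17.4-9.1
libfreebl3 3.17.4-9.1
libsoftokn3 3.17.4-9.1'

# version_lt A B: succeeds if A sorts strictly before B under `sort -V`.
# Assumption: this approximates rpm's ordering; it is not rpm's algorithm.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_packages: reads "name version-release" lines on stdin and prints
# one line for every package still below the advisory's fixed version.
outdated_packages() {
    while read -r name installed; do
        [ -n "$name" ] || continue
        fixed=$(printf '%s\n' "$FIXED_13_2" |
                awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue   # package not covered by this advisory
        if version_lt "$installed" "$fixed"; then
            printf '%s %s < %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# Constructed sample input (not taken from a real system).
SAMPLE='MozillaFirefox 35.0.1-10.1
mozilla-nss 3.17.4-9.1
libfreebl3 3.17.3-8.1
bash 4.2-75.2.1'

# On a real host, feed the function from rpm instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | outdated_packages
printf '%s\n' "$SAMPLE" | outdated_packages
```

An empty result means every covered package is at or above the fixed version.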

 

 

References:

 

http://support.novell.com/security/cve/CVE-2014-1569.html

http://support.novell.com/security/cve/CVE-2015-0819.html

http://support.novell.com/security/cve/CVE-2015-0820.html

http://support.novell.com/security/cve/CVE-2015-0821.html

http://support.novell.com/security/cve/CVE-2015-0822.html

http://support.novell.com/security/cve/CVE-2015-0823.html

http://support.novell.com/security/cve/CVE-2015-0824.html

http://support.novell.com/security/cve/CVE-2015-0825.html

http://support.novell.com/security/cve/CVE-2015-0826.html

http://support.novell.com/security/cve/CVE-2015-0827.html

http://support.novell.com/security/cve/CVE-2015-0828.html

http://support.novell.com/security/cve/CVE-2015-0829.html

http://support.novell.com/security/cve/CVE-2015-0830.html

http://support.novell.com/security/cve/CVE-2015-0831.html

http://support.novell.com/security/cve/CVE-2015-0832.html

http://support.novell.com/security/cve/CVE-2015-0834.html

http://support.novell.com/security/cve/CVE-2015-0835.html

http://support.novell.com/security/cve/CVE-2015-0836.html

https://bugzilla.suse.com/910647

https://bugzilla.suse.com/917597

 
