
[security-announce] openSUSE-SU-2016:2368-1: important: Security update for MozillaFirefox, mozilla-nss


openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:2368-1

Rating: important

References: #999701

Cross-References: CVE-2016-2827 CVE-2016-5256 CVE-2016-5257

CVE-2016-5270 CVE-2016-5271 CVE-2016-5272

CVE-2016-5273 CVE-2016-5274 CVE-2016-5275

CVE-2016-5276 CVE-2016-5277 CVE-2016-5278

CVE-2016-5279 CVE-2016-5280 CVE-2016-5281

CVE-2016-5282 CVE-2016-5283 CVE-2016-5284

 

Affected Products:

openSUSE Leap 42.1

openSUSE 13.2

______________________________________________________________________________

 

An update that fixes 18 vulnerabilities is now available.

 

Description:

 

 

This update for MozillaFirefox and mozilla-nss fixes the following issues:

 

MozillaFirefox was updated to version 49.0 (boo#999701)

- New features

  * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
  * Added features to Reader Mode that make it easier on the eyes and the ears
  * Improved video performance for users on systems that support SSE3 without hardware acceleration
  * Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
  * Improvements in about:memory reports for tracking font memory usage

- Security related fixes

  * MFSA 2016-85:
    - CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy
    - CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
    - CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal
    - CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
    - CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset
    - CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList
    - CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState
    - CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
    - CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
    - CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
    - CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop
    - CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
    - CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
    - CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes
    - CVE-2016-5283 (bmo#928187) - fragment timing attack can reveal cross-origin data
    - CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
    - CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
    - CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4

- requires NSS 3.25

 

- Mozilla Firefox 48.0.2:

* Mitigate a startup crash issue caused on Windows (bmo#1291738)

 

mozilla-nss was updated to NSS 3.25.

New functionality:

* Implemented DHE key agreement for TLS 1.3
* Added support for ChaCha with TLS 1.3
* Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
* In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed.
* Several functions have been added to the public API of the NSS Cryptoki Framework.

New functions:

* NSSCKFWSlot_GetSlotID
* NSSCKFWSession_GetFWSlot
* NSSCKFWInstance_DestroySessionHandle
* NSSCKFWInstance_FindSessionHandle

Notable changes:

* An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
* Regression fix: NSS no longer reports a failure if an application attempts to disable the SSLv2 protocol.
* The list of trusted CA certificates has been updated to version 2.8
* The following CA certificate was removed:
  - Sonera Class1 CA
* The following CA certificates were added:
  - Hellenic Academic and Research Institutions RootCA 2015
  - Hellenic Academic and Research Institutions ECC RootCA 2015
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE Leap 42.1:

 

zypper in -t patch openSUSE-2016-1119=1

 

- openSUSE 13.2:

 

zypper in -t patch openSUSE-2016-1119=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE Leap 42.1 (i586 x86_64):

 

MozillaFirefox-49.0-33.1

MozillaFirefox-branding-upstream-49.0-33.1

MozillaFirefox-buildsymbols-49.0-33.1

MozillaFirefox-debuginfo-49.0-33.1

MozillaFirefox-debugsource-49.0-33.1

MozillaFirefox-devel-49.0-33.1

MozillaFirefox-translations-common-49.0-33.1

MozillaFirefox-translations-other-49.0-33.1

libfreebl3-3.25-29.1

libfreebl3-debuginfo-3.25-29.1

libsoftokn3-3.25-29.1

libsoftokn3-debuginfo-3.25-29.1

mozilla-nss-3.25-29.1

mozilla-nss-certs-3.25-29.1

mozilla-nss-certs-debuginfo-3.25-29.1

mozilla-nss-debuginfo-3.25-29.1

mozilla-nss-debugsource-3.25-29.1

mozilla-nss-devel-3.25-29.1

mozilla-nss-sysinit-3.25-29.1

mozilla-nss-sysinit-debuginfo-3.25-29.1

mozilla-nss-tools-3.25-29.1

mozilla-nss-tools-debuginfo-3.25-29.1

 

- openSUSE Leap 42.1 (x86_64):

 

libfreebl3-32bit-3.25-29.1

libfreebl3-debuginfo-32bit-3.25-29.1

libsoftokn3-32bit-3.25-29.1

libsoftokn3-debuginfo-32bit-3.25-29.1

mozilla-nss-32bit-3.25-29.1

mozilla-nss-certs-32bit-3.25-29.1

mozilla-nss-certs-debuginfo-32bit-3.25-29.1

mozilla-nss-debuginfo-32bit-3.25-29.1

mozilla-nss-sysinit-32bit-3.25-29.1

mozilla-nss-sysinit-debuginfo-32bit-3.25-29.1

 

- openSUSE 13.2 (i586 x86_64):

 

MozillaFirefox-49.0-80.1

MozillaFirefox-branding-upstream-49.0-80.1

MozillaFirefox-buildsymbols-49.0-80.1

MozillaFirefox-debuginfo-49.0-80.1

MozillaFirefox-debugsource-49.0-80.1

MozillaFirefox-devel-49.0-80.1

MozillaFirefox-translations-common-49.0-80.1

MozillaFirefox-translations-other-49.0-80.1

libfreebl3-3.25-46.1

libfreebl3-debuginfo-3.25-46.1

libsoftokn3-3.25-46.1

libsoftokn3-debuginfo-3.25-46.1

mozilla-nss-3.25-46.1

mozilla-nss-certs-3.25-46.1

mozilla-nss-certs-debuginfo-3.25-46.1

mozilla-nss-debuginfo-3.25-46.1

mozilla-nss-debugsource-3.25-46.1

mozilla-nss-devel-3.25-46.1

mozilla-nss-sysinit-3.25-46.1

mozilla-nss-sysinit-debuginfo-3.25-46.1

mozilla-nss-tools-3.25-46.1

mozilla-nss-tools-debuginfo-3.25-46.1

 

- openSUSE 13.2 (x86_64):

 

libfreebl3-32bit-3.25-46.1

libfreebl3-debuginfo-32bit-3.25-46.1

libsoftokn3-32bit-3.25-46.1

libsoftokn3-debuginfo-32bit-3.25-46.1

mozilla-nss-32bit-3.25-46.1

mozilla-nss-certs-32bit-3.25-46.1

mozilla-nss-certs-debuginfo-32bit-3.25-46.1

mozilla-nss-debuginfo-32bit-3.25-46.1

mozilla-nss-sysinit-32bit-3.25-46.1

mozilla-nss-sysinit-debuginfo-32bit-3.25-46.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2016-2827.html

https://www.suse.com/security/cve/CVE-2016-5256.html

https://www.suse.com/security/cve/CVE-2016-5257.html

https://www.suse.com/security/cve/CVE-2016-5270.html

https://www.suse.com/security/cve/CVE-2016-5271.html

https://www.suse.com/security/cve/CVE-2016-5272.html

https://www.suse.com/security/cve/CVE-2016-5273.html

https://www.suse.com/security/cve/CVE-2016-5274.html

https://www.suse.com/security/cve/CVE-2016-5275.html

https://www.suse.com/security/cve/CVE-2016-5276.html

https://www.suse.com/security/cve/CVE-2016-5277.html

https://www.suse.com/security/cve/CVE-2016-5278.html

https://www.suse.com/security/cve/CVE-2016-5279.html

https://www.suse.com/security/cve/CVE-2016-5280.html

https://www.suse.com/security/cve/CVE-2016-5281.html

https://www.suse.com/security/cve/CVE-2016-5282.html

https://www.suse.com/security/cve/CVE-2016-5283.html

https://www.suse.com/security/cve/CVE-2016-5284.html

https://bugzilla.suse.com/999701

 
