Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] openSUSE-SU-2013:0631-1: important: Mozilla Firefox and others: Update to 20.0/17.0.5 releases

Recommended Posts

openSUSE Security Update: Mozilla Firefox and others: Update to 20.0/17.0.5 releases

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2013:0631-1

Rating: important

References: #813026

Cross-References: CVE-2013-0788 CVE-2013-0789 CVE-2013-0792

CVE-2013-0793 CVE-2013-0794 CVE-2013-0795

CVE-2013-0796 CVE-2013-0800

Affected Products:

openSUSE 11.4

______________________________________________________________________________

 

An update that fixes 8 vulnerabilities is now available.

 

Description:

 

The Mozilla suite received security and bugfix updates:

 

Firefox was updated to version 20.0. Thunderbird was

updated to version 17.0.5. Seamonkey was updated to version

2.17 mozilla-nss was updated to version 3.14.3.

mozilla-nspr was updated to version 4.9.6.

 

mozilla-nspr was updated to version 4.9.6:

* aarch64 support

* added PL_SizeOfArenaPoolExcludingPool function

(bmo#807883)

* Auto detect android api version for x86 (bmo#782214)

* Initialize Windows CRITICAL_SECTIONs without debug info

and with nonzero spin count (bmo#812085) Previous update

to version 4.9.5

* bmo#634793: define NSPR's exact-width integer types

PRInt{N} and PRUint{N} types to match the

exact-width integer types int{N}_t and uint{N}_t.

* bmo#782815: passing 'int *' to parameter of type

'unsigned int *' in setsockopt().

* bmo#822932: Port bmo#802527 (NDK r8b support for x86) to

NSPR.

* bmo#824742: NSPR shouldn't require librt on Android.

* bmo#831793: data race on lib->refCount in

PR_UnloadLibrary.

 

mozilla-nss was updated to version 3.14.3:

* disable tests with expired certificates

* add SEC_PKCS7VerifyDetachedSignatureAtTime using patch

from mozilla tree to fulfill Firefox 21 requirements

 

* No new major functionality is introduced in this release.

This release is a patch release to address CVE-2013-1620

(bmo#822365)

* "certutil -a" was not correctly producing ASCII output as

requested. (bmo#840714)

* NSS 3.14.2 broke compilation with older versions of

sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file

control. NSS 3.14.3 now properly compiles when used with

older versions of sqlite (bmo#837799) - remove

system-sqlite.patch

* add aarch64 support

 

* added system-sqlite.patch (bmo#837799)

* do not depend on latest sqlite just for a #define

* enable system sqlite usage again

 

* update to 3.14.2

* required for Firefox >= 20

* removed obsolete nssckbi update patch

* MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds

array read in CERT_DecodeCertPackage

* disable system sqlite usage since we depend on 3.7.15

which is not provided in any openSUSE distribution

* add nss-sqlitename.patch to avoid any name clash

 

Changes in MozillaFirefox:

- update to Firefox 20.0 (bnc#813026)

* requires NSPR 4.9.5 and NSS 3.14.3

* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous

memory safety hazards

* MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds

write in Cairo library

* MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash

with Mesa graphics driver on Linux

* MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW

protections allows cloning of protected nodes

* MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of

tab-modal dialog origin disclosure

* MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site

scripting (XSS) using timed history navigations

* MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory

corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3

(mozilla-gstreamer-1.patch)

- build fixes for armv7hl:

* disable debug build as armv7hl does not have enough

memory

* disable webrtc on armv7hl as it is non-compiling

 

Changes in MozillaThunderbird:

- update to Thunderbird 17.0.5 (bnc#813026)

* requires NSPR 4.9.5 and NSS 3.14.3

* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous

memory safety hazards

* MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds

write in Cairo library

* MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash

with Mesa graphics driver on Linux

* MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW

protections allows cloning of protected nodes

* MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site

scripting (XSS) using timed history navigations

 

Changes in seamonkey:

- update to SeaMonkey 2.17 (bnc#813026)

* requires NSPR 4.9.5 and NSS 3.14.3

* MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous

memory safety hazards

* MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds

write in Cairo library

* MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash

with Mesa graphics driver on Linux

* MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW

protections allows cloning of protected nodes

* MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of

tab-modal dialog origin disclosure

* MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site

scripting (XSS) using timed history navigations

* MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory

corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3

(mozilla-gstreamer-1.patch)

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 11.4:

 

zypper in -t patch 2013-58

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 11.4 (i586 x86_64):

 

MozillaFirefox-20.0-69.1

MozillaFirefox-branding-upstream-20.0-69.1

MozillaFirefox-buildsymbols-20.0-69.1

MozillaFirefox-debuginfo-20.0-69.1

MozillaFirefox-debugsource-20.0-69.1

MozillaFirefox-devel-20.0-69.1

MozillaFirefox-translations-common-20.0-69.1

MozillaFirefox-translations-other-20.0-69.1

MozillaThunderbird-17.0.5-57.1

MozillaThunderbird-buildsymbols-17.0.5-57.1

MozillaThunderbird-debuginfo-17.0.5-57.1

MozillaThunderbird-debugsource-17.0.5-57.1

MozillaThunderbird-devel-17.0.5-57.1

MozillaThunderbird-devel-debuginfo-17.0.5-57.1

MozillaThunderbird-translations-common-17.0.5-57.1

MozillaThunderbird-translations-other-17.0.5-57.1

enigmail-1.5.1+17.0.5-57.1

enigmail-debuginfo-1.5.1+17.0.5-57.1

libfreebl3-3.14.3-58.1

libfreebl3-debuginfo-3.14.3-58.1

libsoftokn3-3.14.3-58.1

libsoftokn3-debuginfo-3.14.3-58.1

mozilla-nspr-4.9.6-24.1

mozilla-nspr-debuginfo-4.9.6-24.1

mozilla-nspr-debugsource-4.9.6-24.1

mozilla-nspr-devel-4.9.6-24.1

mozilla-nss-3.14.3-58.1

mozilla-nss-certs-3.14.3-58.1

mozilla-nss-certs-debuginfo-3.14.3-58.1

mozilla-nss-debuginfo-3.14.3-58.1

mozilla-nss-debugsource-3.14.3-58.1

mozilla-nss-devel-3.14.3-58.1

mozilla-nss-sysinit-3.14.3-58.1

mozilla-nss-sysinit-debuginfo-3.14.3-58.1

mozilla-nss-tools-3.14.3-58.1

mozilla-nss-tools-debuginfo-3.14.3-58.1

seamonkey-2.17-61.1

seamonkey-debuginfo-2.17-61.1

seamonkey-debugsource-2.17-61.1

seamonkey-dom-inspector-2.17-61.1

seamonkey-irc-2.17-61.1

seamonkey-translations-common-2.17-61.1

seamonkey-translations-other-2.17-61.1

seamonkey-venkman-2.17-61.1

 

- openSUSE 11.4 (x86_64):

 

libfreebl3-32bit-3.14.3-58.1

libfreebl3-debuginfo-32bit-3.14.3-58.1

libsoftokn3-32bit-3.14.3-58.1

libsoftokn3-debuginfo-32bit-3.14.3-58.1

mozilla-nspr-32bit-4.9.6-24.1

mozilla-nspr-debuginfo-32bit-4.9.6-24.1

mozilla-nss-32bit-3.14.3-58.1

mozilla-nss-certs-32bit-3.14.3-58.1

mozilla-nss-certs-debuginfo-32bit-3.14.3-58.1

mozilla-nss-debuginfo-32bit-3.14.3-58.1

mozilla-nss-sysinit-32bit-3.14.3-58.1

mozilla-nss-sysinit-debuginfo-32bit-3.14.3-58.1

 

- openSUSE 11.4 (ia64):

 

libfreebl3-debuginfo-x86-3.14.3-58.1

libfreebl3-x86-3.14.3-58.1

libsoftokn3-debuginfo-x86-3.14.3-58.1

libsoftokn3-x86-3.14.3-58.1

mozilla-nspr-debuginfo-x86-4.9.6-24.1

mozilla-nspr-x86-4.9.6-24.1

mozilla-nss-certs-debuginfo-x86-3.14.3-58.1

mozilla-nss-certs-x86-3.14.3-58.1

mozilla-nss-debuginfo-x86-3.14.3-58.1

mozilla-nss-sysinit-debuginfo-x86-3.14.3-58.1

mozilla-nss-sysinit-x86-3.14.3-58.1

mozilla-nss-x86-3.14.3-58.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2013-0788.html

http://support.novell.com/security/cve/CVE-2013-0789.html

http://support.novell.com/security/cve/CVE-2013-0792.html

http://support.novell.com/security/cve/CVE-2013-0793.html

http://support.novell.com/security/cve/CVE-2013-0794.html

http://support.novell.com/security/cve/CVE-2013-0795.html

http://support.novell.com/security/cve/CVE-2013-0796.html

http://support.novell.com/security/cve/CVE-2013-0800.html

https://bugzilla.novell.com/813026

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×