[security-announce] openSUSE-SU-2015:1389-1: important: Security update for MozillaFirefox


openSUSE Security Update: Security update for MozillaFirefox

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2015:1389-1

Rating: important

References: #940806 #940918

Cross-References: CVE-2015-4473 CVE-2015-4474 CVE-2015-4475
                  CVE-2015-4477 CVE-2015-4478 CVE-2015-4479
                  CVE-2015-4480 CVE-2015-4481 CVE-2015-4482
                  CVE-2015-4483 CVE-2015-4484 CVE-2015-4485
                  CVE-2015-4486 CVE-2015-4487 CVE-2015-4488
                  CVE-2015-4489 CVE-2015-4490 CVE-2015-4491
                  CVE-2015-4492 CVE-2015-4493 CVE-2015-4495

 

Affected Products:

openSUSE 13.2

______________________________________________________________________________

 

An update that fixes 21 vulnerabilities is now available.

 

Description:

 

 

- update to Firefox 40.0 (bnc#940806)
  * Added protection against unwanted software downloads
  * Suggested Tiles show sites of interest, based on categories from your recent browsing history
  * Hello allows adding a link to conversations to provide context on what the conversation will be about
  * New style for add-on manager based on the in-content preferences style
  * Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)
  * Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked

  security fixes:

  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards
  * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file
  * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback
  * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright
  * MFSA 2015-84/CVE-2015-4481 (bmo#1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)
  * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)
  * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections
  * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection
  * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
  * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers

- added mozilla-no-stdcxx-check.patch
- removed obsolete patches
  * mozilla-add-glibcxx_use_cxx11_abi.patch
  * firefox-multilocale-chrome.patch
- rebased patches
- requires version 40 of the branding package
- removed browser/searchplugins/ location as it's not valid anymore

- includes security update to Firefox 39.0.3 (bnc#940918)
  * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE 13.2:

 

zypper in -t patch openSUSE-2015-548=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE 13.2 (i586 x86_64):

 

MozillaFirefox-40.0-38.1

MozillaFirefox-branding-openSUSE-40-4.3.1

MozillaFirefox-branding-upstream-40.0-38.1

MozillaFirefox-buildsymbols-40.0-38.1

MozillaFirefox-debuginfo-40.0-38.1

MozillaFirefox-debugsource-40.0-38.1

MozillaFirefox-devel-40.0-38.1

MozillaFirefox-translations-common-40.0-38.1

MozillaFirefox-translations-other-40.0-38.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-4473.html

https://www.suse.com/security/cve/CVE-2015-4474.html

https://www.suse.com/security/cve/CVE-2015-4475.html

https://www.suse.com/security/cve/CVE-2015-4477.html

https://www.suse.com/security/cve/CVE-2015-4478.html

https://www.suse.com/security/cve/CVE-2015-4479.html

https://www.suse.com/security/cve/CVE-2015-4480.html

https://www.suse.com/security/cve/CVE-2015-4481.html

https://www.suse.com/security/cve/CVE-2015-4482.html

https://www.suse.com/security/cve/CVE-2015-4483.html

https://www.suse.com/security/cve/CVE-2015-4484.html

https://www.suse.com/security/cve/CVE-2015-4485.html

https://www.suse.com/security/cve/CVE-2015-4486.html

https://www.suse.com/security/cve/CVE-2015-4487.html

https://www.suse.com/security/cve/CVE-2015-4488.html

https://www.suse.com/security/cve/CVE-2015-4489.html

https://www.suse.com/security/cve/CVE-2015-4490.html

https://www.suse.com/security/cve/CVE-2015-4491.html

https://www.suse.com/security/cve/CVE-2015-4492.html

https://www.suse.com/security/cve/CVE-2015-4493.html

https://www.suse.com/security/cve/CVE-2015-4495.html

https://bugzilla.suse.com/940806

https://bugzilla.suse.com/940918

 
