Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] openSUSE-SU-2016:0731-1: important: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss

Recommended Posts

openSUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2016:0731-1

Rating: important

References: #969894

Cross-References: CVE-2016-1950 CVE-2016-1952 CVE-2016-1953

CVE-2016-1954 CVE-2016-1955 CVE-2016-1956

CVE-2016-1957 CVE-2016-1958 CVE-2016-1959

CVE-2016-1960 CVE-2016-1961 CVE-2016-1962

CVE-2016-1963 CVE-2016-1964 CVE-2016-1965

CVE-2016-1966 CVE-2016-1967 CVE-2016-1968

CVE-2016-1970 CVE-2016-1971 CVE-2016-1972

CVE-2016-1973 CVE-2016-1974 CVE-2016-1975

CVE-2016-1976 CVE-2016-1977 CVE-2016-1979

CVE-2016-2790 CVE-2016-2791 CVE-2016-2792

CVE-2016-2793 CVE-2016-2794 CVE-2016-2795

CVE-2016-2796 CVE-2016-2797 CVE-2016-2798

CVE-2016-2799 CVE-2016-2800 CVE-2016-2801

CVE-2016-2802

Affected Products:

openSUSE Leap 42.1

openSUSE 13.2

______________________________________________________________________________

 

An update that fixes 40 vulnerabilities is now available.

 

Description:

 

 

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the

following issues:

 

MozillaFirefox was updated to Firefox 45.0 (boo#969894)

* requires NSPR 4.12 / NSS 3.21.1

* Instant browser tab sharing through Hello

* Synced Tabs button in button bar

* Tabs synced via Firefox Accounts from other devices are now shown in

dropdown area of Awesome Bar when searching

* Introduce a new preference (network.dns.blockDotOnion) to allow blocking

.onion at the DNS level

* Tab Groups (Panorama) feature removed

* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety

hazards

* MFSA 2016-17/CVE-2016-1954 (bmo#1243178) Local file overwriting and

potential privilege escalation through CSP reports

* MFSA 2016-18/CVE-2016-1955 (bmo#1208946) CSP reports fail to strip

location information for embedded iframe pages

* MFSA 2016-19/CVE-2016-1956 (bmo#1199923) Linux video memory DOS with

Intel drivers

* MFSA 2016-20/CVE-2016-1957 (bmo#1227052) Memory leak in libstagefright

when deleting an array during MP4 processing

* MFSA 2016-21/CVE-2016-1958 (bmo#1228754) Displayed page address can be

overridden

* MFSA 2016-22/CVE-2016-1959 (bmo#1234949) Service Worker Manager

out-of-bounds read in Service Worker Manager

* MFSA 2016-23/CVE-2016-1960/ZDI-CAN-3545 (bmo#1246014) Use-after-free in

HTML5 string parser

* MFSA 2016-24/CVE-2016-1961/ZDI-CAN-3574 (bmo#1249377) Use-after-free in

SetBody

* MFSA 2016-25/CVE-2016-1962 (bmo#1240760) Use-after-free when using

multiple WebRTC data channels

* MFSA 2016-26/CVE-2016-1963 (bmo#1238440) Memory corruption when

modifying a file being read by FileReader

* MFSA 2016-27/CVE-2016-1964 (bmo#1243335) Use-after-free during XML

transformations

* MFSA 2016-28/CVE-2016-1965 (bmo#1245264) Addressbar spoofing though

history navigation and Location protocol property

* MFSA 2016-29/CVE-2016-1967 (bmo#1246956) Same-origin policy violation

using perfomance.getEntries and history navigation with session restore

* MFSA 2016-30/CVE-2016-1968 (bmo#1246742) Buffer overflow in Brotli

decompression

* MFSA 2016-31/CVE-2016-1966 (bmo#1246054) Memory corruption with

malicious NPAPI plugin

* MFSA 2016-32/CVE-2016-1970/CVE-2016-1971/CVE-2016-1975/

CVE-2016-1976/CVE-2016-1972 WebRTC and LibVPX vulnerabilities found

through code inspection

* MFSA 2016-33/CVE-2016-1973 (bmo#1219339) Use-after-free in

GetStaticInstance in WebRTC

* MFSA 2016-34/CVE-2016-1974 (bmo#1228103) Out-of-bounds read in HTML

parser following a failed allocation

* MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1

decoding in NSS (fixed by requiring 3.21.1)

* MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during

processing of DER encoded keys in NSS (fixed by requiring 3.21.1)

* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/

CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/

CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/

CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the

Graphite 2 library

 

mozilla-nspr was updated to version 4.12

* added a PR_GetEnvSecure function, which attempts to detect if the

program is being executed with elevated privileges, and returns NULL if

detected. It is recommended to use this function in general purpose

library code.

* fixed a memory allocation bug related to the PR_*printf functions

* exported API PR_DuplicateEnvironment, which had already been added in

NSPR 4.10.9

* added support for FreeBSD aarch64

* several minor correctness and compatibility fixes

 

mozilla-nss was updated to NSS 3.21.1 (bmo#969894)

* required for Firefox 45.0

* MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1

decoding in NSS (fixed by requiring 3.21.1)

* MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during

processing of DER encoded keys in NSS (fixed by requiring 3.21.1)

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE Leap 42.1:

 

zypper in -t patch openSUSE-2016-332=1

 

- openSUSE 13.2:

 

zypper in -t patch openSUSE-2016-332=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE Leap 42.1 (i586 x86_64):

 

MozillaFirefox-45.0-18.1

MozillaFirefox-branding-upstream-45.0-18.1

MozillaFirefox-buildsymbols-45.0-18.1

MozillaFirefox-debuginfo-45.0-18.1

MozillaFirefox-debugsource-45.0-18.1

MozillaFirefox-devel-45.0-18.1

MozillaFirefox-translations-common-45.0-18.1

MozillaFirefox-translations-other-45.0-18.1

libfreebl3-3.21.1-12.1

libfreebl3-debuginfo-3.21.1-12.1

libsoftokn3-3.21.1-12.1

libsoftokn3-debuginfo-3.21.1-12.1

mozilla-nspr-4.12-10.1

mozilla-nspr-debuginfo-4.12-10.1

mozilla-nspr-debugsource-4.12-10.1

mozilla-nspr-devel-4.12-10.1

mozilla-nss-3.21.1-12.1

mozilla-nss-certs-3.21.1-12.1

mozilla-nss-certs-debuginfo-3.21.1-12.1

mozilla-nss-debuginfo-3.21.1-12.1

mozilla-nss-debugsource-3.21.1-12.1

mozilla-nss-devel-3.21.1-12.1

mozilla-nss-sysinit-3.21.1-12.1

mozilla-nss-sysinit-debuginfo-3.21.1-12.1

mozilla-nss-tools-3.21.1-12.1

mozilla-nss-tools-debuginfo-3.21.1-12.1

 

- openSUSE Leap 42.1 (x86_64):

 

libfreebl3-32bit-3.21.1-12.1

libfreebl3-debuginfo-32bit-3.21.1-12.1

libsoftokn3-32bit-3.21.1-12.1

libsoftokn3-debuginfo-32bit-3.21.1-12.1

mozilla-nspr-32bit-4.12-10.1

mozilla-nspr-debuginfo-32bit-4.12-10.1

mozilla-nss-32bit-3.21.1-12.1

mozilla-nss-certs-32bit-3.21.1-12.1

mozilla-nss-certs-debuginfo-32bit-3.21.1-12.1

mozilla-nss-debuginfo-32bit-3.21.1-12.1

mozilla-nss-sysinit-32bit-3.21.1-12.1

mozilla-nss-sysinit-debuginfo-32bit-3.21.1-12.1

 

- openSUSE 13.2 (i586 x86_64):

 

MozillaFirefox-45.0-65.1

MozillaFirefox-branding-upstream-45.0-65.1

MozillaFirefox-buildsymbols-45.0-65.1

MozillaFirefox-debuginfo-45.0-65.1

MozillaFirefox-debugsource-45.0-65.1

MozillaFirefox-devel-45.0-65.1

MozillaFirefox-translations-common-45.0-65.1

MozillaFirefox-translations-other-45.0-65.1

libfreebl3-3.21.1-28.1

libfreebl3-debuginfo-3.21.1-28.1

libsoftokn3-3.21.1-28.1

libsoftokn3-debuginfo-3.21.1-28.1

mozilla-nspr-4.12-15.1

mozilla-nspr-debuginfo-4.12-15.1

mozilla-nspr-debugsource-4.12-15.1

mozilla-nspr-devel-4.12-15.1

mozilla-nss-3.21.1-28.1

mozilla-nss-certs-3.21.1-28.1

mozilla-nss-certs-debuginfo-3.21.1-28.1

mozilla-nss-debuginfo-3.21.1-28.1

mozilla-nss-debugsource-3.21.1-28.1

mozilla-nss-devel-3.21.1-28.1

mozilla-nss-sysinit-3.21.1-28.1

mozilla-nss-sysinit-debuginfo-3.21.1-28.1

mozilla-nss-tools-3.21.1-28.1

mozilla-nss-tools-debuginfo-3.21.1-28.1

 

- openSUSE 13.2 (x86_64):

 

libfreebl3-32bit-3.21.1-28.1

libfreebl3-debuginfo-32bit-3.21.1-28.1

libsoftokn3-32bit-3.21.1-28.1

libsoftokn3-debuginfo-32bit-3.21.1-28.1

mozilla-nspr-32bit-4.12-15.1

mozilla-nspr-debuginfo-32bit-4.12-15.1

mozilla-nss-32bit-3.21.1-28.1

mozilla-nss-certs-32bit-3.21.1-28.1

mozilla-nss-certs-debuginfo-32bit-3.21.1-28.1

mozilla-nss-debuginfo-32bit-3.21.1-28.1

mozilla-nss-sysinit-32bit-3.21.1-28.1

mozilla-nss-sysinit-debuginfo-32bit-3.21.1-28.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2016-1950.html

https://www.suse.com/security/cve/CVE-2016-1952.html

https://www.suse.com/security/cve/CVE-2016-1953.html

https://www.suse.com/security/cve/CVE-2016-1954.html

https://www.suse.com/security/cve/CVE-2016-1955.html

https://www.suse.com/security/cve/CVE-2016-1956.html

https://www.suse.com/security/cve/CVE-2016-1957.html

https://www.suse.com/security/cve/CVE-2016-1958.html

https://www.suse.com/security/cve/CVE-2016-1959.html

https://www.suse.com/security/cve/CVE-2016-1960.html

https://www.suse.com/security/cve/CVE-2016-1961.html

https://www.suse.com/security/cve/CVE-2016-1962.html

https://www.suse.com/security/cve/CVE-2016-1963.html

https://www.suse.com/security/cve/CVE-2016-1964.html

https://www.suse.com/security/cve/CVE-2016-1965.html

https://www.suse.com/security/cve/CVE-2016-1966.html

https://www.suse.com/security/cve/CVE-2016-1967.html

https://www.suse.com/security/cve/CVE-2016-1968.html

https://www.suse.com/security/cve/CVE-2016-1970.html

https://www.suse.com/security/cve/CVE-2016-1971.html

https://www.suse.com/security/cve/CVE-2016-1972.html

https://www.suse.com/security/cve/CVE-2016-1973.html

https://www.suse.com/security/cve/CVE-2016-1974.html

https://www.suse.com/security/cve/CVE-2016-1975.html

https://www.suse.com/security/cve/CVE-2016-1976.html

https://www.suse.com/security/cve/CVE-2016-1977.html

https://www.suse.com/security/cve/CVE-2016-1979.html

https://www.suse.com/security/cve/CVE-2016-2790.html

https://www.suse.com/security/cve/CVE-2016-2791.html

https://www.suse.com/security/cve/CVE-2016-2792.html

https://www.suse.com/security/cve/CVE-2016-2793.html

https://www.suse.com/security/cve/CVE-2016-2794.html

https://www.suse.com/security/cve/CVE-2016-2795.html

https://www.suse.com/security/cve/CVE-2016-2796.html

https://www.suse.com/security/cve/CVE-2016-2797.html

https://www.suse.com/security/cve/CVE-2016-2798.html

https://www.suse.com/security/cve/CVE-2016-2799.html

https://www.suse.com/security/cve/CVE-2016-2800.html

https://www.suse.com/security/cve/CVE-2016-2801.html

https://www.suse.com/security/cve/CVE-2016-2802.html

https://bugzilla.suse.com/969894

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×