
[security-announce] openSUSE-SU-2017:0358-1: important: Security update for MozillaFirefox


openSUSE Security Update: Security update for MozillaFirefox

______________________________________________________________________________

 

Announcement ID: openSUSE-SU-2017:0358-1

Rating: important

References: #1017174 #1021814 #1021817 #1021818 #1021819
            #1021820 #1021821 #1021822 #1021823 #1021824
            #1021826 #1021827 #1021828 #1021830 #1021831
            #1021832 #1021833 #1021835 #1021837 #1021839
            #1021840 #1021841

Cross-References: CVE-2017-5373 CVE-2017-5374 CVE-2017-5375
                  CVE-2017-5376 CVE-2017-5377 CVE-2017-5378
                  CVE-2017-5379 CVE-2017-5380 CVE-2017-5381
                  CVE-2017-5382 CVE-2017-5383 CVE-2017-5384
                  CVE-2017-5385 CVE-2017-5386 CVE-2017-5387
                  CVE-2017-5388 CVE-2017-5389 CVE-2017-5390
                  CVE-2017-5391 CVE-2017-5392 CVE-2017-5393
                  CVE-2017-5394 CVE-2017-5395 CVE-2017-5396

 

Affected Products:

openSUSE Leap 42.2

openSUSE Leap 42.1

______________________________________________________________________________

 

An update that fixes 24 vulnerabilities is now available.

 

Description:

 

This update for MozillaFirefox to version 51.0.1 fixes security issues and bugs.

 

These security issues were fixed:

 

* CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814)
* CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
* CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826)
* CVE-2017-5378: Pointer and frame data leakage of Javascript objects (bmo#1312001, bmo#1330769, boo#1021818)
* CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198, boo#1021827)
* CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819)
* CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820)
* CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828)
* CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821)
* CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830)
* CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831)
* CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822)
* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832)
* CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833)
* CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823)
* CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835)
* CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837)
* CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839)
* CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840)
* CVE-2017-5374: Memory safety bugs (boo#1021841)
* CVE-2017-5373: Memory safety bugs (boo#1021824)

 

These non-security issues in MozillaFirefox were fixed:

 

* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without 'submit' events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not at default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* Improve recognition of LANGUAGE env variable (boo#1017174)
* Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)

 

 

Patch Instructions:

 

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- openSUSE Leap 42.2:

 

zypper in -t patch openSUSE-2017-187=1

 

- openSUSE Leap 42.1:

 

zypper in -t patch openSUSE-2017-187=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- openSUSE Leap 42.2 (i586 x86_64):

 

MozillaFirefox-51.0.1-50.2

MozillaFirefox-branding-upstream-51.0.1-50.2

MozillaFirefox-buildsymbols-51.0.1-50.2

MozillaFirefox-debuginfo-51.0.1-50.2

MozillaFirefox-debugsource-51.0.1-50.2

MozillaFirefox-devel-51.0.1-50.2

MozillaFirefox-translations-common-51.0.1-50.2

MozillaFirefox-translations-other-51.0.1-50.2

 

- openSUSE Leap 42.1 (x86_64):

 

MozillaFirefox-51.0.1-50.2

MozillaFirefox-branding-upstream-51.0.1-50.2

MozillaFirefox-buildsymbols-51.0.1-50.2

MozillaFirefox-debuginfo-51.0.1-50.2

MozillaFirefox-debugsource-51.0.1-50.2

MozillaFirefox-devel-51.0.1-50.2

MozillaFirefox-translations-common-51.0.1-50.2

MozillaFirefox-translations-other-51.0.1-50.2
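
To confirm that a host actually carries the fixed build after patching, the following added example (not part of the original announcement) flags any MozillaFirefox package older than the 51.0.1-50.2 build listed above. The function names are hypothetical, the sample inventory lines are constructed, and GNU `sort -V` is used as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Added example: audit MozillaFirefox packages against the fixed build.
FIXED_EVR="51.0.1-50.2"   # version-release taken from the advisory's package list

# evr_ge A B: succeed when A >= B.
# Assumption: GNU `sort -V` ordering stands in for rpm's version comparison.
evr_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_firefox: read "name version-release" lines on stdin, print every
# MozillaFirefox package still below FIXED_EVR, return 1 if any was found.
audit_firefox() {
    rc=0
    while read -r name evr; do
        case "$name" in
            MozillaFirefox|MozillaFirefox-*) ;;
            *) continue ;;               # ignore unrelated packages
        esac
        if ! evr_ge "$evr" "$FIXED_EVR"; then
            printf 'VULNERABLE %s %s (need >= %s)\n' "$name" "$evr" "$FIXED_EVR"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not real host data). On a live system, feed:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'MozillaFirefox*'
SAMPLE='MozillaFirefox 50.1.0-3.1
MozillaFirefox-translations-common 50.1.0-3.1
MozillaFirefox-branding-upstream 51.0.1-50.2
bash 4.3-78.39'

printf '%s\n' "$SAMPLE" | audit_firefox || echo "update required: zypper in -t patch openSUSE-2017-187=1"
```
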

 

 

References:

 

https://www.suse.com/security/cve/CVE-2017-5373.html

https://www.suse.com/security/cve/CVE-2017-5374.html

https://www.suse.com/security/cve/CVE-2017-5375.html

https://www.suse.com/security/cve/CVE-2017-5376.html

https://www.suse.com/security/cve/CVE-2017-5377.html

https://www.suse.com/security/cve/CVE-2017-5378.html

https://www.suse.com/security/cve/CVE-2017-5379.html

https://www.suse.com/security/cve/CVE-2017-5380.html

https://www.suse.com/security/cve/CVE-2017-5381.html

https://www.suse.com/security/cve/CVE-2017-5382.html

https://www.suse.com/security/cve/CVE-2017-5383.html

https://www.suse.com/security/cve/CVE-2017-5384.html

https://www.suse.com/security/cve/CVE-2017-5385.html

https://www.suse.com/security/cve/CVE-2017-5386.html

https://www.suse.com/security/cve/CVE-2017-5387.html

https://www.suse.com/security/cve/CVE-2017-5388.html

https://www.suse.com/security/cve/CVE-2017-5389.html

https://www.suse.com/security/cve/CVE-2017-5390.html

https://www.suse.com/security/cve/CVE-2017-5391.html

https://www.suse.com/security/cve/CVE-2017-5392.html

https://www.suse.com/security/cve/CVE-2017-5393.html

https://www.suse.com/security/cve/CVE-2017-5394.html

https://www.suse.com/security/cve/CVE-2017-5395.html

https://www.suse.com/security/cve/CVE-2017-5396.html

https://bugzilla.suse.com/1017174

https://bugzilla.suse.com/1021814

https://bugzilla.suse.com/1021817

https://bugzilla.suse.com/1021818

https://bugzilla.suse.com/1021819

https://bugzilla.suse.com/1021820

https://bugzilla.suse.com/1021821

https://bugzilla.suse.com/1021822

https://bugzilla.suse.com/1021823

https://bugzilla.suse.com/1021824

https://bugzilla.suse.com/1021826

https://bugzilla.suse.com/1021827

https://bugzilla.suse.com/1021828

https://bugzilla.suse.com/1021830

https://bugzilla.suse.com/1021831

https://bugzilla.suse.com/1021832

https://bugzilla.suse.com/1021833

https://bugzilla.suse.com/1021835

https://bugzilla.suse.com/1021837

https://bugzilla.suse.com/1021839

https://bugzilla.suse.com/1021840

https://bugzilla.suse.com/1021841

 
