
[security-announce] openSUSE-SU-2017:1620-1: important: Security update for Mozilla based packages


openSUSE Security Update: Security update for Mozilla based packages
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1620-1
Rating:             important
References:         #1040105 #1043960
Cross-References:   CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
                    CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7755
                    CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7760
                    CVE-2017-7761 CVE-2017-7764 CVE-2017-7765 CVE-2017-7766
                    CVE-2017-7767 CVE-2017-7768 CVE-2017-7771 CVE-2017-7772
                    CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776
                    CVE-2017-7777 CVE-2017-7778
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes 26 vulnerabilities is now available.

 

Description:

This update for Mozilla Firefox, Thunderbird, and NSS fixes the following
issues:

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16:

* CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when
  regenerating trees
* CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558) Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547) Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo
  object
* CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox
  Installer with same directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging
  XHR header errors
* CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773,
  CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777
  Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation
  via callback parameter in Mozilla Windows Updater and Maintenance
  Service (Windows only)
* CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation
  through Mozilla Maintenance Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian
  Syllabics and other unicode blocks
* CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving
  executable files (Windows only)
* CVE-2017-7766 (bmo#1342742) File execution and privilege escalation
  through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance
  Service (Windows only)
* CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file
  overwrites through Mozilla Windows Updater and Mozilla Maintenance
  Service (Windows only)
* CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla
  Maintenance Service (Windows only)
* CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

- remove -fno-inline-small-functions and explicitly optimize with -O2 for
  openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5:

* Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok
  Sertifikasi - Surum 1. (bmo#1350859)
* March 2017 batch of root CA changes (bmo#1350859) (version 2.14)
  CA certificates removed:
    O = Japanese Government, OU = ApplicationCA
    CN = WellsSecure Public Root Certificate Authority
    CN = TURKTRUST Elektronik Sertifika Hizmet H6
    CN = Microsec e-Szigno Root CA
  CA certificates added:
    CN = D-TRUST Root CA 3 2013
    CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

java-1_8_0-openjdk was rebuilt against NSS 3.28.5 to satisfy a runtime
dependency.

 

 

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

  zypper in -t patch openSUSE-2017-712=1

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

- openSUSE Leap 42.2 (i586 x86_64):

  MozillaFirefox-52.2-57.12.2
  MozillaFirefox-branding-upstream-52.2-57.12.2
  MozillaFirefox-buildsymbols-52.2-57.12.2
  MozillaFirefox-debuginfo-52.2-57.12.2
  MozillaFirefox-debugsource-52.2-57.12.2
  MozillaFirefox-devel-52.2-57.12.2
  MozillaFirefox-translations-common-52.2-57.12.2
  MozillaFirefox-translations-other-52.2-57.12.2
  MozillaThunderbird-52.2-41.9.2
  MozillaThunderbird-buildsymbols-52.2-41.9.2
  MozillaThunderbird-debuginfo-52.2-41.9.2
  MozillaThunderbird-debugsource-52.2-41.9.2
  MozillaThunderbird-devel-52.2-41.9.2
  MozillaThunderbird-translations-common-52.2-41.9.2
  MozillaThunderbird-translations-other-52.2-41.9.2
  java-1_8_0-openjdk-1.8.0.131-10.10.3
  java-1_8_0-openjdk-accessibility-1.8.0.131-10.10.3
  java-1_8_0-openjdk-debuginfo-1.8.0.131-10.10.3
  java-1_8_0-openjdk-debugsource-1.8.0.131-10.10.3
  java-1_8_0-openjdk-demo-1.8.0.131-10.10.3
  java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-10.10.3
  java-1_8_0-openjdk-devel-1.8.0.131-10.10.3
  java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-10.10.3
  java-1_8_0-openjdk-headless-1.8.0.131-10.10.3
  java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-10.10.3
  java-1_8_0-openjdk-src-1.8.0.131-10.10.3
  libfreebl3-3.28.5-40.6.1
  libfreebl3-debuginfo-3.28.5-40.6.1
  libsoftokn3-3.28.5-40.6.1
  libsoftokn3-debuginfo-3.28.5-40.6.1
  mozilla-nss-3.28.5-40.6.1
  mozilla-nss-certs-3.28.5-40.6.1
  mozilla-nss-certs-debuginfo-3.28.5-40.6.1
  mozilla-nss-debuginfo-3.28.5-40.6.1
  mozilla-nss-debugsource-3.28.5-40.6.1
  mozilla-nss-devel-3.28.5-40.6.1
  mozilla-nss-sysinit-3.28.5-40.6.1
  mozilla-nss-sysinit-debuginfo-3.28.5-40.6.1
  mozilla-nss-tools-3.28.5-40.6.1
  mozilla-nss-tools-debuginfo-3.28.5-40.6.1

- openSUSE Leap 42.2 (noarch):

  java-1_8_0-openjdk-javadoc-1.8.0.131-10.10.3

- openSUSE Leap 42.2 (x86_64):

  libfreebl3-32bit-3.28.5-40.6.1
  libfreebl3-debuginfo-32bit-3.28.5-40.6.1
  libsoftokn3-32bit-3.28.5-40.6.1
  libsoftokn3-debuginfo-32bit-3.28.5-40.6.1
  mozilla-nss-32bit-3.28.5-40.6.1
  mozilla-nss-certs-32bit-3.28.5-40.6.1
  mozilla-nss-certs-debuginfo-32bit-3.28.5-40.6.1
  mozilla-nss-debuginfo-32bit-3.28.5-40.6.1
  mozilla-nss-sysinit-32bit-3.28.5-40.6.1
  mozilla-nss-sysinit-debuginfo-32bit-3.28.5-40.6.1
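As an added check that is not part of the advisory or of openSUSE's tooling: a POSIX shell script that compares a host's installed "name version-release" pairs against the fixed builds in the package list above, so an administrator can confirm the update actually landed (or find hosts still running the vulnerable builds) instead of trusting that "zypper patch" ran. The `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` query is real rpm syntax; the inventory embedded below is constructed sample data, and the version comparison is a plain numeric field-by-field compare rather than rpm's own rpmvercmp, an assumption that is fine for the purely numeric versions in this advisory.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: report packages covered by
# openSUSE-SU-2017:1620-1 that are installed below their fixed version-release.
# Version strings are compared numerically field by field (not with rpmvercmp),
# which is sufficient for the purely numeric versions listed in this advisory.

# Fixed "name version-release" pairs taken from the advisory's package list.
FIXED='MozillaFirefox 52.2-57.12.2
MozillaThunderbird 52.2-41.9.2
mozilla-nss 3.28.5-40.6.1
libfreebl3 3.28.5-40.6.1
libsoftokn3 3.28.5-40.6.1
java-1_8_0-openjdk 1.8.0.131-10.10.3'

# Constructed sample of what `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# prints on a host; Firefox and NSS are deliberately left at older builds.
SAMPLE_INVENTORY='MozillaFirefox 52.1-55.3.1
MozillaThunderbird 52.2-41.9.2
mozilla-nss 3.28.4-38.2.1
libfreebl3 3.28.5-40.6.1
libsoftokn3 3.28.5-40.6.1
java-1_8_0-openjdk 1.8.0.131-10.10.3
bash 4.3-83.3.1'

# vercmp A B: prints -1, 0 or 1. Both strings are split on '.' and '-' and the
# numeric fields compared left to right; a missing field counts as 0, so a bare
# "52.2" sorts below "52.2-57.12.2".
vercmp() {
  _a=$(printf '%s\n' "$1" | sed 's/[.-]/ /g')
  _b=$(printf '%s\n' "$2" | sed 's/[.-]/ /g')
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%% *}
    _y=${_b%% *}
    case $_a in *' '*) _a=${_a#* } ;; *) _a='' ;; esac
    case $_b in *' '*) _b=${_b#* } ;; *) _b='' ;; esac
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then printf '%s\n' -1; return 0; fi
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# missing_patches INVENTORY: reads "name version-release" lines and prints,
# space separated, the names of advisory packages installed below the fixed
# build. Packages the advisory does not cover are ignored.
missing_patches() {
  printf '%s\n' "$1" | while read -r _name _inst; do
    _fixed=$(printf '%s\n' "$FIXED" | awk -v n="$_name" '$1 == n { print $2 }')
    if [ -z "$_fixed" ]; then continue; fi
    if [ "$(vercmp "$_inst" "$_fixed")" -lt 0 ]; then printf '%s\n' "$_name"; fi
  done | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run against the constructed inventory. On a real Leap 42.2 host
# pass rpm's output instead:
#   missing_patches "$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n')"
result=$(missing_patches "$SAMPLE_INVENTORY")
if [ -n "$result" ]; then
  printf 'Below fixed version (openSUSE-SU-2017:1620-1): %s\n' "$result"
else
  printf 'All packages covered by openSUSE-SU-2017:1620-1 are current\n'
fi
```

Run against the sample inventory it reports `MozillaFirefox mozilla-nss`; a host that has applied openSUSE-2017-712 reports nothing. Only the base package of each source is checked, which is enough because every subpackage in the list above carries the same version-release as its base package.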

 

 

References:

https://www.suse.com/security/cve/CVE-2017-5470.html
https://www.suse.com/security/cve/CVE-2017-5472.html
https://www.suse.com/security/cve/CVE-2017-7749.html
https://www.suse.com/security/cve/CVE-2017-7750.html
https://www.suse.com/security/cve/CVE-2017-7751.html
https://www.suse.com/security/cve/CVE-2017-7752.html
https://www.suse.com/security/cve/CVE-2017-7754.html
https://www.suse.com/security/cve/CVE-2017-7755.html
https://www.suse.com/security/cve/CVE-2017-7756.html
https://www.suse.com/security/cve/CVE-2017-7757.html
https://www.suse.com/security/cve/CVE-2017-7758.html
https://www.suse.com/security/cve/CVE-2017-7760.html
https://www.suse.com/security/cve/CVE-2017-7761.html
https://www.suse.com/security/cve/CVE-2017-7764.html
https://www.suse.com/security/cve/CVE-2017-7765.html
https://www.suse.com/security/cve/CVE-2017-7766.html
https://www.suse.com/security/cve/CVE-2017-7767.html
https://www.suse.com/security/cve/CVE-2017-7768.html
https://www.suse.com/security/cve/CVE-2017-7771.html
https://www.suse.com/security/cve/CVE-2017-7772.html
https://www.suse.com/security/cve/CVE-2017-7773.html
https://www.suse.com/security/cve/CVE-2017-7774.html
https://www.suse.com/security/cve/CVE-2017-7775.html
https://www.suse.com/security/cve/CVE-2017-7776.html
https://www.suse.com/security/cve/CVE-2017-7777.html
https://www.suse.com/security/cve/CVE-2017-7778.html
https://bugzilla.suse.com/1040105
https://bugzilla.suse.com/1043960

 

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org
For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
