[security-announce] SUSE-SU-2014:0248-2: important: Security update for Mozilla Firefox

news · February 19, 2014

SUSE Security Update: Security update for Mozilla Firefox

______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0248-2

Rating: important

References: #859055 #861847

Cross-References: CVE-2014-1477 CVE-2014-1479 CVE-2014-1480

CVE-2014-1481 CVE-2014-1482 CVE-2014-1483

CVE-2014-1484 CVE-2014-1485 CVE-2014-1486

CVE-2014-1487 CVE-2014-1488 CVE-2014-1489

CVE-2014-1490 CVE-2014-1491

Affected Products:

SUSE Linux Enterprise Server 11 SP2 LTSS

SUSE Linux Enterprise Server 11 SP1 LTSS

______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

It includes four new package versions.

Description:

Mozilla Firefox was updated to the 24.3.0ESR security

release.

The following security issues have been fixed:

*

MFSA 2014-01: Memory safety bugs fixed in Firefox ESR

24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)

*

MFSA 2014-02: Using XBL scopes its possible to

steal(clone) native anonymous content

(CVE-2014-1479)(bnc#862348)

*

MFSA 2014-03: Download "open file" dialog delay is

too quick, doesn't prevent clickjacking (CVE-2014-1480)

*

MFSA 2014-04: Image decoding causing FireFox to crash

with Goo Create (CVE-2014-1482)(bnc#862356)

*

MFSA 2014-05: caretPositionFromPoint and

elementFromPoint leak information about iframe contents via

timing information (CVE-2014-1483)(bnc#862360)

*

MFSA 2014-06: Fennec leaks profile path to logcat

(CVE-2014-1484)

*

MFSA 2014-07: CSP should block XSLT as script, not as

style (CVE-2014-1485)

*

MFSA 2014-08: imgRequestProxy Use-After-Free Remote

Code Execution Vulnerability (CVE-2014-1486)

*

MFSA 2014-09: Cross-origin information disclosure

with error message of Web Workers (CVE-2014-1487)

*

MFSA 2014-10: settings & history ID bug

(CVE-2014-1489)

*

MFSA 2014-11: Firefox reproducibly crashes when using

asm.js code in workers and transferable objects

(CVE-2014-1488)

*

MFSA 2014-12: TOCTOU, potential use-after-free in

libssl's session ticket processing

(CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH

value (CVE-2014-1491)(bnc#862289)

*

MFSA 2014-13: Inconsistent this value when invoking

getters on window (CVE-2014-1481)(bnc#862309)

Also Mozilla NSS was updated to 3.15.4 release.

* required for Firefox 27

* regular CA root store update (1.96)

* some OSCP improvments

* other bugfixes

Security Issue references:

* CVE-2014-1477

* CVE-2014-1479

* CVE-2014-1480

* CVE-2014-1481

* CVE-2014-1482

* CVE-2014-1483

* CVE-2014-1484

* CVE-2014-1485

* CVE-2014-1486

* CVE-2014-1487

* CVE-2014-1488

* CVE-2014-1489

* CVE-2014-1490

* CVE-2014-1491

Patch Instructions:

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP2 LTSS:

zypper in -t patch slessp2-firefox-201402-8899

- SUSE Linux Enterprise Server 11 SP1 LTSS:

zypper in -t patch slessp1-firefox-201402-8898

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 24.3.0esr,3.15.4 and 4.10.2]:

MozillaFirefox-24.3.0esr-0.4.2.2

MozillaFirefox-branding-SLED-24-0.4.10.4

MozillaFirefox-translations-24.3.0esr-0.4.2.2

firefox-libgcc_s1-4.7.2_20130108-0.16.1

firefox-libstdc++6-4.7.2_20130108-0.16.1

libfreebl3-3.15.4-0.4.2.1

mozilla-nspr-4.10.2-0.3.2

mozilla-nss-3.15.4-0.4.2.1

mozilla-nss-tools-3.15.4-0.4.2.1

- SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.15.4 and 4.10.2]:

libfreebl3-32bit-3.15.4-0.4.2.1

mozilla-nspr-32bit-4.10.2-0.3.2

mozilla-nss-32bit-3.15.4-0.4.2.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 24,24.3.0esr,3.15.4 and 4.10.2]:

MozillaFirefox-24.3.0esr-0.4.2.2

MozillaFirefox-branding-SLED-24-0.4.10.4

MozillaFirefox-translations-24.3.0esr-0.4.2.2

firefox-libgcc_s1-4.7.2_20130108-0.16.1

firefox-libstdc++6-4.7.2_20130108-0.16.1

libfreebl3-3.15.4-0.4.2.1

mozilla-nspr-4.10.2-0.3.2

mozilla-nss-3.15.4-0.4.2.1

mozilla-nss-tools-3.15.4-0.4.2.1

- SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.15.4 and 4.10.2]:

libfreebl3-32bit-3.15.4-0.4.2.1

mozilla-nspr-32bit-4.10.2-0.3.2

mozilla-nss-32bit-3.15.4-0.4.2.1

References:

http://support.novell.com/security/cve/CVE-2014-1477.html

http://support.novell.com/security/cve/CVE-2014-1479.html

http://support.novell.com/security/cve/CVE-2014-1480.html

http://support.novell.com/security/cve/CVE-2014-1481.html

http://support.novell.com/security/cve/CVE-2014-1482.html

http://support.novell.com/security/cve/CVE-2014-1483.html

http://support.novell.com/security/cve/CVE-2014-1484.html

http://support.novell.com/security/cve/CVE-2014-1485.html

http://support.novell.com/security/cve/CVE-2014-1486.html

http://support.novell.com/security/cve/CVE-2014-1487.html

http://support.novell.com/security/cve/CVE-2014-1488.html

http://support.novell.com/security/cve/CVE-2014-1489.html

http://support.novell.com/security/cve/CVE-2014-1490.html

http://support.novell.com/security/cve/CVE-2014-1491.html

https://bugzilla.novell.com/859055

https://bugzilla.novell.com/861847

http://download.novell.com/patch/finder/?keywords=30bede649a43f15d0ae5fd4070619ffe

http://download.novell.com/patch/finder/?keywords=aba5ed8a4574a80ca797b2dbd204522e

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

Sign In

[security-announce] SUSE-SU-2014:0248-2: important: Security update for Mozilla Firefox

Recommended Posts

news 28

Share this post

Link to post

Please sign in to comment

Browse

Activity