You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa Mozilla Firefox

Sigurnosni nedostaci programskog paketa Mozilla Firefox

by ncert - 0
  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0248-1
Rating: important
References: #859055 #861847
Cross-References: CVE-2014-1477 CVE-2014-1479 CVE-2014-1480
CVE-2014-1481 CVE-2014-1482 CVE-2014-1483
CVE-2014-1484 CVE-2014-1485 CVE-2014-1486
CVE-2014-1487 CVE-2014-1488 CVE-2014-1489
CVE-2014-1490 CVE-2014-1491
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.
It includes two new package versions.

Description:

This updates the Mozilla Firefox browser to the 24.3.0ESR
security release. The Mozilla NSS libraries are now on
version 3.15.4.

The following security issues have been fixed:

*

MFSA 2014-01: Memory safety bugs fixed in Firefox ESR
24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)

*

MFSA 2014-02: Using XBL scopes its possible to
steal(clone) native anonymous content
(CVE-2014-1479)(bnc#862348)

*

MFSA 2014-03: Download “open file” dialog delay is
too quick, doesn’t prevent clickjacking (CVE-2014-1480)

*

MFSA 2014-04: Image decoding causing FireFox to crash
with Goo Create (CVE-2014-1482)(bnc#862356)

*

MFSA 2014-05: caretPositionFromPoint and
elementFromPoint leak information about iframe contents via
timing information (CVE-2014-1483)(bnc#862360)

*

MFSA 2014-06: Fennec leaks profile path to logcat
(CVE-2014-1484)

*

MFSA 2014-07: CSP should block XSLT as script, not as
style (CVE-2014-1485)

*

MFSA 2014-08: imgRequestProxy Use-After-Free Remote
Code Execution Vulnerability (CVE-2014-1486)

*

MFSA 2014-09: Cross-origin information disclosure
with error message of Web Workers (CVE-2014-1487)

*

MFSA 2014-10: settings & history ID bug
(CVE-2014-1489)

*

MFSA 2014-11: Firefox reproducibly crashes when using
asm.js code in workers and transferable objects
(CVE-2014-1488)

*

MFSA 2014-12: TOCTOU, potential use-after-free in
libssl’s session ticket processing
(CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH
value (CVE-2014-1491)(bnc#862289)

*

MFSA 2014-13: Inconsistent this value when invoking
getters on window (CVE-2014-1481)(bnc#862309)

Security Issue references:

* CVE-2014-1477
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477
>
* CVE-2014-1479
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479
>
* CVE-2014-1480
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480
>
* CVE-2014-1481
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481
>
* CVE-2014-1482
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482
>
* CVE-2014-1483
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483
>
* CVE-2014-1484
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484
>
* CVE-2014-1485
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485
>
* CVE-2014-1486
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486
>
* CVE-2014-1487
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
>
* CVE-2014-1488
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488
>
* CVE-2014-1489
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489
>
* CVE-2014-1490
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490
>
* CVE-2014-1491
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1491
>

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Software Development Kit 11 SP3:

zypper in -t patch sdksp3-firefox-201402-8879

– SUSE Linux Enterprise Server 11 SP3 for VMware:

zypper in -t patch slessp3-firefox-201402-8879

– SUSE Linux Enterprise Server 11 SP3:

zypper in -t patch slessp3-firefox-201402-8879

– SUSE Linux Enterprise Desktop 11 SP3:

zypper in -t patch sledsp3-firefox-201402-8879

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.15.4]:

MozillaFirefox-devel-24.3.0esr-0.8.1
mozilla-nss-devel-3.15.4-0.7.1

– SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]:

MozillaFirefox-24.3.0esr-0.8.1
MozillaFirefox-translations-24.3.0esr-0.8.1
libfreebl3-3.15.4-0.7.1
libsoftokn3-3.15.4-0.7.1
mozilla-nss-3.15.4-0.7.1
mozilla-nss-tools-3.15.4-0.7.1

– SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.15.4]:

libfreebl3-32bit-3.15.4-0.7.1
libsoftokn3-32bit-3.15.4-0.7.1
mozilla-nss-32bit-3.15.4-0.7.1

– SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.3.0esr and 3.15.4]:

MozillaFirefox-24.3.0esr-0.8.1
MozillaFirefox-branding-SLED-24-0.7.14
MozillaFirefox-translations-24.3.0esr-0.8.1
libfreebl3-3.15.4-0.7.1
libsoftokn3-3.15.4-0.7.1
mozilla-nss-3.15.4-0.7.1
mozilla-nss-tools-3.15.4-0.7.1

– SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.15.4]:

libfreebl3-32bit-3.15.4-0.7.1
libsoftokn3-32bit-3.15.4-0.7.1
mozilla-nss-32bit-3.15.4-0.7.1

– SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.15.4]:

libfreebl3-x86-3.15.4-0.7.1
libsoftokn3-x86-3.15.4-0.7.1
mozilla-nss-x86-3.15.4-0.7.1

– SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]:

MozillaFirefox-24.3.0esr-0.8.1
MozillaFirefox-branding-SLED-24-0.7.14
MozillaFirefox-translations-24.3.0esr-0.8.1
libfreebl3-3.15.4-0.7.1
libsoftokn3-3.15.4-0.7.1
mozilla-nss-3.15.4-0.7.1
mozilla-nss-tools-3.15.4-0.7.1

– SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.15.4]:

libfreebl3-32bit-3.15.4-0.7.1
libsoftokn3-32bit-3.15.4-0.7.1
mozilla-nss-32bit-3.15.4-0.7.1

References:

http://support.novell.com/security/cve/CVE-2014-1477.html
http://support.novell.com/security/cve/CVE-2014-1479.html
http://support.novell.com/security/cve/CVE-2014-1480.html
http://support.novell.com/security/cve/CVE-2014-1481.html
http://support.novell.com/security/cve/CVE-2014-1482.html
http://support.novell.com/security/cve/CVE-2014-1483.html
http://support.novell.com/security/cve/CVE-2014-1484.html
http://support.novell.com/security/cve/CVE-2014-1485.html
http://support.novell.com/security/cve/CVE-2014-1486.html
http://support.novell.com/security/cve/CVE-2014-1487.html
http://support.novell.com/security/cve/CVE-2014-1488.html
http://support.novell.com/security/cve/CVE-2014-1489.html
http://support.novell.com/security/cve/CVE-2014-1490.html
http://support.novell.com/security/cve/CVE-2014-1491.html
https://bugzilla.novell.com/859055
https://bugzilla.novell.com/861847
http://download.novell.com/patch/finder/?keywords=b12f5cfd95ec4eca119a488f5fb07f02


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

AutorMarko Stanec
Cert idNCERT-REF-2014-02-0002-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
Izvorhttp://www.adobe.com/
ncert
Top
More in Preporuke
Izdana nadogradnja programskog paketa chromium

Izdana je nadogradnja programskog paketa chromium za operacijski sustav openSUSE. Izdana nadogradnja ispravlja prethodno otkrivene nedostatke koji potencijalnim napadačima omogućuju...

Close