- Detalji os-a: LSU
- Važnost: IMP
- Operativni sustavi: L
- Kategorije: LSU
openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0404-1
Rating: important
References: #910647 #917597
Cross-References: CVE-2014-1569 CVE-2015-0819 CVE-2015-0820
CVE-2015-0821 CVE-2015-0822 CVE-2015-0823
CVE-2015-0824 CVE-2015-0825 CVE-2015-0826
CVE-2015-0827 CVE-2015-0828 CVE-2015-0829
CVE-2015-0830 CVE-2015-0831 CVE-2015-0832
CVE-2015-0834 CVE-2015-0835 CVE-2015-0836
Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________
An update that fixes 18 vulnerabilities is now available.
Description:
MozillaFirefox, mozilla-nss were updated to fix 18 security issues.
MozillaFirefox was updated to version 36.0. These security issues were
fixed:
– CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards
– CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS
protections
– CVE-2015-0830: Malicious WebGL content crash when writing strings
– CVE-2015-0834: TLS TURN and STUN connections silently fail to simple TCP
connections
– CVE-2015-0831: Use-after-free in IndexedDB
– CVE-2015-0829: Buffer overflow in libstagefright during MP4 video
playback
– CVE-2015-0828: Double-free when using non-default memory allocators with
a zero-length XHR
– CVE-2015-0827: Out-of-bounds read and write while rendering SVG content
– CVE-2015-0826: Buffer overflow during CSS restyling
– CVE-2015-0825: Buffer underflow during MP3 playback
– CVE-2015-0824: Crash using DrawTarget in Cairo graphics library
– CVE-2015-0823: Use-after-free in Developer Console date with OpenType
Sanitiser
– CVE-2015-0822: Reading of local files through manipulation of form
autocomplete
– CVE-2015-0821: Local files or privileged URLs in pages can be opened
into new tabs
– CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof
foreground tabs
– CVE-2015-0820: Caja Compiler JavaScript sandbox bypass
mozilla-nss was updated to version 3.17.4 to fix the following issues:
– CVE-2014-1569: QuickDER decoder length issue (bnc#910647).
– bmo#1084986: If an SSL/TLS connection fails, because client and server
don’t have any common protocol version enabled, NSS has been changed to
report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
SSL_ERROR_NO_CYPHER_OVERLAP).
– bmo#1112461: libpkix was fixed to prefer the newest certificate, if
multiple certificates match.
– bmo#1094492: fixed a memory corruption issue during failure of keypair
generation.
– bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode.
– bmo#1119983: fixed interoperability of NSS server code with a LibreSSL
client.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– openSUSE 13.2:
zypper in -t patch openSUSE-2015-185=1
– openSUSE 13.1:
zypper in -t patch openSUSE-2015-185=1
To bring your system up-to-date, use “zypper patch”.
Package List:
– openSUSE 13.2 (i586 x86_64):
MozillaFirefox-36.0-14.2
MozillaFirefox-branding-upstream-36.0-14.2
MozillaFirefox-buildsymbols-36.0-14.2
MozillaFirefox-debuginfo-36.0-14.2
MozillaFirefox-debugsource-36.0-14.2
MozillaFirefox-devel-36.0-14.2
MozillaFirefox-translations-common-36.0-14.2
MozillaFirefox-translations-other-36.0-14.2
libfreebl3-3.17.4-9.1
libfreebl3-debuginfo-3.17.4-9.1
libsoftokn3-3.17.4-9.1
libsoftokn3-debuginfo-3.17.4-9.1
mozilla-nss-3.17.4-9.1
mozilla-nss-certs-3.17.4-9.1
mozilla-nss-certs-debuginfo-3.17.4-9.1
mozilla-nss-debuginfo-3.17.4-9.1
mozilla-nss-debugsource-3.17.4-9.1
mozilla-nss-devel-3.17.4-9.1
mozilla-nss-sysinit-3.17.4-9.1
mozilla-nss-sysinit-debuginfo-3.17.4-9.1
mozilla-nss-tools-3.17.4-9.1
mozilla-nss-tools-debuginfo-3.17.4-9.1
– openSUSE 13.2 (x86_64):
libfreebl3-32bit-3.17.4-9.1
libfreebl3-debuginfo-32bit-3.17.4-9.1
libsoftokn3-32bit-3.17.4-9.1
libsoftokn3-debuginfo-32bit-3.17.4-9.1
mozilla-nss-32bit-3.17.4-9.1
mozilla-nss-certs-32bit-3.17.4-9.1
mozilla-nss-certs-debuginfo-32bit-3.17.4-9.1
mozilla-nss-debuginfo-32bit-3.17.4-9.1
mozilla-nss-sysinit-32bit-3.17.4-9.1
mozilla-nss-sysinit-debuginfo-32bit-3.17.4-9.1
– openSUSE 13.1 (i586 x86_64):
MozillaFirefox-36.0-59.2
MozillaFirefox-branding-upstream-36.0-59.2
MozillaFirefox-buildsymbols-36.0-59.2
MozillaFirefox-debuginfo-36.0-59.2
MozillaFirefox-debugsource-36.0-59.2
MozillaFirefox-devel-36.0-59.2
MozillaFirefox-translations-common-36.0-59.2
MozillaFirefox-translations-other-36.0-59.2
libfreebl3-3.17.4-52.1
libfreebl3-debuginfo-3.17.4-52.1
libsoftokn3-3.17.4-52.1
libsoftokn3-debuginfo-3.17.4-52.1
mozilla-nss-3.17.4-52.1
mozilla-nss-certs-3.17.4-52.1
mozilla-nss-certs-debuginfo-3.17.4-52.1
mozilla-nss-debuginfo-3.17.4-52.1
mozilla-nss-debugsource-3.17.4-52.1
mozilla-nss-devel-3.17.4-52.1
mozilla-nss-sysinit-3.17.4-52.1
mozilla-nss-sysinit-debuginfo-3.17.4-52.1
mozilla-nss-tools-3.17.4-52.1
mozilla-nss-tools-debuginfo-3.17.4-52.1
– openSUSE 13.1 (x86_64):
libfreebl3-32bit-3.17.4-52.1
libfreebl3-debuginfo-32bit-3.17.4-52.1
libsoftokn3-32bit-3.17.4-52.1
libsoftokn3-debuginfo-32bit-3.17.4-52.1
mozilla-nss-32bit-3.17.4-52.1
mozilla-nss-certs-32bit-3.17.4-52.1
mozilla-nss-certs-debuginfo-32bit-3.17.4-52.1
mozilla-nss-debuginfo-32bit-3.17.4-52.1
mozilla-nss-sysinit-32bit-3.17.4-52.1
mozilla-nss-sysinit-debuginfo-32bit-3.17.4-52.1
References:
http://support.novell.com/security/cve/CVE-2014-1569.html
http://support.novell.com/security/cve/CVE-2015-0819.html
http://support.novell.com/security/cve/CVE-2015-0820.html
http://support.novell.com/security/cve/CVE-2015-0821.html
http://support.novell.com/security/cve/CVE-2015-0822.html
http://support.novell.com/security/cve/CVE-2015-0823.html
http://support.novell.com/security/cve/CVE-2015-0824.html
http://support.novell.com/security/cve/CVE-2015-0825.html
http://support.novell.com/security/cve/CVE-2015-0826.html
http://support.novell.com/security/cve/CVE-2015-0827.html
http://support.novell.com/security/cve/CVE-2015-0828.html
http://support.novell.com/security/cve/CVE-2015-0829.html
http://support.novell.com/security/cve/CVE-2015-0830.html
http://support.novell.com/security/cve/CVE-2015-0831.html
http://support.novell.com/security/cve/CVE-2015-0832.html
http://support.novell.com/security/cve/CVE-2015-0834.html
http://support.novell.com/security/cve/CVE-2015-0835.html
http://support.novell.com/security/cve/CVE-2015-0836.html
https://bugzilla.suse.com/910647
https://bugzilla.suse.com/917597
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
7e
| Autor | Tomislav Protega |
| Cert id | NCERT-REF-2015-03-0005-ADV |
| Cve | CVE-2014-1569 CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0822 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0827 CVE-2015-0828 CVE-2015-0829 CVE-2015-0830 CVE-2015-0831 CVE-2015-0832 CVE-2015-0834 CVE-2015-0835 CVE-2015-0836 |
| ID izvornika | openSUSE-SU-2015:0404-1 |
| Proizvod | Security update for MozillaFirefox, mozilla-nss |
| Izvor | http://www.suse.com |
