
Security vulnerabilities in the Mozilla software packages Firefox, Thunderbird and mozilla-nspr

openSUSE Security Update: Security update for MozillaFirefox, MozillaThunderbird, mozilla-nspr
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:0677-1
Rating: important
References: #925368 #925392 #925393 #925394 #925395 #925396 #925397 #925398 #925399 #925400 #925401 #925402 #926166
Cross-References: CVE-2015-0799 CVE-2015-0801 CVE-2015-0802 CVE-2015-0803 CVE-2015-0804 CVE-2015-0805 CVE-2015-0806 CVE-2015-0807 CVE-2015-0808 CVE-2015-0811 CVE-2015-0812 CVE-2015-0813 CVE-2015-0814 CVE-2015-0815 CVE-2015-0816

Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________

An update that fixes 15 vulnerabilities is now available.

Description:

Mozilla Firefox and Thunderbird were updated to fix several important
vulnerabilities.

Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to
31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency.

The following vulnerabilities were fixed in Mozilla Firefox:

* Miscellaneous memory safety hazards (MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
* Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
* Add-on lightweight theme installation approval bypassed through MITM attack (MFSA 2015-32/CVE-2015-0812 bmo#1128126 boo#925394)
* resource:// documents can load privileged pages (MFSA 2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
* Out of bounds read in QCMS library (MFSA 2015-34/CVE-2015-0811 bmo#1132468 boo#925396)
* Incorrect memory management for simple-type arrays in WebRTC (MFSA 2015-36/CVE-2015-0808 bmo#1109552 boo#925397)
* CORS requests should not follow 30x redirections after preflight (MFSA 2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
* Memory corruption crashes in Off Main Thread Compositing (MFSA 2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511 bmo#1099437 boo#925399)
* Use-after-free due to type confusion flaws (MFSA 2015-39/CVE-2015-0803/CVE-2015-0804 bmo#1134560 boo#925400)
* Same-origin bypass through anchor navigation (MFSA 2015-40/CVE-2015-0801 bmo#1146339 boo#925401)
* Windows can retain access to privileged content on navigation to unprivileged pages (MFSA 2015-42/CVE-2015-0802 bmo#1124898 boo#925402)

The following vulnerability was fixed in functionality that was not
released as an update to openSUSE:

* Certificate verification could be bypassed through the HTTP/2 Alt-Svc header (MFSA 2015-44/CVE-2015-0799 bmo#1148328 bnc#926166)

The functionality added in 37.0 and thus removed in 37.0.1 was:

* Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc

The following functionality was added or updated in Mozilla Firefox:

* Heartbeat user rating system
* Yandex set as default search provider for the Turkish locale
* Bing search now uses HTTPS for secure searching
* Improved protection against site impersonation via OneCRL centralized certificate revocation
* some more behaviour changes for TLS

The following vulnerabilities were fixed in Mozilla Thunderbird:

* Miscellaneous memory safety hazards (MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
* Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
* resource:// documents can load privileged pages (MFSA 2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
* CORS requests should not follow 30x redirections after preflight (MFSA 2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
* Same-origin bypass through anchor navigation (MFSA 2015-40/CVE-2015-0801 bmo#1146339 boo#925401)

mozilla-nspr was updated to 4.10.8 as a dependency and received the following changes:

* bmo#573192: remove the stack-based PRFileDesc cache.
* bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING > 0 instead of only checking if the identifier is defined.
* bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE. Use PR_ARRAY_SIZE to get the array size of _PR_RUNQ(t->cpu).
* bmo#1106600: Replace PR_ASSERT(!"foo") with PR_NOT_REACHED("foo") to fix clang -Wstring-conversion warnings.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2015-290=1

- openSUSE 13.1:

zypper in -t patch openSUSE-2015-290=1

To bring your system up-to-date, use "zypper patch".
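After applying the patch, an administrator usually wants to confirm that the installed package versions actually meet the fixed versions in the package list below. The following script is an added example and is not part of the openSUSE advisory: it takes `name version-release` lines in the format that `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints, compares them against the openSUSE 13.2 fixed versions from this advisory, and reports any package that is still older. The sample input is constructed, and the script assumes a `sort` that understands `-V` (GNU coreutils); `sort -V` is close to, but not identical with, rpm's own version ordering, so treat it as a triage check rather than an authoritative one.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: verify that installed
# Mozilla packages are at least the fixed versions from openSUSE-SU-2015:0677-1.

# Fixed versions for openSUSE 13.2, taken from the advisory's package list.
FIXED="MozillaFirefox 37.0.1-23.1
MozillaThunderbird 31.6.0-15.3
mozilla-nspr 4.10.8-6.1"

# version_ge A B: succeed (0) if version A is >= version B.
# Assumes GNU sort -V; this approximates rpm's version comparison.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_installed: reads "name version-release" lines on stdin, as produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' MozillaFirefox MozillaThunderbird mozilla-nspr
# prints a verdict per covered package and returns 1 if any is still vulnerable.
check_installed() {
    rc=0
    while read -r name ver; do
        want=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue   # package not covered by this advisory
        if version_ge "$ver" "$want"; then
            printf '%s %s: fixed\n' "$name" "$ver"
        else
            printf '%s %s: VULNERABLE (need >= %s)\n' "$name" "$ver" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output standing in for rpm -q; Firefox is still on 37.0.
SAMPLE="MozillaFirefox 37.0-22.1
MozillaThunderbird 31.6.0-15.3
mozilla-nspr 4.10.8-6.1"

if printf '%s\n' "$SAMPLE" | check_installed; then
    echo "all covered packages are at the fixed version"
else
    echo "update required: run 'zypper in -t patch openSUSE-2015-290=1'"
fi
```

On a real host, replace the constructed `SAMPLE` with the output of the `rpm -q` command shown in the comment; the package names and fixed versions for openSUSE 13.1 differ in their release numbers and would need their own table.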

Package List:

- openSUSE 13.2 (i586 x86_64):

MozillaFirefox-37.0.1-23.1
MozillaFirefox-branding-upstream-37.0.1-23.1
MozillaFirefox-buildsymbols-37.0.1-23.1
MozillaFirefox-debuginfo-37.0.1-23.1
MozillaFirefox-debugsource-37.0.1-23.1
MozillaFirefox-devel-37.0.1-23.1
MozillaFirefox-translations-common-37.0.1-23.1
MozillaFirefox-translations-other-37.0.1-23.1
MozillaThunderbird-31.6.0-15.3
MozillaThunderbird-buildsymbols-31.6.0-15.3
MozillaThunderbird-debuginfo-31.6.0-15.3
MozillaThunderbird-debugsource-31.6.0-15.3
MozillaThunderbird-devel-31.6.0-15.3
MozillaThunderbird-translations-common-31.6.0-15.3
MozillaThunderbird-translations-other-31.6.0-15.3
mozilla-nspr-4.10.8-6.1
mozilla-nspr-debuginfo-4.10.8-6.1
mozilla-nspr-debugsource-4.10.8-6.1
mozilla-nspr-devel-4.10.8-6.1

- openSUSE 13.2 (x86_64):

mozilla-nspr-32bit-4.10.8-6.1
mozilla-nspr-debuginfo-32bit-4.10.8-6.1

- openSUSE 13.1 (i586 x86_64):

MozillaFirefox-37.0.1-68.1
MozillaFirefox-branding-upstream-37.0.1-68.1
MozillaFirefox-buildsymbols-37.0.1-68.1
MozillaFirefox-debuginfo-37.0.1-68.1
MozillaFirefox-debugsource-37.0.1-68.1
MozillaFirefox-devel-37.0.1-68.1
MozillaFirefox-translations-common-37.0.1-68.1
MozillaFirefox-translations-other-37.0.1-68.1
MozillaThunderbird-31.6.0-70.50.2
MozillaThunderbird-buildsymbols-31.6.0-70.50.2
MozillaThunderbird-debuginfo-31.6.0-70.50.2
MozillaThunderbird-debugsource-31.6.0-70.50.2
MozillaThunderbird-devel-31.6.0-70.50.2
MozillaThunderbird-translations-common-31.6.0-70.50.2
MozillaThunderbird-translations-other-31.6.0-70.50.2
mozilla-nspr-4.10.8-22.1
mozilla-nspr-debuginfo-4.10.8-22.1
mozilla-nspr-debugsource-4.10.8-22.1
mozilla-nspr-devel-4.10.8-22.1

- openSUSE 13.1 (x86_64):

mozilla-nspr-32bit-4.10.8-22.1
mozilla-nspr-debuginfo-32bit-4.10.8-22.1

References:

https://www.suse.com/security/cve/CVE-2015-0799.html
https://www.suse.com/security/cve/CVE-2015-0801.html
https://www.suse.com/security/cve/CVE-2015-0802.html
https://www.suse.com/security/cve/CVE-2015-0803.html
https://www.suse.com/security/cve/CVE-2015-0804.html
https://www.suse.com/security/cve/CVE-2015-0805.html
https://www.suse.com/security/cve/CVE-2015-0806.html
https://www.suse.com/security/cve/CVE-2015-0807.html
https://www.suse.com/security/cve/CVE-2015-0808.html
https://www.suse.com/security/cve/CVE-2015-0811.html
https://www.suse.com/security/cve/CVE-2015-0812.html
https://www.suse.com/security/cve/CVE-2015-0813.html
https://www.suse.com/security/cve/CVE-2015-0814.html
https://www.suse.com/security/cve/CVE-2015-0815.html
https://www.suse.com/security/cve/CVE-2015-0816.html
https://bugzilla.suse.com/925368
https://bugzilla.suse.com/925392
https://bugzilla.suse.com/925393
https://bugzilla.suse.com/925394
https://bugzilla.suse.com/925395
https://bugzilla.suse.com/925396
https://bugzilla.suse.com/925397
https://bugzilla.suse.com/925398
https://bugzilla.suse.com/925399
https://bugzilla.suse.com/925400
https://bugzilla.suse.com/925401
https://bugzilla.suse.com/925402
https://bugzilla.suse.com/926166


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
