openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________
Announcement ID: openSUSE-SU-2017:0358-1
Rating: important
References: #1017174 #1021814 #1021817 #1021818 #1021819
#1021820 #1021821 #1021822 #1021823 #1021824
#1021826 #1021827 #1021828 #1021830 #1021831
#1021832 #1021833 #1021835 #1021837 #1021839
#1021840 #1021841
Cross-References: CVE-2017-5373 CVE-2017-5374 CVE-2017-5375
CVE-2017-5376 CVE-2017-5377 CVE-2017-5378
CVE-2017-5379 CVE-2017-5380 CVE-2017-5381
CVE-2017-5382 CVE-2017-5383 CVE-2017-5384
CVE-2017-5385 CVE-2017-5386 CVE-2017-5387
CVE-2017-5388 CVE-2017-5389 CVE-2017-5390
CVE-2017-5391 CVE-2017-5392 CVE-2017-5393
CVE-2017-5394 CVE-2017-5395 CVE-2017-5396
Affected Products:
openSUSE Leap 42.2
openSUSE Leap 42.1
______________________________________________________________________________
An update that fixes 24 vulnerabilities is now available.
Description:
This update for MozillaFirefox to version 51.0.1 fixes security issues and
bugs.
These security issues were fixed:
* CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and
DEP (bmo#1325200, boo#1021814)
* CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817)
CVE-2017-5377: Memory corruption with transforms to create gradients in
Skia (bmo#1306883, boo#1021826)
* CVE-2017-5378: Pointer and frame data leakage of Javascript objects
(bmo#1312001, bmo#1330769, boo#1021818)
* CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827)
* CVE-2017-5380: Potential use-after-free during DOM manipulations
(bmo#1322107, boo#1021819)
* CVE-2017-5390: Insecure communication methods in Developer Tools JSON
viewer (bmo#1297361, boo#1021820)
* CVE-2017-5389: WebExtensions can install additional add-ons via modified
host requests (bmo#1308688, boo#1021828)
* CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403,
boo#1021821)
* CVE-2017-5381: Certificate Viewer exporting can be used to navigate and
save to arbitrary filesystem locations (bmo#1017616, boo#1021830)
* CVE-2017-5382: Feed preview can expose privileged content errors and
exceptions (bmo#1295322, boo#1021831)
* CVE-2017-5383: Location bar spoofing with unicode characters
(bmo#1323338, bmo#1324716, boo#1021822)
* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
(bmo#1255474, boo#1021832)
* CVE-2017-5385: Data sent in multipart channels ignores referrer-policy
response headers (bmo#1295945, boo#1021833)
* CVE-2017-5386: WebExtensions can use data: protocol to affect other
extensions (bmo#1319070, boo#1021823)
* CVE-2017-5391: Content about: pages can load privileged about: pages
(bmo#1309310, boo#1021835)
* CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for
mozAddonManager (bmo#1309282, boo#1021837)
* CVE-2017-5387: Disclosure of local file existence through TRACK tag
error messages (bmo#1295023, boo#1021839)
* CVE-2017-5388: WebRTC can be used to generate a large amount of UDP
traffic for DDOS attacks (bmo#1281482, boo#1021840)
* CVE-2017-5374: Memory safety bugs (boo#1021841)
* CVE-2017-5373: Memory safety bugs (boo#1021824)
These non-security issues in MozillaFirefox were fixed:
* Added support for FLAC (Free Lossless Audio Codec) playback
* Added support for WebGL 2
* Added Georgian (ka) and Kabyle (kab) locales
* Support saving passwords for forms without ‘submit’ events
* Improved video performance for users without GPU acceleration
* Zoom indicator is shown in the URL bar if the zoom level is not at
default level
* View passwords from the prompt before saving them
* Remove Belarusian (be) locale
* Use Skia for content rendering (Linux)
* Improve recognition of LANGUAGE env variable (boo#1017174)
* Multiprocess incompatibility did not correctly register with some
add-ons (bmo#1333423)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-187=1
– openSUSE Leap 42.1:
zypper in -t patch openSUSE-2017-187=1
To bring your system up-to-date, use “zypper patch”.
Package List:
– openSUSE Leap 42.2 (i586 x86_64):
MozillaFirefox-51.0.1-50.2
MozillaFirefox-branding-upstream-51.0.1-50.2
MozillaFirefox-buildsymbols-51.0.1-50.2
MozillaFirefox-debuginfo-51.0.1-50.2
MozillaFirefox-debugsource-51.0.1-50.2
MozillaFirefox-devel-51.0.1-50.2
MozillaFirefox-translations-common-51.0.1-50.2
MozillaFirefox-translations-other-51.0.1-50.2
– openSUSE Leap 42.1 (x86_64):
MozillaFirefox-51.0.1-50.2
MozillaFirefox-branding-upstream-51.0.1-50.2
MozillaFirefox-buildsymbols-51.0.1-50.2
MozillaFirefox-debuginfo-51.0.1-50.2
MozillaFirefox-debugsource-51.0.1-50.2
MozillaFirefox-devel-51.0.1-50.2
MozillaFirefox-translations-common-51.0.1-50.2
MozillaFirefox-translations-other-51.0.1-50.2
References:
https://www.suse.com/security/cve/CVE-2017-5373.html
https://www.suse.com/security/cve/CVE-2017-5374.html
https://www.suse.com/security/cve/CVE-2017-5375.html
https://www.suse.com/security/cve/CVE-2017-5376.html
https://www.suse.com/security/cve/CVE-2017-5377.html
https://www.suse.com/security/cve/CVE-2017-5378.html
https://www.suse.com/security/cve/CVE-2017-5379.html
https://www.suse.com/security/cve/CVE-2017-5380.html
https://www.suse.com/security/cve/CVE-2017-5381.html
https://www.suse.com/security/cve/CVE-2017-5382.html
https://www.suse.com/security/cve/CVE-2017-5383.html
https://www.suse.com/security/cve/CVE-2017-5384.html
https://www.suse.com/security/cve/CVE-2017-5385.html
https://www.suse.com/security/cve/CVE-2017-5386.html
https://www.suse.com/security/cve/CVE-2017-5387.html
https://www.suse.com/security/cve/CVE-2017-5388.html
https://www.suse.com/security/cve/CVE-2017-5389.html
https://www.suse.com/security/cve/CVE-2017-5390.html
https://www.suse.com/security/cve/CVE-2017-5391.html
https://www.suse.com/security/cve/CVE-2017-5392.html
https://www.suse.com/security/cve/CVE-2017-5393.html
https://www.suse.com/security/cve/CVE-2017-5394.html
https://www.suse.com/security/cve/CVE-2017-5395.html
https://www.suse.com/security/cve/CVE-2017-5396.html
https://bugzilla.suse.com/1017174
https://bugzilla.suse.com/1021814
https://bugzilla.suse.com/1021817
https://bugzilla.suse.com/1021818
https://bugzilla.suse.com/1021819
https://bugzilla.suse.com/1021820
https://bugzilla.suse.com/1021821
https://bugzilla.suse.com/1021822
https://bugzilla.suse.com/1021823
https://bugzilla.suse.com/1021824
https://bugzilla.suse.com/1021826
https://bugzilla.suse.com/1021827
https://bugzilla.suse.com/1021828
https://bugzilla.suse.com/1021830
https://bugzilla.suse.com/1021831
https://bugzilla.suse.com/1021832
https://bugzilla.suse.com/1021833
https://bugzilla.suse.com/1021835
https://bugzilla.suse.com/1021837
https://bugzilla.suse.com/1021839
https://bugzilla.suse.com/1021840
https://bugzilla.suse.com/1021841
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org