You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa Mozilla Firefox

Sigurnosni nedostaci programskog paketa Mozilla Firefox

openSUSE Security Update: Security update for Mozilla based packages
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:1620-1
Rating: important
References: #1040105 #1043960
Cross-References: CVE-2017-5470 CVE-2017-5472 CVE-2017-7749
CVE-2017-7750 CVE-2017-7751 CVE-2017-7752
CVE-2017-7754 CVE-2017-7755 CVE-2017-7756
CVE-2017-7757 CVE-2017-7758 CVE-2017-7760
CVE-2017-7761 CVE-2017-7764 CVE-2017-7765
CVE-2017-7766 CVE-2017-7767 CVE-2017-7768
CVE-2017-7771 CVE-2017-7772 CVE-2017-7773
CVE-2017-7774 CVE-2017-7775 CVE-2017-7776
CVE-2017-7777 CVE-2017-7778
Affected Products:
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes 26 vulnerabilities is now available.

Description:

This update for Mozilla Firefox, Thunderbird, and NSS fixes the following
issues:

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16:

* CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when
regenerating trees
* CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558) Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547) Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo
object
* CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox
Installer with same directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging
XHR header errors
* CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777 Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation
via callback parameter in Mozilla Windows Updater and Maintenance
Service (Windows only)
* CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation
through Mozilla Maintenance Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian
Syllabics and other unicode blocks
* CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving
executable files (Windows only)
* CVE-2017-7766 (bmo#1342742) File execution and privilege escalation
through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance
Service (Windows only)
* CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file
overwrites through Mozilla Windows Updater and Mozilla Maintenance
Service (Windows only)
* CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla
Maintenance Service (Windows only)
* CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

– remove -fno-inline-small-functions and explicitely optimize with
-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5
* Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok
Sertifikasi – Surum 1. (bmo#1350859)
* March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA
certificates removed: O = Japanese Government, OU = ApplicationCA CN =
WellsSecure Public Root Certificate Authority CN = TURKTRUST Elektronik
Sertifika Hizmet H6 CN = Microsec e-Szigno Root CA certificates added:
CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi –
Surum 1

java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime
dependency.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-712=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE Leap 42.2 (i586 x86_64):

MozillaFirefox-52.2-57.12.2
MozillaFirefox-branding-upstream-52.2-57.12.2
MozillaFirefox-buildsymbols-52.2-57.12.2
MozillaFirefox-debuginfo-52.2-57.12.2
MozillaFirefox-debugsource-52.2-57.12.2
MozillaFirefox-devel-52.2-57.12.2
MozillaFirefox-translations-common-52.2-57.12.2
MozillaFirefox-translations-other-52.2-57.12.2
MozillaThunderbird-52.2-41.9.2
MozillaThunderbird-buildsymbols-52.2-41.9.2
MozillaThunderbird-debuginfo-52.2-41.9.2
MozillaThunderbird-debugsource-52.2-41.9.2
MozillaThunderbird-devel-52.2-41.9.2
MozillaThunderbird-translations-common-52.2-41.9.2
MozillaThunderbird-translations-other-52.2-41.9.2
java-1_8_0-openjdk-1.8.0.131-10.10.3
java-1_8_0-openjdk-accessibility-1.8.0.131-10.10.3
java-1_8_0-openjdk-debuginfo-1.8.0.131-10.10.3
java-1_8_0-openjdk-debugsource-1.8.0.131-10.10.3
java-1_8_0-openjdk-demo-1.8.0.131-10.10.3
java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-10.10.3
java-1_8_0-openjdk-devel-1.8.0.131-10.10.3
java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-10.10.3
java-1_8_0-openjdk-headless-1.8.0.131-10.10.3
java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-10.10.3
java-1_8_0-openjdk-src-1.8.0.131-10.10.3
libfreebl3-3.28.5-40.6.1
libfreebl3-debuginfo-3.28.5-40.6.1
libsoftokn3-3.28.5-40.6.1
libsoftokn3-debuginfo-3.28.5-40.6.1
mozilla-nss-3.28.5-40.6.1
mozilla-nss-certs-3.28.5-40.6.1
mozilla-nss-certs-debuginfo-3.28.5-40.6.1
mozilla-nss-debuginfo-3.28.5-40.6.1
mozilla-nss-debugsource-3.28.5-40.6.1
mozilla-nss-devel-3.28.5-40.6.1
mozilla-nss-sysinit-3.28.5-40.6.1
mozilla-nss-sysinit-debuginfo-3.28.5-40.6.1
mozilla-nss-tools-3.28.5-40.6.1
mozilla-nss-tools-debuginfo-3.28.5-40.6.1

– openSUSE Leap 42.2 (noarch):

java-1_8_0-openjdk-javadoc-1.8.0.131-10.10.3

– openSUSE Leap 42.2 (x86_64):

libfreebl3-32bit-3.28.5-40.6.1
libfreebl3-debuginfo-32bit-3.28.5-40.6.1
libsoftokn3-32bit-3.28.5-40.6.1
libsoftokn3-debuginfo-32bit-3.28.5-40.6.1
mozilla-nss-32bit-3.28.5-40.6.1
mozilla-nss-certs-32bit-3.28.5-40.6.1
mozilla-nss-certs-debuginfo-32bit-3.28.5-40.6.1
mozilla-nss-debuginfo-32bit-3.28.5-40.6.1
mozilla-nss-sysinit-32bit-3.28.5-40.6.1
mozilla-nss-sysinit-debuginfo-32bit-3.28.5-40.6.1

References:

https://www.suse.com/security/cve/CVE-2017-5470.html
https://www.suse.com/security/cve/CVE-2017-5472.html
https://www.suse.com/security/cve/CVE-2017-7749.html
https://www.suse.com/security/cve/CVE-2017-7750.html
https://www.suse.com/security/cve/CVE-2017-7751.html
https://www.suse.com/security/cve/CVE-2017-7752.html
https://www.suse.com/security/cve/CVE-2017-7754.html
https://www.suse.com/security/cve/CVE-2017-7755.html
https://www.suse.com/security/cve/CVE-2017-7756.html
https://www.suse.com/security/cve/CVE-2017-7757.html
https://www.suse.com/security/cve/CVE-2017-7758.html
https://www.suse.com/security/cve/CVE-2017-7760.html
https://www.suse.com/security/cve/CVE-2017-7761.html
https://www.suse.com/security/cve/CVE-2017-7764.html
https://www.suse.com/security/cve/CVE-2017-7765.html
https://www.suse.com/security/cve/CVE-2017-7766.html
https://www.suse.com/security/cve/CVE-2017-7767.html
https://www.suse.com/security/cve/CVE-2017-7768.html
https://www.suse.com/security/cve/CVE-2017-7771.html
https://www.suse.com/security/cve/CVE-2017-7772.html
https://www.suse.com/security/cve/CVE-2017-7773.html
https://www.suse.com/security/cve/CVE-2017-7774.html
https://www.suse.com/security/cve/CVE-2017-7775.html
https://www.suse.com/security/cve/CVE-2017-7776.html
https://www.suse.com/security/cve/CVE-2017-7777.html
https://www.suse.com/security/cve/CVE-2017-7778.html
https://bugzilla.suse.com/1040105
https://bugzilla.suse.com/1043960


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

Top
More in Preporuke
Sigurnosni nedostatak programske biblioteke libnl3

Otkriven je sigurnosni nedostatak u programskoj biblioteci libnl3 za operacijski sustav Ubuntu 12.04 ESM. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje...

Close