
Security vulnerabilities in the MozillaFirefox and mozilla-nss software packages

openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:2368-1
Rating: important
References: #999701
Cross-References: CVE-2016-2827 CVE-2016-5256 CVE-2016-5257
CVE-2016-5270 CVE-2016-5271 CVE-2016-5272
CVE-2016-5273 CVE-2016-5274 CVE-2016-5275
CVE-2016-5276 CVE-2016-5277 CVE-2016-5278
CVE-2016-5279 CVE-2016-5280 CVE-2016-5281
CVE-2016-5282 CVE-2016-5283 CVE-2016-5284

Affected Products:
openSUSE Leap 42.1
openSUSE 13.2
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available.

Description:

This update for MozillaFirefox and mozilla-nss fixes the following issues:

MozillaFirefox was updated to version 49.0 (boo#999701)
– New features
* Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
* Added features to Reader Mode that make it easier on the eyes and the ears
* Improved video performance for users on systems that support SSE3 without hardware acceleration
* Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
* Improvements in about:memory reports for tracking font memory usage
– Security related fixes (MFSA 2016-85)
* CVE-2016-2827 (bmo#1289085) – Out-of-bounds read in mozilla::net::IsValidReferrerPolicy
* CVE-2016-5270 (bmo#1291016) – Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
* CVE-2016-5271 (bmo#1288946) – Out-of-bounds read in PropertyProvider::GetSpacingInternal
* CVE-2016-5272 (bmo#1297934) – Bad cast in nsImageGeometryMixin
* CVE-2016-5273 (bmo#1280387) – Crash in mozilla::a11y::HyperTextAccessible::GetChildOffset
* CVE-2016-5276 (bmo#1287721) – Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList
* CVE-2016-5274 (bmo#1282076) – Use-after-free in nsFrameManager::CaptureFrameState
* CVE-2016-5277 (bmo#1291665) – Heap-use-after-free in nsRefreshDriver::Tick
* CVE-2016-5275 (bmo#1287316) – Global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
* CVE-2016-5278 (bmo#1294677) – Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
* CVE-2016-5279 (bmo#1249522) – Full local path of files is available to web pages after drag and drop
* CVE-2016-5280 (bmo#1289970) – Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
* CVE-2016-5281 (bmo#1284690) – Use-after-free in DOMSVGLength
* CVE-2016-5282 (bmo#932335) – Don't allow content to request favicons from non-whitelisted schemes
* CVE-2016-5283 (bmo#928187) – <iframe src> fragment timing attack can reveal cross-origin data
* CVE-2016-5284 (bmo#1303127) – Add-on update site certificate pin expiration
* CVE-2016-5256 – Memory safety bugs fixed in Firefox 49
* CVE-2016-5257 – Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
– requires NSS 3.25

– Mozilla Firefox 48.0.2:
* Mitigate a startup crash issue caused on Windows (bmo#1291738)

mozilla-nss was updated to NSS 3.25.

New functionality:
* Implemented DHE key agreement for TLS 1.3
* Added support for ChaCha with TLS 1.3
* Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
* In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed.
* Several functions have been added to the public API of the NSS Cryptoki Framework. New functions:
  * NSSCKFWSlot_GetSlotID
  * NSSCKFWSession_GetFWSlot
  * NSSCKFWInstance_DestroySessionHandle
  * NSSCKFWInstance_FindSessionHandle

Notable changes:
* An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
* Regression fix: NSS no longer reports a failure if an application attempts to disable the SSLv2 protocol.
* The list of trusted CA certificates has been updated to version 2.8
* The following CA certificate was removed: Sonera Class1 CA
* The following CA certificates were added: Hellenic Academic and Research Institutions RootCA 2015, Hellenic Academic and Research Institutions ECC RootCA 2015, Certplus Root CA G1, Certplus Root CA G2, OpenTrust Root CA G1, OpenTrust Root CA G2, OpenTrust Root CA G3

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.1:

zypper in -t patch openSUSE-2016-1119=1

– openSUSE 13.2:

zypper in -t patch openSUSE-2016-1119=1

To bring your system up-to-date, use “zypper patch”.
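As an added example (not part of the advisory or of openSUSE's tooling), the check below compares the packages reported by `rpm -qa` against the fixed versions this advisory lists for openSUSE Leap 42.1 and reports anything still older. It assumes the default `rpm -qa` output format (name-version-release.arch), uses a constructed sample instead of a live query, and implements a simplified rpmvercmp without tilde/caret handling.

```python
import re

# Fixed versions for openSUSE Leap 42.1, taken from the advisory's package list.
FIXED_LEAP_421 = {"MozillaFirefox": "49.0-33.1", "mozilla-nss": "3.25-29.1",
                  "libfreebl3": "3.25-29.1", "libsoftokn3": "3.25-29.1"}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret): compare numeric/alphabetic runs in order;
    numeric beats alphabetic at the same position, more segments wins a tie. -1/0/1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings as rpm does: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_rpm_qa(output):
    """Map name -> 'version-release' from `rpm -qa` lines (name-version-release.arch);
    names may contain hyphens (mozilla-nss), so version/release are split off the right."""
    installed = {}
    for line in output.split():
        for arch in (".x86_64", ".i586", ".i686", ".noarch"):
            if line.endswith(arch):
                line = line[: -len(arch)]
                break
        name, version, release = line.rsplit("-", 2)
        installed[name] = f"{version}-{release}"
    return installed

def unpatched(installed, fixed):
    """Return {name: (installed, fixed)} for packages present but older than the fix."""
    return {n: (installed[n], f) for n, f in fixed.items()
            if n in installed and vr_cmp(installed[n], f) < 0}

# Constructed sample `rpm -qa` output: Firefox and libsoftokn3 are still on older builds.
SAMPLE_RPM_QA = """
MozillaFirefox-48.0.2-28.1.x86_64
mozilla-nss-3.25-29.1.x86_64
libfreebl3-3.25-29.1.x86_64
libsoftokn3-3.24-25.1.x86_64
"""
```

On a real host, feed the output of `rpm -qa` to `parse_rpm_qa` and pass the result to `unpatched`; an empty result means every listed package is at or above the fixed build.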

Package List:

– openSUSE Leap 42.1 (i586 x86_64):

MozillaFirefox-49.0-33.1
MozillaFirefox-branding-upstream-49.0-33.1
MozillaFirefox-buildsymbols-49.0-33.1
MozillaFirefox-debuginfo-49.0-33.1
MozillaFirefox-debugsource-49.0-33.1
MozillaFirefox-devel-49.0-33.1
MozillaFirefox-translations-common-49.0-33.1
MozillaFirefox-translations-other-49.0-33.1
libfreebl3-3.25-29.1
libfreebl3-debuginfo-3.25-29.1
libsoftokn3-3.25-29.1
libsoftokn3-debuginfo-3.25-29.1
mozilla-nss-3.25-29.1
mozilla-nss-certs-3.25-29.1
mozilla-nss-certs-debuginfo-3.25-29.1
mozilla-nss-debuginfo-3.25-29.1
mozilla-nss-debugsource-3.25-29.1
mozilla-nss-devel-3.25-29.1
mozilla-nss-sysinit-3.25-29.1
mozilla-nss-sysinit-debuginfo-3.25-29.1
mozilla-nss-tools-3.25-29.1
mozilla-nss-tools-debuginfo-3.25-29.1

– openSUSE Leap 42.1 (x86_64):

libfreebl3-32bit-3.25-29.1
libfreebl3-debuginfo-32bit-3.25-29.1
libsoftokn3-32bit-3.25-29.1
libsoftokn3-debuginfo-32bit-3.25-29.1
mozilla-nss-32bit-3.25-29.1
mozilla-nss-certs-32bit-3.25-29.1
mozilla-nss-certs-debuginfo-32bit-3.25-29.1
mozilla-nss-debuginfo-32bit-3.25-29.1
mozilla-nss-sysinit-32bit-3.25-29.1
mozilla-nss-sysinit-debuginfo-32bit-3.25-29.1

– openSUSE 13.2 (i586 x86_64):

MozillaFirefox-49.0-80.1
MozillaFirefox-branding-upstream-49.0-80.1
MozillaFirefox-buildsymbols-49.0-80.1
MozillaFirefox-debuginfo-49.0-80.1
MozillaFirefox-debugsource-49.0-80.1
MozillaFirefox-devel-49.0-80.1
MozillaFirefox-translations-common-49.0-80.1
MozillaFirefox-translations-other-49.0-80.1
libfreebl3-3.25-46.1
libfreebl3-debuginfo-3.25-46.1
libsoftokn3-3.25-46.1
libsoftokn3-debuginfo-3.25-46.1
mozilla-nss-3.25-46.1
mozilla-nss-certs-3.25-46.1
mozilla-nss-certs-debuginfo-3.25-46.1
mozilla-nss-debuginfo-3.25-46.1
mozilla-nss-debugsource-3.25-46.1
mozilla-nss-devel-3.25-46.1
mozilla-nss-sysinit-3.25-46.1
mozilla-nss-sysinit-debuginfo-3.25-46.1
mozilla-nss-tools-3.25-46.1
mozilla-nss-tools-debuginfo-3.25-46.1

– openSUSE 13.2 (x86_64):

libfreebl3-32bit-3.25-46.1
libfreebl3-debuginfo-32bit-3.25-46.1
libsoftokn3-32bit-3.25-46.1
libsoftokn3-debuginfo-32bit-3.25-46.1
mozilla-nss-32bit-3.25-46.1
mozilla-nss-certs-32bit-3.25-46.1
mozilla-nss-certs-debuginfo-32bit-3.25-46.1
mozilla-nss-debuginfo-32bit-3.25-46.1
mozilla-nss-sysinit-32bit-3.25-46.1
mozilla-nss-sysinit-debuginfo-32bit-3.25-46.1

References:

https://www.suse.com/security/cve/CVE-2016-2827.html
https://www.suse.com/security/cve/CVE-2016-5256.html
https://www.suse.com/security/cve/CVE-2016-5257.html
https://www.suse.com/security/cve/CVE-2016-5270.html
https://www.suse.com/security/cve/CVE-2016-5271.html
https://www.suse.com/security/cve/CVE-2016-5272.html
https://www.suse.com/security/cve/CVE-2016-5273.html
https://www.suse.com/security/cve/CVE-2016-5274.html
https://www.suse.com/security/cve/CVE-2016-5275.html
https://www.suse.com/security/cve/CVE-2016-5276.html
https://www.suse.com/security/cve/CVE-2016-5277.html
https://www.suse.com/security/cve/CVE-2016-5278.html
https://www.suse.com/security/cve/CVE-2016-5279.html
https://www.suse.com/security/cve/CVE-2016-5280.html
https://www.suse.com/security/cve/CVE-2016-5281.html
https://www.suse.com/security/cve/CVE-2016-5282.html
https://www.suse.com/security/cve/CVE-2016-5283.html
https://www.suse.com/security/cve/CVE-2016-5284.html
https://bugzilla.suse.com/999701


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org


   openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:2386-1
Rating:             important
References:         #999701
Cross-References:   CVE-2016-2827 CVE-2016-5256 CVE-2016-5257
                    CVE-2016-5270 CVE-2016-5271 CVE-2016-5272
                    CVE-2016-5273 CVE-2016-5274 CVE-2016-5275
                    CVE-2016-5276 CVE-2016-5277 CVE-2016-5278
                    CVE-2016-5279 CVE-2016-5280 CVE-2016-5281
                    CVE-2016-5282 CVE-2016-5283 CVE-2016-5284
                  
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 18 vulnerabilities is now available.

Description:

   MozillaFirefox was updated to version 49.0 (boo#999701)
      – New features
        * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins.
        * Added features to Reader Mode that make it easier on the eyes and the ears
        * Improved video performance for users on systems that support SSE3 without hardware acceleration
        * Added context menu controls to HTML5 audio and video that let users loop files or play files at 1.25x speed
        * Improvements in about:memory reports for tracking font memory usage
      – Security related fixes (MFSA 2016-85)
        * CVE-2016-2827 (bmo#1289085) – Out-of-bounds read in mozilla::net::IsValidReferrerPolicy
        * CVE-2016-5270 (bmo#1291016) – Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
        * CVE-2016-5271 (bmo#1288946) – Out-of-bounds read in PropertyProvider::GetSpacingInternal
        * CVE-2016-5272 (bmo#1297934) – Bad cast in nsImageGeometryMixin
        * CVE-2016-5273 (bmo#1280387) – Crash in mozilla::a11y::HyperTextAccessible::GetChildOffset
        * CVE-2016-5276 (bmo#1287721) – Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList
        * CVE-2016-5274 (bmo#1282076) – Use-after-free in nsFrameManager::CaptureFrameState
        * CVE-2016-5277 (bmo#1291665) – Heap-use-after-free in nsRefreshDriver::Tick
        * CVE-2016-5275 (bmo#1287316) – Global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
        * CVE-2016-5278 (bmo#1294677) – Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
        * CVE-2016-5279 (bmo#1249522) – Full local path of files is available to web pages after drag and drop
        * CVE-2016-5280 (bmo#1289970) – Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
        * CVE-2016-5281 (bmo#1284690) – Use-after-free in DOMSVGLength
        * CVE-2016-5282 (bmo#932335) – Don't allow content to request favicons from non-whitelisted schemes
        * CVE-2016-5283 (bmo#928187) – <iframe src> fragment timing attack can reveal cross-origin data
        * CVE-2016-5284 (bmo#1303127) – Add-on update site certificate pin expiration
        * CVE-2016-5256 – Memory safety bugs fixed in Firefox 49
        * CVE-2016-5257 – Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
      – requires NSS 3.25

      – Mozilla Firefox 48.0.2:
        * Mitigate a startup crash issue caused on Windows (bmo#1291738)

      mozilla-nss was updated to NSS 3.25.

      New functionality:
        * Implemented DHE key agreement for TLS 1.3
        * Added support for ChaCha with TLS 1.3
        * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
        * In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed.
        * Several functions have been added to the public API of the NSS Cryptoki Framework. New functions:
          * NSSCKFWSlot_GetSlotID
          * NSSCKFWSession_GetFWSlot
          * NSSCKFWInstance_DestroySessionHandle
          * NSSCKFWInstance_FindSessionHandle

      Notable changes:
        * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
        * Regression fix: NSS no longer reports a failure if an application attempts to disable the SSLv2 protocol.
        * The list of trusted CA certificates has been updated to version 2.8
        * The following CA certificate was removed: Sonera Class1 CA
        * The following CA certificates were added: Hellenic Academic and Research Institutions RootCA 2015, Hellenic Academic and Research Institutions ECC RootCA 2015, Certplus Root CA G1, Certplus Root CA G2, OpenTrust Root CA G1, OpenTrust Root CA G2, OpenTrust Root CA G3

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   – openSUSE 13.1:

      zypper in -t patch 2016-1128=1

   To bring your system up-to-date, use “zypper patch”.

Package List:

   – openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-49.0.1-125.2
      MozillaFirefox-branding-upstream-49.0.1-125.2
      MozillaFirefox-buildsymbols-49.0.1-125.2
      MozillaFirefox-debuginfo-49.0.1-125.2
      MozillaFirefox-debugsource-49.0.1-125.2
      MozillaFirefox-devel-49.0.1-125.2
      MozillaFirefox-translations-common-49.0.1-125.2
      MozillaFirefox-translations-other-49.0.1-125.2
      libfreebl3-3.25-91.1
      libfreebl3-debuginfo-3.25-91.1
      libsoftokn3-3.25-91.1
      libsoftokn3-debuginfo-3.25-91.1
      mozilla-nss-3.25-91.1
      mozilla-nss-certs-3.25-91.1
      mozilla-nss-certs-debuginfo-3.25-91.1
      mozilla-nss-debuginfo-3.25-91.1
      mozilla-nss-debugsource-3.25-91.1
      mozilla-nss-devel-3.25-91.1
      mozilla-nss-sysinit-3.25-91.1
      mozilla-nss-sysinit-debuginfo-3.25-91.1
      mozilla-nss-tools-3.25-91.1
      mozilla-nss-tools-debuginfo-3.25-91.1

   – openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.25-91.1
      libfreebl3-debuginfo-32bit-3.25-91.1
      libsoftokn3-32bit-3.25-91.1
      libsoftokn3-debuginfo-32bit-3.25-91.1
      mozilla-nss-32bit-3.25-91.1
      mozilla-nss-certs-32bit-3.25-91.1
      mozilla-nss-certs-debuginfo-32bit-3.25-91.1
      mozilla-nss-debuginfo-32bit-3.25-91.1
      mozilla-nss-sysinit-32bit-3.25-91.1
      mozilla-nss-sysinit-debuginfo-32bit-3.25-91.1

References:

   https://www.suse.com/security/cve/CVE-2016-2827.html
   https://www.suse.com/security/cve/CVE-2016-5256.html
   https://www.suse.com/security/cve/CVE-2016-5257.html
   https://www.suse.com/security/cve/CVE-2016-5270.html
   https://www.suse.com/security/cve/CVE-2016-5271.html
   https://www.suse.com/security/cve/CVE-2016-5272.html
   https://www.suse.com/security/cve/CVE-2016-5273.html
   https://www.suse.com/security/cve/CVE-2016-5274.html
   https://www.suse.com/security/cve/CVE-2016-5275.html
   https://www.suse.com/security/cve/CVE-2016-5276.html
   https://www.suse.com/security/cve/CVE-2016-5277.html
   https://www.suse.com/security/cve/CVE-2016-5278.html
   https://www.suse.com/security/cve/CVE-2016-5279.html
   https://www.suse.com/security/cve/CVE-2016-5280.html
   https://www.suse.com/security/cve/CVE-2016-5281.html
   https://www.suse.com/security/cve/CVE-2016-5282.html
   https://www.suse.com/security/cve/CVE-2016-5283.html
   https://www.suse.com/security/cve/CVE-2016-5284.html
   https://bugzilla.suse.com/999701


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org