openSUSE Security Update: update for MozillaFirefox, MozillaThunderbird, mozilla-nspr, mozilla-nss, seamonkey, xulrunner
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1348-1
Rating:             important
References:         #833389 
Cross-References:   CVE-2013-1701 CVE-2013-1702 CVE-2013-1704
                    CVE-2013-1705 CVE-2013-1708 CVE-2013-1709
                    CVE-2013-1710 CVE-2013-1711 CVE-2013-1713
                    CVE-2013-1714 CVE-2013-1717
Affected Products:
                    openSUSE 12.3
                    openSUSE 12.2
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   Changes in seamonkey:
   - update to SeaMonkey 2.20 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
   memory safety hazards
   * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
   mutating DOM during SetBody
   * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer
   underflow when generating CRMF requests
   * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during
   WAV audio file decoding
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
   XrayWrappers using XBL Scopes
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system
   - requires NSPR 4.10 and NSS 3.15
   - removed obsolete seamonkey-shared-nss-db.patch

   Changes in seamonkey:
   - update to SeaMonkey 2.20 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
   memory safety hazards
   * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
   mutating DOM during SetBody
   * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer
   underflow when generating CRMF requests
   * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during
   WAV audio file decoding
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
   XrayWrappers using XBL Scopes
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system
   - requires NSPR 4.10 and NSS 3.15
   - removed obsolete seamonkey-shared-nss-db.patch

   Changes in xulrunner:
   - update to 17.0.8esr (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
   hazards
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system

   Changes in xulrunner:
   - update to 17.0.8esr (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
   hazards
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system

   Changes in MozillaThunderbird:
   - update to Thunderbird 17.0.8 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
   hazards
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system

   - update Enigmail to 1.5.2
   * bugfix release

   Changes in MozillaThunderbird:
   - update to Thunderbird 17.0.8 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
   hazards
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system

   - update Enigmail to 1.5.2
   * bugfix release

   Changes in mozilla-nss:
   - fix 32bit requirement, it's without () actually

   - update to 3.15.1
   * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher
   suites (RFC 5246 and RFC 5289) are supported, allowing
   TLS to be used without MD5 and SHA-1. Note the
   following limitations: The hash function used in the
   signature for TLS 1.2 client authentication must be the
   hash function of the TLS 1.2 PRF, which is always
   SHA-256 in NSS 3.15.1. AES GCM cipher suites are not
   yet supported.
   * some bugfixes and improvements

   - require libnssckbi instead of mozilla-nss-certs so
   p11-kit can conflict with the latter (fate#314991)

   - update to 3.15
   * Packaging
   + removed obsolete patches
   * nss-disable-expired-testcerts.patch
   * bug-834091.patch
   * New Functionality
   + Support for OCSP Stapling (RFC 6066, Certificate
   Status Request) has been added for both client and server
   sockets. TLS client applications may enable this via a call
   to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
   + Added function SECITEM_ReallocItemV2. It replaces
   function SECITEM_ReallocItem, which is now declared as
   obsolete.
   + Support for single-operation (eg: not multi-part)
   symmetric key encryption and decryption, via PK11_Encrypt
   and PK11_Decrypt.
   + certutil has been updated to support creating name
   constraints extensions.
   * New Functions in ssl.h SSL_PeerStapledOCSPResponse -
   Returns the server's stapled OCSP response, when used
   with a TLS client socket that negotiated the
   status_request extension. SSL_SetStapledOCSPResponses -
   Set's a stapled OCSP response for a TLS server socket
   to return when clients send the status_request
   extension. in ocsp.h CERT_PostOCSPRequest - Primarily
   intended for testing, permits the sending and receiving
   of raw OCSP request/responses. in secpkcs7.h
   SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a
   PKCS#7 signature at a specific time other than the
   present time. in xconst.h
   CERT_EncodeNameConstraintsExtension - Matching function
   for CERT_DecodeNameConstraintsExtension, added in NSS
   3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray
   SECITEM_FreeArray SECITEM_ZfreeArray - Utility
   functions to handle the allocation and deallocation of
   SECItemArrays SECITEM_ReallocItemV2 - Replaces
   SECITEM_ReallocItem, which is now obsolete.
   SECITEM_ReallocItemV2 better matches caller
   expectations, in that it updates item->len on
   allocation. For more details of the issues with
   SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in
   pk11pub.h PK11_Decrypt - Performs decryption as a
   single PKCS#11 operation (eg: not multi-part). This is
   necessary for AES-GCM. PK11_Encrypt - Performs
   encryption as a single PKCS#11 operation (eg: not
   multi-part). This is necessary for AES-GCM.
   * New Types in secitem.h SECItemArray - Represents a
   variable-length array of SECItems.
   * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used
   with SSL_OptionSet to configure TLS client sockets to
   request the certificate_status extension (eg: OCSP
   stapling) when set to PR_TRUE
   * Notable changes
   + SECITEM_ReallocItem is now deprecated. Please
   consider using SECITEM_ReallocItemV2 in all future code.
   + The list of root CA certificates in the nssckbi
   module has been updated.
   + The default implementation of SSL_AuthCertificate has
   been updated to add certificate status responses stapled by
   the TLS server to the OCSP cache.
   * a lot of bugfixes

   - Add Source URL, see https://en.opensuse.org/SourceUrls

   Changes in mozilla-nss:
   - fix 32bit requirement, it's without () actually

   - update to 3.15.1
   * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher
   suites (RFC 5246 and RFC 5289) are supported, allowing
   TLS to be used without MD5 and SHA-1. Note the
   following limitations: The hash function used in the
   signature for TLS 1.2 client authentication must be the
   hash function of the TLS 1.2 PRF, which is always
   SHA-256 in NSS 3.15.1. AES GCM cipher suites are not
   yet supported.
   * some bugfixes and improvements

   - require libnssckbi instead of mozilla-nss-certs so
   p11-kit can conflict with the latter (fate#314991)

   - update to 3.15
   * Packaging
   + removed obsolete patches
   * nss-disable-expired-testcerts.patch
   * bug-834091.patch
   * New Functionality
   + Support for OCSP Stapling (RFC 6066, Certificate
   Status Request) has been added for both client and server
   sockets. TLS client applications may enable this via a call
   to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
   + Added function SECITEM_ReallocItemV2. It replaces
   function SECITEM_ReallocItem, which is now declared as
   obsolete.
   + Support for single-operation (eg: not multi-part)
   symmetric key encryption and decryption, via PK11_Encrypt
   and PK11_Decrypt.
   + certutil has been updated to support creating name
   constraints extensions.
   * New Functions in ssl.h SSL_PeerStapledOCSPResponse -
   Returns the server's stapled OCSP response, when used
   with a TLS client socket that negotiated the
   status_request extension. SSL_SetStapledOCSPResponses -
   Set's a stapled OCSP response for a TLS server socket
   to return when clients send the status_request
   extension. in ocsp.h CERT_PostOCSPRequest - Primarily
   intended for testing, permits the sending and receiving
   of raw OCSP request/responses. in secpkcs7.h
   SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a
   PKCS#7 signature at a specific time other than the
   present time. in xconst.h
   CERT_EncodeNameConstraintsExtension - Matching function
   for CERT_DecodeNameConstraintsExtension, added in NSS
   3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray
   SECITEM_FreeArray SECITEM_ZfreeArray - Utility
   functions to handle the allocation and deallocation of
   SECItemArrays SECITEM_ReallocItemV2 - Replaces
   SECITEM_ReallocItem, which is now obsolete.
   SECITEM_ReallocItemV2 better matches caller
   expectations, in that it updates item->len on
   allocation. For more details of the issues with
   SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in
   pk11pub.h PK11_Decrypt - Performs decryption as a
   single PKCS#11 operation (eg: not multi-part). This is
   necessary for AES-GCM. PK11_Encrypt - Performs
   encryption as a single PKCS#11 operation (eg: not
   multi-part). This is necessary for AES-GCM.
   * New Types in secitem.h SECItemArray - Represents a
   variable-length array of SECItems.
   * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used
   with SSL_OptionSet to configure TLS client sockets to
   request the certificate_status extension (eg: OCSP
   stapling) when set to PR_TRUE
   * Notable changes
   + SECITEM_ReallocItem is now deprecated. Please
   consider using SECITEM_ReallocItemV2 in all future code.
   + The list of root CA certificates in the nssckbi
   module has been updated.
   + The default implementation of SSL_AuthCertificate has
   been updated to add certificate status responses stapled by
   the TLS server to the OCSP cache.
   * a lot of bugfixes

   - Add Source URL, see https://en.opensuse.org/SourceUrls

   Changes in mozilla-nspr:
   - update to version 4.10
   * bmo#844513: Add AddressSanitizer (ASan) memory check
   annotations to PLArena.
   * bmo#849089: Simple changes to make NSPR's configure.in
   work with the current version of autoconf.
   * bmo#856196: Fix compiler warnings and clean up code in
   NSPR 4.10.
   * bmo#859066: Fix warning in
   nsprpub/pr/src/misc/prnetdb.c.
   * bmo#859830: Deprecate ANDROID_VERSION in favor of
   android/api-level.h.
   * bmo#861434: Make PR_SetThreadPriority() change
   priorities relatively to the main process instead of
   using absolute values on Linux.
   * bmo#871064L: _PR_InitThreads() should not call
   PR_SetThreadPriority.

   Changes in mozilla-nspr:
   - update to version 4.10
   * bmo#844513: Add AddressSanitizer (ASan) memory check
   annotations to PLArena.
   * bmo#849089: Simple changes to make NSPR's configure.in
   work with the current version of autoconf.
   * bmo#856196: Fix compiler warnings and clean up code in
   NSPR 4.10.
   * bmo#859066: Fix warning in
   nsprpub/pr/src/misc/prnetdb.c.
   * bmo#859830: Deprecate ANDROID_VERSION in favor of
   android/api-level.h.
   * bmo#861434: Make PR_SetThreadPriority() change
   priorities relatively to the main process instead of
   using absolute values on Linux.
   * bmo#871064L: _PR_InitThreads() should not call
   PR_SetThreadPriority.

   Changes in MozillaFirefox:
   - update to Firefox 23.0 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
   memory safety hazards
   * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
   mutating DOM during SetBody
   * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer
   underflow when generating CRMF requests
   * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during
   WAV audio file decoding
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
   XrayWrappers using XBL Scopes
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system
   - requires NSPR 4.10 and NSS 3.15

   - fix build on ARM (/-g/ matches /-grecord-switches/)

   Changes in MozillaFirefox:
   - update to Firefox 23.0 (bnc#833389)
   * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
   memory safety hazards
   * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
   mutating DOM during SetBody
   * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer
   underflow when generating CRMF requests
   * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during
   WAV audio file decoding
   * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
   misrepresentation and masquerading
   * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
   allow for code execution and XSS attacks
   * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
   XrayWrappers using XBL Scopes
   * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
   used for validating URI for some Javascript components
   * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
   bypass with web workers and XMLHttpRequest
   * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
   Local Java applets may read contents of local file
   system
   - requires NSPR 4.10 and NSS 3.15

   - fix build on ARM (/-g/ matches /-grecord-switches/)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-652

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-652

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.3 (i586 x86_64):

      MozillaFirefox-23.0-1.29.1
      MozillaFirefox-branding-upstream-23.0-1.29.1
      MozillaFirefox-buildsymbols-23.0-1.29.1
      MozillaFirefox-debuginfo-23.0-1.29.1
      MozillaFirefox-debugsource-23.0-1.29.1
      MozillaFirefox-devel-23.0-1.29.1
      MozillaFirefox-translations-common-23.0-1.29.1
      MozillaFirefox-translations-other-23.0-1.29.1
      MozillaThunderbird-17.0.8-61.21.2
      MozillaThunderbird-buildsymbols-17.0.8-61.21.2
      MozillaThunderbird-debuginfo-17.0.8-61.21.2
      MozillaThunderbird-debugsource-17.0.8-61.21.2
      MozillaThunderbird-devel-17.0.8-61.21.2
      MozillaThunderbird-devel-debuginfo-17.0.8-61.21.2
      MozillaThunderbird-translations-common-17.0.8-61.21.2
      MozillaThunderbird-translations-other-17.0.8-61.21.2
      enigmail-1.5.2+17.0.8-61.21.2
      enigmail-debuginfo-1.5.2+17.0.8-61.21.2
      libfreebl3-3.15.1-1.12.1
      libfreebl3-debuginfo-3.15.1-1.12.1
      libsoftokn3-3.15.1-1.12.1
      libsoftokn3-debuginfo-3.15.1-1.12.1
      mozilla-js-17.0.8-1.24.1
      mozilla-js-debuginfo-17.0.8-1.24.1
      mozilla-nspr-4.10-1.14.1
      mozilla-nspr-debuginfo-4.10-1.14.1
      mozilla-nspr-debugsource-4.10-1.14.1
      mozilla-nspr-devel-4.10-1.14.1
      mozilla-nss-3.15.1-1.12.1
      mozilla-nss-certs-3.15.1-1.12.1
      mozilla-nss-certs-debuginfo-3.15.1-1.12.1
      mozilla-nss-debuginfo-3.15.1-1.12.1
      mozilla-nss-debugsource-3.15.1-1.12.1
      mozilla-nss-devel-3.15.1-1.12.1
      mozilla-nss-sysinit-3.15.1-1.12.1
      mozilla-nss-sysinit-debuginfo-3.15.1-1.12.1
      mozilla-nss-tools-3.15.1-1.12.1
      mozilla-nss-tools-debuginfo-3.15.1-1.12.1
      seamonkey-2.20-1.16.1
      seamonkey-debuginfo-2.20-1.16.1
      seamonkey-debugsource-2.20-1.16.1
      seamonkey-dom-inspector-2.20-1.16.1
      seamonkey-irc-2.20-1.16.1
      seamonkey-translations-common-2.20-1.16.1
      seamonkey-translations-other-2.20-1.16.1
      seamonkey-venkman-2.20-1.16.1
      xulrunner-17.0.8-1.24.1
      xulrunner-buildsymbols-17.0.8-1.24.1
      xulrunner-debuginfo-17.0.8-1.24.1
      xulrunner-debugsource-17.0.8-1.24.1
      xulrunner-devel-17.0.8-1.24.1
      xulrunner-devel-debuginfo-17.0.8-1.24.1

   - openSUSE 12.3 (x86_64):

      libfreebl3-32bit-3.15.1-1.12.1
      libfreebl3-debuginfo-32bit-3.15.1-1.12.1
      libsoftokn3-32bit-3.15.1-1.12.1
      libsoftokn3-debuginfo-32bit-3.15.1-1.12.1
      mozilla-js-32bit-17.0.8-1.24.1
      mozilla-js-debuginfo-32bit-17.0.8-1.24.1
      mozilla-nspr-32bit-4.10-1.14.1
      mozilla-nspr-debuginfo-32bit-4.10-1.14.1
      mozilla-nss-32bit-3.15.1-1.12.1
      mozilla-nss-certs-32bit-3.15.1-1.12.1
      mozilla-nss-certs-debuginfo-32bit-3.15.1-1.12.1
      mozilla-nss-debuginfo-32bit-3.15.1-1.12.1
      mozilla-nss-sysinit-32bit-3.15.1-1.12.1
      mozilla-nss-sysinit-debuginfo-32bit-3.15.1-1.12.1
      xulrunner-32bit-17.0.8-1.24.1
      xulrunner-debuginfo-32bit-17.0.8-1.24.1

   - openSUSE 12.2 (i586 x86_64):

      MozillaFirefox-23.0-2.55.1
      MozillaFirefox-branding-upstream-23.0-2.55.1
      MozillaFirefox-buildsymbols-23.0-2.55.1
      MozillaFirefox-debuginfo-23.0-2.55.1
      MozillaFirefox-debugsource-23.0-2.55.1
      MozillaFirefox-devel-23.0-2.55.1
      MozillaFirefox-translations-common-23.0-2.55.1
      MozillaFirefox-translations-other-23.0-2.55.1
      MozillaThunderbird-17.0.8-49.51.2
      MozillaThunderbird-buildsymbols-17.0.8-49.51.2
      MozillaThunderbird-debuginfo-17.0.8-49.51.2
      MozillaThunderbird-debugsource-17.0.8-49.51.2
      MozillaThunderbird-devel-17.0.8-49.51.2
      MozillaThunderbird-devel-debuginfo-17.0.8-49.51.2
      MozillaThunderbird-translations-common-17.0.8-49.51.2
      MozillaThunderbird-translations-other-17.0.8-49.51.2
      enigmail-1.5.2+17.0.8-49.51.2
      enigmail-debuginfo-1.5.2+17.0.8-49.51.2
      libfreebl3-3.15.1-2.23.1
      libfreebl3-debuginfo-3.15.1-2.23.1
      libsoftokn3-3.15.1-2.23.1
      libsoftokn3-debuginfo-3.15.1-2.23.1
      mozilla-js-17.0.8-2.50.1
      mozilla-js-debuginfo-17.0.8-2.50.1
      mozilla-nspr-4.10-1.16.1
      mozilla-nspr-debuginfo-4.10-1.16.1
      mozilla-nspr-debugsource-4.10-1.16.1
      mozilla-nspr-devel-4.10-1.16.1
      mozilla-nss-3.15.1-2.23.1
      mozilla-nss-certs-3.15.1-2.23.1
      mozilla-nss-certs-debuginfo-3.15.1-2.23.1
      mozilla-nss-debuginfo-3.15.1-2.23.1
      mozilla-nss-debugsource-3.15.1-2.23.1
      mozilla-nss-devel-3.15.1-2.23.1
      mozilla-nss-sysinit-3.15.1-2.23.1
      mozilla-nss-sysinit-debuginfo-3.15.1-2.23.1
      mozilla-nss-tools-3.15.1-2.23.1
      mozilla-nss-tools-debuginfo-3.15.1-2.23.1
      seamonkey-2.20-2.46.1
      seamonkey-debuginfo-2.20-2.46.1
      seamonkey-debugsource-2.20-2.46.1
      seamonkey-dom-inspector-2.20-2.46.1
      seamonkey-irc-2.20-2.46.1
      seamonkey-translations-common-2.20-2.46.1
      seamonkey-translations-other-2.20-2.46.1
      seamonkey-venkman-2.20-2.46.1
      xulrunner-17.0.8-2.50.1
      xulrunner-buildsymbols-17.0.8-2.50.1
      xulrunner-debuginfo-17.0.8-2.50.1
      xulrunner-debugsource-17.0.8-2.50.1
      xulrunner-devel-17.0.8-2.50.1
      xulrunner-devel-debuginfo-17.0.8-2.50.1

   - openSUSE 12.2 (x86_64):

      libfreebl3-32bit-3.15.1-2.23.1
      libfreebl3-debuginfo-32bit-3.15.1-2.23.1
      libsoftokn3-32bit-3.15.1-2.23.1
      libsoftokn3-debuginfo-32bit-3.15.1-2.23.1
      mozilla-js-32bit-17.0.8-2.50.1
      mozilla-js-debuginfo-32bit-17.0.8-2.50.1
      mozilla-nspr-32bit-4.10-1.16.1
      mozilla-nspr-debuginfo-32bit-4.10-1.16.1
      mozilla-nss-32bit-3.15.1-2.23.1
      mozilla-nss-certs-32bit-3.15.1-2.23.1
      mozilla-nss-certs-debuginfo-32bit-3.15.1-2.23.1
      mozilla-nss-debuginfo-32bit-3.15.1-2.23.1
      mozilla-nss-sysinit-32bit-3.15.1-2.23.1
      mozilla-nss-sysinit-debuginfo-32bit-3.15.1-2.23.1
      xulrunner-32bit-17.0.8-2.50.1
      xulrunner-debuginfo-32bit-17.0.8-2.50.1


References:

   https://www.suse.com/security/cve/CVE-2013-1701.html
   https://www.suse.com/security/cve/CVE-2013-1702.html
   https://www.suse.com/security/cve/CVE-2013-1704.html
   https://www.suse.com/security/cve/CVE-2013-1705.html
   https://www.suse.com/security/cve/CVE-2013-1708.html
   https://www.suse.com/security/cve/CVE-2013-1709.html
   https://www.suse.com/security/cve/CVE-2013-1710.html
   https://www.suse.com/security/cve/CVE-2013-1711.html
   https://www.suse.com/security/cve/CVE-2013-1713.html
   https://www.suse.com/security/cve/CVE-2013-1714.html
   https://www.suse.com/security/cve/CVE-2013-1717.html
   https://bugzilla.novell.com/833389

openSUSE: 2013:1348-1: important: MozillaFirefox, MozillaThunderbird, mozilla-nspr, mozilla-nss, seamonkey, xulrunner

August 16, 2013
An update that fixes 11 vulnerabilities is now available

Description

Changes in seamonkey: - update to SeaMonkey 2.20 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 - removed obsolete seamonkey-shared-nss-db.patch Changes in seamonkey: - update to SeaMonkey 2.20 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 - removed obsolete seamonkey-shared-nss-db.patch Changes in xulrunner: - update to 17.0.8esr (bnc#833389) * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety hazards * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system Changes in xulrunner: - update to 17.0.8esr (bnc#833389) * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety hazards * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system Changes in MozillaThunderbird: - update to Thunderbird 17.0.8 (bnc#833389) * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety hazards * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - update Enigmail to 1.5.2 * bugfix release Changes in MozillaThunderbird: - update to Thunderbird 17.0.8 (bnc#833389) * MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety hazards * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - update Enigmail to 1.5.2 * bugfix release Changes in mozilla-nss: - fix 32bit requirement, it's without () actually - update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements - require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991) - update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. * New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE * Notable changes + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. + The list of root CA certificates in the nssckbi module has been updated. + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. * a lot of bugfixes - Add Source URL, see https://en.opensuse.org/SourceUrls Changes in mozilla-nss: - fix 32bit requirement, it's without () actually - update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements - require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991) - update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. * New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE * Notable changes + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. + The list of root CA certificates in the nssckbi module has been updated. + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. * a lot of bugfixes - Add Source URL, see https://en.opensuse.org/SourceUrls Changes in mozilla-nspr: - update to version 4.10 * bmo#844513: Add AddressSanitizer (ASan) memory check annotations to PLArena. * bmo#849089: Simple changes to make NSPR's configure.in work with the current version of autoconf. * bmo#856196: Fix compiler warnings and clean up code in NSPR 4.10. * bmo#859066: Fix warning in nsprpub/pr/src/misc/prnetdb.c. * bmo#859830: Deprecate ANDROID_VERSION in favor of android/api-level.h. * bmo#861434: Make PR_SetThreadPriority() change priorities relatively to the main process instead of using absolute values on Linux. * bmo#871064L: _PR_InitThreads() should not call PR_SetThreadPriority. Changes in mozilla-nspr: - update to version 4.10 * bmo#844513: Add AddressSanitizer (ASan) memory check annotations to PLArena. * bmo#849089: Simple changes to make NSPR's configure.in work with the current version of autoconf. * bmo#856196: Fix compiler warnings and clean up code in NSPR 4.10. * bmo#859066: Fix warning in nsprpub/pr/src/misc/prnetdb.c. * bmo#859830: Deprecate ANDROID_VERSION in favor of android/api-level.h. * bmo#861434: Make PR_SetThreadPriority() change priorities relatively to the main process instead of using absolute values on Linux. * bmo#871064L: _PR_InitThreads() should not call PR_SetThreadPriority. Changes in MozillaFirefox: - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 - fix build on ARM (/-g/ matches /-grecord-switches/) Changes in MozillaFirefox: - update to Firefox 23.0 (bnc#833389) * MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous memory safety hazards * MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free mutating DOM during SetBody * MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests * MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV audio file decoding * MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI misrepresentation and masquerading * MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests allow for code execution and XSS attacks * MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of XrayWrappers using XBL Scopes * MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal used for validating URI for some Javascript components * MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin bypass with web workers and XMLHttpRequest * MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397) Local Java applets may read contents of local file system - requires NSPR 4.10 and NSS 3.15 - fix build on ARM (/-g/ matches /-grecord-switches/)

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-652 - openSUSE 12.2: zypper in -t patch openSUSE-2013-652 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 12.3 (i586 x86_64): MozillaFirefox-23.0-1.29.1 MozillaFirefox-branding-upstream-23.0-1.29.1 MozillaFirefox-buildsymbols-23.0-1.29.1 MozillaFirefox-debuginfo-23.0-1.29.1 MozillaFirefox-debugsource-23.0-1.29.1 MozillaFirefox-devel-23.0-1.29.1 MozillaFirefox-translations-common-23.0-1.29.1 MozillaFirefox-translations-other-23.0-1.29.1 MozillaThunderbird-17.0.8-61.21.2 MozillaThunderbird-buildsymbols-17.0.8-61.21.2 MozillaThunderbird-debuginfo-17.0.8-61.21.2 MozillaThunderbird-debugsource-17.0.8-61.21.2 MozillaThunderbird-devel-17.0.8-61.21.2 MozillaThunderbird-devel-debuginfo-17.0.8-61.21.2 MozillaThunderbird-translations-common-17.0.8-61.21.2 MozillaThunderbird-translations-other-17.0.8-61.21.2 enigmail-1.5.2+17.0.8-61.21.2 enigmail-debuginfo-1.5.2+17.0.8-61.21.2 libfreebl3-3.15.1-1.12.1 libfreebl3-debuginfo-3.15.1-1.12.1 libsoftokn3-3.15.1-1.12.1 libsoftokn3-debuginfo-3.15.1-1.12.1 mozilla-js-17.0.8-1.24.1 mozilla-js-debuginfo-17.0.8-1.24.1 mozilla-nspr-4.10-1.14.1 mozilla-nspr-debuginfo-4.10-1.14.1 mozilla-nspr-debugsource-4.10-1.14.1 mozilla-nspr-devel-4.10-1.14.1 mozilla-nss-3.15.1-1.12.1 mozilla-nss-certs-3.15.1-1.12.1 mozilla-nss-certs-debuginfo-3.15.1-1.12.1 mozilla-nss-debuginfo-3.15.1-1.12.1 mozilla-nss-debugsource-3.15.1-1.12.1 mozilla-nss-devel-3.15.1-1.12.1 mozilla-nss-sysinit-3.15.1-1.12.1 mozilla-nss-sysinit-debuginfo-3.15.1-1.12.1 mozilla-nss-tools-3.15.1-1.12.1 mozilla-nss-tools-debuginfo-3.15.1-1.12.1 seamonkey-2.20-1.16.1 seamonkey-debuginfo-2.20-1.16.1 seamonkey-debugsource-2.20-1.16.1 seamonkey-dom-inspector-2.20-1.16.1 seamonkey-irc-2.20-1.16.1 seamonkey-translations-common-2.20-1.16.1 seamonkey-translations-other-2.20-1.16.1 seamonkey-venkman-2.20-1.16.1 xulrunner-17.0.8-1.24.1 xulrunner-buildsymbols-17.0.8-1.24.1 xulrunner-debuginfo-17.0.8-1.24.1 xulrunner-debugsource-17.0.8-1.24.1 xulrunner-devel-17.0.8-1.24.1 xulrunner-devel-debuginfo-17.0.8-1.24.1 - openSUSE 12.3 (x86_64): libfreebl3-32bit-3.15.1-1.12.1 libfreebl3-debuginfo-32bit-3.15.1-1.12.1 libsoftokn3-32bit-3.15.1-1.12.1 libsoftokn3-debuginfo-32bit-3.15.1-1.12.1 mozilla-js-32bit-17.0.8-1.24.1 mozilla-js-debuginfo-32bit-17.0.8-1.24.1 mozilla-nspr-32bit-4.10-1.14.1 mozilla-nspr-debuginfo-32bit-4.10-1.14.1 mozilla-nss-32bit-3.15.1-1.12.1 mozilla-nss-certs-32bit-3.15.1-1.12.1 mozilla-nss-certs-debuginfo-32bit-3.15.1-1.12.1 mozilla-nss-debuginfo-32bit-3.15.1-1.12.1 mozilla-nss-sysinit-32bit-3.15.1-1.12.1 mozilla-nss-sysinit-debuginfo-32bit-3.15.1-1.12.1 xulrunner-32bit-17.0.8-1.24.1 xulrunner-debuginfo-32bit-17.0.8-1.24.1 - openSUSE 12.2 (i586 x86_64): MozillaFirefox-23.0-2.55.1 MozillaFirefox-branding-upstream-23.0-2.55.1 MozillaFirefox-buildsymbols-23.0-2.55.1 MozillaFirefox-debuginfo-23.0-2.55.1 MozillaFirefox-debugsource-23.0-2.55.1 MozillaFirefox-devel-23.0-2.55.1 MozillaFirefox-translations-common-23.0-2.55.1 MozillaFirefox-translations-other-23.0-2.55.1 MozillaThunderbird-17.0.8-49.51.2 MozillaThunderbird-buildsymbols-17.0.8-49.51.2 MozillaThunderbird-debuginfo-17.0.8-49.51.2 MozillaThunderbird-debugsource-17.0.8-49.51.2 MozillaThunderbird-devel-17.0.8-49.51.2 MozillaThunderbird-devel-debuginfo-17.0.8-49.51.2 MozillaThunderbird-translations-common-17.0.8-49.51.2 MozillaThunderbird-translations-other-17.0.8-49.51.2 enigmail-1.5.2+17.0.8-49.51.2 enigmail-debuginfo-1.5.2+17.0.8-49.51.2 libfreebl3-3.15.1-2.23.1 libfreebl3-debuginfo-3.15.1-2.23.1 libsoftokn3-3.15.1-2.23.1 libsoftokn3-debuginfo-3.15.1-2.23.1 mozilla-js-17.0.8-2.50.1 mozilla-js-debuginfo-17.0.8-2.50.1 mozilla-nspr-4.10-1.16.1 mozilla-nspr-debuginfo-4.10-1.16.1 mozilla-nspr-debugsource-4.10-1.16.1 mozilla-nspr-devel-4.10-1.16.1 mozilla-nss-3.15.1-2.23.1 mozilla-nss-certs-3.15.1-2.23.1 mozilla-nss-certs-debuginfo-3.15.1-2.23.1 mozilla-nss-debuginfo-3.15.1-2.23.1 mozilla-nss-debugsource-3.15.1-2.23.1 mozilla-nss-devel-3.15.1-2.23.1 mozilla-nss-sysinit-3.15.1-2.23.1 mozilla-nss-sysinit-debuginfo-3.15.1-2.23.1 mozilla-nss-tools-3.15.1-2.23.1 mozilla-nss-tools-debuginfo-3.15.1-2.23.1 seamonkey-2.20-2.46.1 seamonkey-debuginfo-2.20-2.46.1 seamonkey-debugsource-2.20-2.46.1 seamonkey-dom-inspector-2.20-2.46.1 seamonkey-irc-2.20-2.46.1 seamonkey-translations-common-2.20-2.46.1 seamonkey-translations-other-2.20-2.46.1 seamonkey-venkman-2.20-2.46.1 xulrunner-17.0.8-2.50.1 xulrunner-buildsymbols-17.0.8-2.50.1 xulrunner-debuginfo-17.0.8-2.50.1 xulrunner-debugsource-17.0.8-2.50.1 xulrunner-devel-17.0.8-2.50.1 xulrunner-devel-debuginfo-17.0.8-2.50.1 - openSUSE 12.2 (x86_64): libfreebl3-32bit-3.15.1-2.23.1 libfreebl3-debuginfo-32bit-3.15.1-2.23.1 libsoftokn3-32bit-3.15.1-2.23.1 libsoftokn3-debuginfo-32bit-3.15.1-2.23.1 mozilla-js-32bit-17.0.8-2.50.1 mozilla-js-debuginfo-32bit-17.0.8-2.50.1 mozilla-nspr-32bit-4.10-1.16.1 mozilla-nspr-debuginfo-32bit-4.10-1.16.1 mozilla-nss-32bit-3.15.1-2.23.1 mozilla-nss-certs-32bit-3.15.1-2.23.1 mozilla-nss-certs-debuginfo-32bit-3.15.1-2.23.1 mozilla-nss-debuginfo-32bit-3.15.1-2.23.1 mozilla-nss-sysinit-32bit-3.15.1-2.23.1 mozilla-nss-sysinit-debuginfo-32bit-3.15.1-2.23.1 xulrunner-32bit-17.0.8-2.50.1 xulrunner-debuginfo-32bit-17.0.8-2.50.1


References

https://www.suse.com/security/cve/CVE-2013-1701.html https://www.suse.com/security/cve/CVE-2013-1702.html https://www.suse.com/security/cve/CVE-2013-1704.html https://www.suse.com/security/cve/CVE-2013-1705.html https://www.suse.com/security/cve/CVE-2013-1708.html https://www.suse.com/security/cve/CVE-2013-1709.html https://www.suse.com/security/cve/CVE-2013-1710.html https://www.suse.com/security/cve/CVE-2013-1711.html https://www.suse.com/security/cve/CVE-2013-1713.html https://www.suse.com/security/cve/CVE-2013-1714.html https://www.suse.com/security/cve/CVE-2013-1717.html https://bugzilla.novell.com/833389


Severity
Announcement ID: openSUSE-SU-2013:1348-1
Rating: important
Affected Products: openSUSE 12.3 openSUSE 12.2 .

Related News

Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered
Open Source Strategies for Enhancing Security in Digital Business Operations
5 - 9 min read
Digital transformation, powered by the principles of open-source security , is vital for businesses looking to excel in today's technology-driven
Microsoft Update Mayhem: Rescuing Linux Dual-Boot Systems from Secure Boot Woes
2 - 4 min read
Microsoft's recent patch, intended to strengthen Secure Boot defenses, has resulted in an unexpected setback for Linux-Windows dual-boot setups

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved