openSUSE Security Update: Mozilla Firefox 27 release
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0212-1
Rating:             important
References:         
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:


   Mozilla Firefox was updated to version 27. Mozilla
   Seamonkey was updated to 2.24, fixing similar issues as
   Firefox 27. Mozilla Thunderbird was updated to 24.3.0,
   fixing similar issues as Firefox 27.

   The Firefox 27 release brings TLS 1.2 support as a major
   security feature.

   It also fixes the following security issues:
   * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous
   memory safety hazards (rv:27.0 / rv:24.3)
   * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected
   content with XBL scopes
   * MFSA 2014-03/CVE-2014-1480 (bmo#916726) UI selection
   timeout missing on download prompts
   * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use
   of discarded images by RasterImage
   * MFSA 2014-05/CVE-2014-1483 (bmo#950427) Information
   disclosure with *FromPoint on iframes
   * MFSA 2014-06/CVE-2014-1484 (bmo#953993) Profile path
   leaks to Android system log
   * MFSA 2014-07/CVE-2014-1485 (bmo#910139) XSLT
   stylesheets treated as styles in Content Security Policy
   * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free
   with imgRequestProxy and image processing
   * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin
   information leak through web workers
   * MFSA 2014-10/CVE-2014-1489 (bmo#959531) Firefox default
   start page UI content invokable by script
   * MFSA 2014-11/CVE-2014-1488 (bmo#950604) Crash when
   using web workers with asm.js
   * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545,
   bmo#930874, bmo#930857) NSS ticket handling issues
   * MFSA 2014-13/CVE-2014-1481 (bmo#936056) Inconsistent
   JavaScript handling of access to Window objects

   Mozilla NSS was updated to 3.15.4:
   * required for Firefox 27
   * regular CA root store update (1.96)
   * Reordered the cipher suites offered in SSL/TLS client
   hello messages to match modern best practices.
   * Improved SSL/TLS false start. In addition to enabling
   the SSL_ENABLE_FALSE_START option, an application must
   now register a callback using the
   SSL_SetCanFalseStartCallback function.
   * When false start is enabled, libssl will sometimes
   return unencrypted, unauthenticated data from PR_Recv
   (CVE-2013-1740, bmo#919877)
   * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket
   handling issues

   New functionality:
   * Implemented OCSP querying using the HTTP GET method,
   which is the new default, and will fall back to the
   HTTP POST method.
   * Implemented OCSP server functionality for testing
   purposes (httpserv utility).
   * Support SHA-1 signatures with TLS 1.2 client
   authentication.
   * Added the --empty-password command-line option to
   certutil, to be used with -N: use an empty password
   when creating a new database.
   * Added the -w command-line option to pp: don't wrap long
   output lines.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-119

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-119

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-27.0-8.1
      MozillaFirefox-branding-upstream-27.0-8.1
      MozillaFirefox-buildsymbols-27.0-8.1
      MozillaFirefox-debuginfo-27.0-8.1
      MozillaFirefox-debugsource-27.0-8.1
      MozillaFirefox-devel-27.0-8.1
      MozillaFirefox-translations-common-27.0-8.1
      MozillaFirefox-translations-other-27.0-8.1
      MozillaThunderbird-24.3.0-70.11.1
      MozillaThunderbird-buildsymbols-24.3.0-70.11.1
      MozillaThunderbird-debuginfo-24.3.0-70.11.1
      MozillaThunderbird-debugsource-24.3.0-70.11.1
      MozillaThunderbird-devel-24.3.0-70.11.1
      MozillaThunderbird-translations-common-24.3.0-70.11.1
      MozillaThunderbird-translations-other-24.3.0-70.11.1
      enigmail-1.6.0+24.3.0-70.11.1
      enigmail-debuginfo-1.6.0+24.3.0-70.11.1
      libfreebl3-3.15.4-12.1
      libfreebl3-debuginfo-3.15.4-12.1
      libsoftokn3-3.15.4-12.1
      libsoftokn3-debuginfo-3.15.4-12.1
      mozilla-nss-3.15.4-12.1
      mozilla-nss-certs-3.15.4-12.1
      mozilla-nss-certs-debuginfo-3.15.4-12.1
      mozilla-nss-debuginfo-3.15.4-12.1
      mozilla-nss-debugsource-3.15.4-12.1
      mozilla-nss-devel-3.15.4-12.1
      mozilla-nss-sysinit-3.15.4-12.1
      mozilla-nss-sysinit-debuginfo-3.15.4-12.1
      mozilla-nss-tools-3.15.4-12.1
      mozilla-nss-tools-debuginfo-3.15.4-12.1
      seamonkey-2.24-8.1
      seamonkey-debuginfo-2.24-8.1
      seamonkey-debugsource-2.24-8.1
      seamonkey-dom-inspector-2.24-8.1
      seamonkey-irc-2.24-8.1
      seamonkey-translations-common-2.24-8.1
      seamonkey-translations-other-2.24-8.1
      seamonkey-venkman-2.24-8.1

   - openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.15.4-12.1
      libfreebl3-debuginfo-32bit-3.15.4-12.1
      libsoftokn3-32bit-3.15.4-12.1
      libsoftokn3-debuginfo-32bit-3.15.4-12.1
      mozilla-nss-32bit-3.15.4-12.1
      mozilla-nss-certs-32bit-3.15.4-12.1
      mozilla-nss-certs-debuginfo-32bit-3.15.4-12.1
      mozilla-nss-debuginfo-32bit-3.15.4-12.1
      mozilla-nss-sysinit-32bit-3.15.4-12.1
      mozilla-nss-sysinit-debuginfo-32bit-3.15.4-12.1

   - openSUSE 12.3 (i586 x86_64):

      MozillaFirefox-27.0-1.47.2
      MozillaFirefox-branding-upstream-27.0-1.47.2
      MozillaFirefox-buildsymbols-27.0-1.47.2
      MozillaFirefox-debuginfo-27.0-1.47.2
      MozillaFirefox-debugsource-27.0-1.47.2
      MozillaFirefox-devel-27.0-1.47.2
      MozillaFirefox-translations-common-27.0-1.47.2
      MozillaFirefox-translations-other-27.0-1.47.2
      MozillaThunderbird-24.3.0-61.39.2
      MozillaThunderbird-buildsymbols-24.3.0-61.39.2
      MozillaThunderbird-debuginfo-24.3.0-61.39.2
      MozillaThunderbird-debugsource-24.3.0-61.39.2
      MozillaThunderbird-devel-24.3.0-61.39.2
      MozillaThunderbird-translations-common-24.3.0-61.39.2
      MozillaThunderbird-translations-other-24.3.0-61.39.2
      enigmail-1.6.0+24.3.0-61.39.2
      enigmail-debuginfo-1.6.0+24.3.0-61.39.2
      libfreebl3-3.15.4-1.28.1
      libfreebl3-debuginfo-3.15.4-1.28.1
      libsoftokn3-3.15.4-1.28.1
      libsoftokn3-debuginfo-3.15.4-1.28.1
      mozilla-nss-3.15.4-1.28.1
      mozilla-nss-certs-3.15.4-1.28.1
      mozilla-nss-certs-debuginfo-3.15.4-1.28.1
      mozilla-nss-debuginfo-3.15.4-1.28.1
      mozilla-nss-debugsource-3.15.4-1.28.1
      mozilla-nss-devel-3.15.4-1.28.1
      mozilla-nss-sysinit-3.15.4-1.28.1
      mozilla-nss-sysinit-debuginfo-3.15.4-1.28.1
      mozilla-nss-tools-3.15.4-1.28.1
      mozilla-nss-tools-debuginfo-3.15.4-1.28.1
      seamonkey-2.24-1.33.2
      seamonkey-debuginfo-2.24-1.33.2
      seamonkey-debugsource-2.24-1.33.2
      seamonkey-dom-inspector-2.24-1.33.2
      seamonkey-irc-2.24-1.33.2
      seamonkey-translations-common-2.24-1.33.2
      seamonkey-translations-other-2.24-1.33.2
      seamonkey-venkman-2.24-1.33.2

   - openSUSE 12.3 (x86_64):

      libfreebl3-32bit-3.15.4-1.28.1
      libfreebl3-debuginfo-32bit-3.15.4-1.28.1
      libsoftokn3-32bit-3.15.4-1.28.1
      libsoftokn3-debuginfo-32bit-3.15.4-1.28.1
      mozilla-nss-32bit-3.15.4-1.28.1
      mozilla-nss-certs-32bit-3.15.4-1.28.1
      mozilla-nss-certs-debuginfo-32bit-3.15.4-1.28.1
      mozilla-nss-debuginfo-32bit-3.15.4-1.28.1
      mozilla-nss-sysinit-32bit-3.15.4-1.28.1
      mozilla-nss-sysinit-debuginfo-32bit-3.15.4-1.28.1
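
One way to confirm that the fixed builds actually landed on an openSUSE 13.1 host, as an added example that is not part of the original advisory. The function and variable names and the sample input are assumptions made for illustration; the fixed versions are copied from the package list above.

```shell
#!/bin/sh
# Added example: flag packages still below the fixed builds listed in this
# advisory for openSUSE 13.1. Input: "name version-release" lines, as printed by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
# Comparison uses `sort -V`, an approximation of rpm's own version ordering.

# Fixed builds for openSUSE 13.1, copied from the package list above.
FIXED_131='MozillaFirefox 27.0-8.1
MozillaThunderbird 24.3.0-70.11.1
seamonkey 2.24-8.1
mozilla-nss 3.15.4-12.1
libfreebl3 3.15.4-12.1
libsoftokn3 3.15.4-12.1'

# version_lt A B: succeed when A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_packages: read installed "name version-release" lines on stdin and
# print one "name installed < fixed" line per package below the fixed build.
outdated_packages() {
    while read -r name installed; do
        fixed=$(printf '%s\n' "$FIXED_131" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue      # package not covered by this advisory
        if version_lt "$installed" "$fixed"; then
            printf '%s %s < %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# Constructed sample input (not from a real host): Firefox and NSS are stale,
# Thunderbird is already at the fixed build, and vim is not covered.
SAMPLE='MozillaFirefox 26.0-4.1
MozillaThunderbird 24.3.0-70.11.1
mozilla-nss 3.15.3.1-8.1
vim 7.4-3.1'

printf '%s\n' "$SAMPLE" | outdated_packages
```

On a live system, pipe the `rpm -q --qf` output shown in the header comment into `outdated_packages`; empty output means every covered package is at or above the fixed build.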


References:


-- 

openSUSE: 2014:0212-1: important: Mozilla Firefox 27 release

February 8, 2014