openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:2026-1
Rating:             important
References:         #984126 #984403 #984637 #986541 #991809 
Cross-References:   CVE-2016-0718 CVE-2016-2830 CVE-2016-2835
                    CVE-2016-2836 CVE-2016-2837 CVE-2016-2838
                    CVE-2016-2839 CVE-2016-5250 CVE-2016-5251
                    CVE-2016-5252 CVE-2016-5254 CVE-2016-5255
                    CVE-2016-5258 CVE-2016-5259 CVE-2016-5260
                    CVE-2016-5261 CVE-2016-5262 CVE-2016-5263
                    CVE-2016-5264 CVE-2016-5265 CVE-2016-5266
                    CVE-2016-5268
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 22 vulnerabilities is now available.

Description:

   Mozilla Firefox was updated to 48.0 to fix security issues, bugs, and
   deliver various improvements.

   The following major changes are included:

   - Process separation (e10s) is enabled for some users   - Add-ons that have not been verified and signed by Mozilla will not load
   - WebRTC enhancements
   - The media parser has been redeveloped using the Rust programming language
   - better Canvas performance with speedy Skia support
   - Now requires NSS 3.24

   The following security issues were fixed: (boo#991809)

   - CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards
   - CVE-2016-2830: Favicon network connection can persist when page is closed
   - CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content
   - CVE-2016-2839: Cairo rendering crash due to memory allocation issue with
     FFmpeg 0.10
   - CVE-2016-5251: Location bar spoofing via data URLs with
     malformed/invalid mediatypes
   - CVE-2016-5252: Stack underflow during 2D graphics rendering
   - CVE-2016-0718: Out-of-bounds read during XML parsing in Expat library
   - CVE-2016-5254: Use-after-free when using alt key and toplevel menus
   - CVE-2016-5255: Crash in incremental garbage collection in JavaScript
   - CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown
   - CVE-2016-5259: Use-after-free in service workers with nested sync events
   - CVE-2016-5260: Form input type change from password to text can store
     plain text password in session restore file
   - CVE-2016-5261: Integer overflow in WebSockets during data buffering
   - CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes
   - CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module
     (CDM) during video playback
   - CVE-2016-5263: Type confusion in display transformation
   - CVE-2016-5264: Use-after-free when applying SVG effects
   - CVE-2016-5265: Same-origin policy violation using local HTML file and
     saved shortcut file
   - CVE-2016-5266: Information disclosure and local file manipulation
     through drag and drop
   - CVE-2016-5268: Spoofing attack through text injection into internal
     error pages
   - CVE-2016-5250: Information disclosure through Resource Timing API during
     page navigation

   The following non-security changes are included:

   - The AppData description and screenshots were updated.
   - Fix Firefox crash on startup on i586 (boo#986541)
   - The Selenium WebDriver may have caused Firefox to crash at startup
   - fix build issues with gcc/binutils combination used in Leap 42.2
     (boo#984637)
   - Fix running on 48bit va aarch64 (boo#984126)
   - fix XUL dialog button order under KDE session (boo#984403)

   Mozilla NSS was updated to 3.24 as a dependency.

   Changes in mozilla-nss:

   - NSS softoken updated with latest NIST guidance
   - NSS softoken updated to allow NSS to run in FIPS Level 1 (no password)
   - Various added and deprecated functions
   - Remove most code related to SSL v2, including the ability to actively
     send a SSLv2-compatible client hello.
   - Protect against the Cachebleed attack.
   - Disable support for DTLS compression.
   - Improve support for TLS 1.3. This includes support for DTLS 1.3.
     (experimental)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch 2016-960=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-48.0-119.1
      MozillaFirefox-branding-upstream-48.0-119.1
      MozillaFirefox-buildsymbols-48.0-119.1
      MozillaFirefox-debuginfo-48.0-119.1
      MozillaFirefox-debugsource-48.0-119.1
      MozillaFirefox-devel-48.0-119.1
      MozillaFirefox-translations-common-48.0-119.1
      MozillaFirefox-translations-other-48.0-119.1
      libfreebl3-3.24-83.1
      libfreebl3-debuginfo-3.24-83.1
      libsoftokn3-3.24-83.1
      libsoftokn3-debuginfo-3.24-83.1
      mozilla-nss-3.24-83.1
      mozilla-nss-certs-3.24-83.1
      mozilla-nss-certs-debuginfo-3.24-83.1
      mozilla-nss-debuginfo-3.24-83.1
      mozilla-nss-debugsource-3.24-83.1
      mozilla-nss-devel-3.24-83.1
      mozilla-nss-sysinit-3.24-83.1
      mozilla-nss-sysinit-debuginfo-3.24-83.1
      mozilla-nss-tools-3.24-83.1
      mozilla-nss-tools-debuginfo-3.24-83.1

   - openSUSE 13.1 (x86_64):

      libfreebl3-32bit-3.24-83.1
      libfreebl3-debuginfo-32bit-3.24-83.1
      libsoftokn3-32bit-3.24-83.1
      libsoftokn3-debuginfo-32bit-3.24-83.1
      mozilla-nss-32bit-3.24-83.1
      mozilla-nss-certs-32bit-3.24-83.1
      mozilla-nss-certs-debuginfo-32bit-3.24-83.1
      mozilla-nss-debuginfo-32bit-3.24-83.1
      mozilla-nss-sysinit-32bit-3.24-83.1
      mozilla-nss-sysinit-debuginfo-32bit-3.24-83.1


References:

   https://www.suse.com/security/cve/CVE-2016-0718.html
   https://www.suse.com/security/cve/CVE-2016-2830.html
   https://www.suse.com/security/cve/CVE-2016-2835.html
   https://www.suse.com/security/cve/CVE-2016-2836.html
   https://www.suse.com/security/cve/CVE-2016-2837.html
   https://www.suse.com/security/cve/CVE-2016-2838.html
   https://www.suse.com/security/cve/CVE-2016-2839.html
   https://www.suse.com/security/cve/CVE-2016-5250.html
   https://www.suse.com/security/cve/CVE-2016-5251.html
   https://www.suse.com/security/cve/CVE-2016-5252.html
   https://www.suse.com/security/cve/CVE-2016-5254.html
   https://www.suse.com/security/cve/CVE-2016-5255.html
   https://www.suse.com/security/cve/CVE-2016-5258.html
   https://www.suse.com/security/cve/CVE-2016-5259.html
   https://www.suse.com/security/cve/CVE-2016-5260.html
   https://www.suse.com/security/cve/CVE-2016-5261.html
   https://www.suse.com/security/cve/CVE-2016-5262.html
   https://www.suse.com/security/cve/CVE-2016-5263.html
   https://www.suse.com/security/cve/CVE-2016-5264.html
   https://www.suse.com/security/cve/CVE-2016-5265.html
   https://www.suse.com/security/cve/CVE-2016-5266.html
   https://www.suse.com/security/cve/CVE-2016-5268.html
   https://bugzilla.suse.com/984126
   https://bugzilla.suse.com/984403
   https://bugzilla.suse.com/984637
   https://bugzilla.suse.com/986541
   https://bugzilla.suse.com/991809

openSUSE: 2016:2026-1: important: MozillaFirefox, mozilla-nss

August 11, 2016
An update that fixes 22 vulnerabilities is now available

Description

Mozilla Firefox was updated to 48.0 to fix security issues, bugs, and deliver various improvements. The following major changes are included: - Process separation (e10s) is enabled for some users - Add-ons that have not been verified and signed by Mozilla will not load - WebRTC enhancements - The media parser has been redeveloped using the Rust programming language - better Canvas performance with speedy Skia support - Now requires NSS 3.24 The following security issues were fixed: (boo#991809) - CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards - CVE-2016-2830: Favicon network connection can persist when page is closed - CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content - CVE-2016-2839: Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 - CVE-2016-5251: Location bar spoofing via data URLs with malformed/invalid mediatypes - CVE-2016-5252: Stack underflow during 2D graphics rendering - CVE-2016-0718: Out-of-bounds read during XML parsing in Expat library - CVE-2016-5254: Use-after-free when using alt key and toplevel menus - CVE-2016-5255: Crash in incremental garbage collection in JavaScript - CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown - CVE-2016-5259: Use-after-free in service workers with nested sync events - CVE-2016-5260: Form input type change from password to text can store plain text password in session restore file - CVE-2016-5261: Integer overflow in WebSockets during data buffering - CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes - CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback - CVE-2016-5263: Type confusion in display transformation - CVE-2016-5264: Use-after-free when applying SVG effects - CVE-2016-5265: Same-origin policy violation using local HTML file and saved shortcut file - CVE-2016-5266: Information disclosure and local file manipulation through drag and drop - CVE-2016-5268: Spoofing attack through text injection into internal error pages - CVE-2016-5250: Information disclosure through Resource Timing API during page navigation The following non-security changes are included: - The AppData description and screenshots were updated. - Fix Firefox crash on startup on i586 (boo#986541) - The Selenium WebDriver may have caused Firefox to crash at startup - fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637) - Fix running on 48bit va aarch64 (boo#984126) - fix XUL dialog button order under KDE session (boo#984403) Mozilla NSS was updated to 3.24 as a dependency. Changes in mozilla-nss: - NSS softoken updated with latest NIST guidance - NSS softoken updated to allow NSS to run in FIPS Level 1 (no password) - Various added and deprecated functions - Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible client hello. - Protect against the Cachebleed attack. - Disable support for DTLS compression. - Improve support for TLS 1.3. This includes support for DTLS 1.3. (experimental)

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch 2016-960=1 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 13.1 (i586 x86_64): MozillaFirefox-48.0-119.1 MozillaFirefox-branding-upstream-48.0-119.1 MozillaFirefox-buildsymbols-48.0-119.1 MozillaFirefox-debuginfo-48.0-119.1 MozillaFirefox-debugsource-48.0-119.1 MozillaFirefox-devel-48.0-119.1 MozillaFirefox-translations-common-48.0-119.1 MozillaFirefox-translations-other-48.0-119.1 libfreebl3-3.24-83.1 libfreebl3-debuginfo-3.24-83.1 libsoftokn3-3.24-83.1 libsoftokn3-debuginfo-3.24-83.1 mozilla-nss-3.24-83.1 mozilla-nss-certs-3.24-83.1 mozilla-nss-certs-debuginfo-3.24-83.1 mozilla-nss-debuginfo-3.24-83.1 mozilla-nss-debugsource-3.24-83.1 mozilla-nss-devel-3.24-83.1 mozilla-nss-sysinit-3.24-83.1 mozilla-nss-sysinit-debuginfo-3.24-83.1 mozilla-nss-tools-3.24-83.1 mozilla-nss-tools-debuginfo-3.24-83.1 - openSUSE 13.1 (x86_64): libfreebl3-32bit-3.24-83.1 libfreebl3-debuginfo-32bit-3.24-83.1 libsoftokn3-32bit-3.24-83.1 libsoftokn3-debuginfo-32bit-3.24-83.1 mozilla-nss-32bit-3.24-83.1 mozilla-nss-certs-32bit-3.24-83.1 mozilla-nss-certs-debuginfo-32bit-3.24-83.1 mozilla-nss-debuginfo-32bit-3.24-83.1 mozilla-nss-sysinit-32bit-3.24-83.1 mozilla-nss-sysinit-debuginfo-32bit-3.24-83.1


References

https://www.suse.com/security/cve/CVE-2016-0718.html https://www.suse.com/security/cve/CVE-2016-2830.html https://www.suse.com/security/cve/CVE-2016-2835.html https://www.suse.com/security/cve/CVE-2016-2836.html https://www.suse.com/security/cve/CVE-2016-2837.html https://www.suse.com/security/cve/CVE-2016-2838.html https://www.suse.com/security/cve/CVE-2016-2839.html https://www.suse.com/security/cve/CVE-2016-5250.html https://www.suse.com/security/cve/CVE-2016-5251.html https://www.suse.com/security/cve/CVE-2016-5252.html https://www.suse.com/security/cve/CVE-2016-5254.html https://www.suse.com/security/cve/CVE-2016-5255.html https://www.suse.com/security/cve/CVE-2016-5258.html https://www.suse.com/security/cve/CVE-2016-5259.html https://www.suse.com/security/cve/CVE-2016-5260.html https://www.suse.com/security/cve/CVE-2016-5261.html https://www.suse.com/security/cve/CVE-2016-5262.html https://www.suse.com/security/cve/CVE-2016-5263.html https://www.suse.com/security/cve/CVE-2016-5264.html https://www.suse.com/security/cve/CVE-2016-5265.html https://www.suse.com/security/cve/CVE-2016-5266.html https://www.suse.com/security/cve/CVE-2016-5268.html https://bugzilla.suse.com/984126 https://bugzilla.suse.com/984403 https://bugzilla.suse.com/984637 https://bugzilla.suse.com/986541 https://bugzilla.suse.com/991809


Severity
Announcement ID: openSUSE-SU-2016:2026-1
Rating: important
Affected Products: openSUSE 13.1 .

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
The Kinsing hacker group, or H2Miner, has been orchestrating illicit cryptocurrency mining campaigns since 2019 and poses a persistent security
32.Lock Code Circular Esm H320
2 - 3 min read
The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its
4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved