SUSE Security Update: Security update for MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr and mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2061-1
Rating:             important
References:         #983549 #983638 #983639 #983643 #983646 #983651 
                    #983652 #983653 #983655 #984006 #985659 #989196 
                    #990628 #990856 #991809 
Cross-References:   CVE-2016-2815 CVE-2016-2818 CVE-2016-2819
                    CVE-2016-2821 CVE-2016-2822 CVE-2016-2824
                    CVE-2016-2828 CVE-2016-2830 CVE-2016-2831
                    CVE-2016-2834 CVE-2016-2835 CVE-2016-2836
                    CVE-2016-2837 CVE-2016-2838 CVE-2016-2839
                    CVE-2016-5252 CVE-2016-5254 CVE-2016-5258
                    CVE-2016-5259 CVE-2016-5262 CVE-2016-5263
                    CVE-2016-5264 CVE-2016-5265 CVE-2016-6354
                   
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 24 vulnerabilities is now available.

Description:

   MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr and  mozilla-nss
   were updated to fix nine security issues.

   MozillaFirefox was updated to version 45.3.0 ESR. mozilla-nss was updated
   to version 3.21.1, mozilla-nspr to version 4.12.

   These security issues were fixed in 45.3.0ESR:
   - CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards
     (rv:48.0 / rv:45.3) (MFSA 2016-62)
   - CVE-2016-2830: Favicon network connection can persist when page is
     closed (MFSA 2016-63)
   - CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content
     (MFSA 2016-64)
   - CVE-2016-2839: Cairo rendering crash due to memory allocation issue with
     FFmpeg 0.10 (MFSA 2016-65)
   - CVE-2016-5252: Stack underflow during 2D graphics rendering (MFSA
     2016-67)
   - CVE-2016-5254: Use-after-free when using alt key and toplevel menus
     (MFSA 2016-70)
   - CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown
     (MFSA 2016-72)
   - CVE-2016-5259: Use-after-free in service workers with nested sync events
     (MFSA 2016-73)
   - CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes
     (MFSA 2016-76)
   - CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module
     (CDM) during video playback (MFSA 2016-77)
   - CVE-2016-5263: Type confusion in display transformation (MFSA 2016-78)
   - CVE-2016-5264: Use-after-free when applying SVG effects (MFSA 2016-79)
   - CVE-2016-5265: Same-origin policy violation using local HTML file and
     saved shortcut file (MFSA 2016-80)
   - CVE-2016-6354: Fix for possible buffer overrun (bsc#990856)

   Security issues fixed in 45.2.0.ESR:
   - CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).
   - CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53)
     (bsc#983651).
   - CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA
     2016-52) (bsc#983652).
   - CVE-2016-2821: Use-after-free deleting tables from a contenteditable
     document (MFSA 2016-51) (bsc#983653).
   - CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)
     (bsc#983655).
   - CVE-2016-2828: Use-after-free when textures are used in WebGL operations
     after recycle pool destruction (MFSA 2016-56) (bsc#983646).
   - CVE-2016-2831: Entering fullscreen and persistent pointerlock without
     user permission (MFSA 2016-58) (bsc#983643).
   - CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA
     2016-49) (bsc#983638)

   These non-security issues were fixed:
   - Fix crashes on aarch64
     * Determine page size at runtime (bsc#984006)
     * Allow aarch64 to work in safe mode (bsc#985659)
   - Fix crashes on mainframes
   - Temporarily bind Firefox to the first CPU as a hotfix for an apparent
     race condition (bsc#989196, bsc#990628)

   All extensions must now be signed by addons.mozilla.org. Please read
   README.SUSE for more details.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-MozillaFirefox-12690=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-MozillaFirefox-12690=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      MozillaFirefox-45.3.0esr-48.1
      MozillaFirefox-branding-SLED-45.0-20.38
      MozillaFirefox-translations-45.3.0esr-48.1
      firefox-fontconfig-2.11.0-4.2
      libfreebl3-3.21.1-26.2
      mozilla-nspr-4.12-25.2
      mozilla-nspr-devel-4.12-25.2
      mozilla-nss-3.21.1-26.2
      mozilla-nss-devel-3.21.1-26.2
      mozilla-nss-tools-3.21.1-26.2

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      libfreebl3-32bit-3.21.1-26.2
      mozilla-nspr-32bit-4.12-25.2
      mozilla-nss-32bit-3.21.1-26.2

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-45.3.0esr-48.1
      MozillaFirefox-debugsource-45.3.0esr-48.1
      firefox-fontconfig-debuginfo-2.11.0-4.2
      mozilla-nspr-debuginfo-4.12-25.2
      mozilla-nspr-debugsource-4.12-25.2
      mozilla-nss-debuginfo-3.21.1-26.2
      mozilla-nss-debugsource-3.21.1-26.2

   - SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):

      firefox-fontconfig-debugsource-2.11.0-4.2
      mozilla-nspr-debuginfo-32bit-4.12-25.2
      mozilla-nss-debuginfo-32bit-3.21.1-26.2


References:

   https://www.suse.com/security/cve/CVE-2016-2815.html
   https://www.suse.com/security/cve/CVE-2016-2818.html
   https://www.suse.com/security/cve/CVE-2016-2819.html
   https://www.suse.com/security/cve/CVE-2016-2821.html
   https://www.suse.com/security/cve/CVE-2016-2822.html
   https://www.suse.com/security/cve/CVE-2016-2824.html
   https://www.suse.com/security/cve/CVE-2016-2828.html
   https://www.suse.com/security/cve/CVE-2016-2830.html
   https://www.suse.com/security/cve/CVE-2016-2831.html
   https://www.suse.com/security/cve/CVE-2016-2834.html
   https://www.suse.com/security/cve/CVE-2016-2835.html
   https://www.suse.com/security/cve/CVE-2016-2836.html
   https://www.suse.com/security/cve/CVE-2016-2837.html
   https://www.suse.com/security/cve/CVE-2016-2838.html
   https://www.suse.com/security/cve/CVE-2016-2839.html
   https://www.suse.com/security/cve/CVE-2016-5252.html
   https://www.suse.com/security/cve/CVE-2016-5254.html
   https://www.suse.com/security/cve/CVE-2016-5258.html
   https://www.suse.com/security/cve/CVE-2016-5259.html
   https://www.suse.com/security/cve/CVE-2016-5262.html
   https://www.suse.com/security/cve/CVE-2016-5263.html
   https://www.suse.com/security/cve/CVE-2016-5264.html
   https://www.suse.com/security/cve/CVE-2016-5265.html
   https://www.suse.com/security/cve/CVE-2016-6354.html
   https://bugzilla.suse.com/983549
   https://bugzilla.suse.com/983638
   https://bugzilla.suse.com/983639
   https://bugzilla.suse.com/983643
   https://bugzilla.suse.com/983646
   https://bugzilla.suse.com/983651
   https://bugzilla.suse.com/983652
   https://bugzilla.suse.com/983653
   https://bugzilla.suse.com/983655
   https://bugzilla.suse.com/984006
   https://bugzilla.suse.com/985659
   https://bugzilla.suse.com/989196
   https://bugzilla.suse.com/990628
   https://bugzilla.suse.com/990856
   https://bugzilla.suse.com/991809

SuSE: 2016:2061-1: important: MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr and mozilla-nss

August 12, 2016
An update that fixes 24 vulnerabilities is now available

Summary

MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr and mozilla-nss were updated to fix nine security issues. MozillaFirefox was updated to version 45.3.0 ESR. mozilla-nss was updated to version 3.21.1, mozilla-nspr to version 4.12. These security issues were fixed in 45.3.0ESR: - CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) (MFSA 2016-62) - CVE-2016-2830: Favicon network connection can persist when page is closed (MFSA 2016-63) - CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content (MFSA 2016-64) - CVE-2016-2839: Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 (MFSA 2016-65) - CVE-2016-5252: Stack underflow during 2D graphics rendering (MFSA 2016-67) - CVE-2016-5254: Use-after-free when using alt key and toplevel menus (MFSA 2016-70) - CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown (MFSA 2016-72) - CVE-2016-5259: Use-after-free in service workers with nested sync events (MFSA 2016-73) - CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes (MFSA 2016-76) - CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback (MFSA 2016-77) - CVE-2016-5263: Type confusion in display transformation (MFSA 2016-78) - CVE-2016-5264: Use-after-free when applying SVG effects (MFSA 2016-79) - CVE-2016-5265: Same-origin policy violation using local HTML file and saved shortcut file (MFSA 2016-80) - CVE-2016-6354: Fix for possible buffer overrun (bsc#990856) Security issues fixed in 45.2.0.ESR: - CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639). - CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651). - CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA 2016-52) (bsc#983652). - CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) (bsc#983653). - CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) (bsc#983655). - CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) (bsc#983646). - CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58) (bsc#983643). - CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA 2016-49) (bsc#983638) These non-security issues were fixed: - Fix crashes on aarch64 * Determine page size at runtime (bsc#984006) * Allow aarch64 to work in safe mode (bsc#985659) - Fix crashes on mainframes - Temporarily bind Firefox to the first CPU as a hotfix for an apparent race condition (bsc#989196, bsc#990628) All extensions must now be signed by addons.mozilla.org. Please read README.SUSE for more details. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP2-LTSS: zypper in -t patch slessp2-MozillaFirefox-12690=1 - SUSE Linux Enterprise Debuginfo 11-SP2: zypper in -t patch dbgsp2-MozillaFirefox-12690=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64): MozillaFirefox-45.3.0esr-48.1 MozillaFirefox-branding-SLED-45.0-20.38 MozillaFirefox-translations-45.3.0esr-48.1 firefox-fontconfig-2.11.0-4.2 libfreebl3-3.21.1-26.2 mozilla-nspr-4.12-25.2 mozilla-nspr-devel-4.12-25.2 mozilla-nss-3.21.1-26.2 mozilla-nss-devel-3.21.1-26.2 mozilla-nss-tools-3.21.1-26.2 - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64): libfreebl3-32bit-3.21.1-26.2 mozilla-nspr-32bit-4.12-25.2 mozilla-nss-32bit-3.21.1-26.2 - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64): MozillaFirefox-debuginfo-45.3.0esr-48.1 MozillaFirefox-debugsource-45.3.0esr-48.1 firefox-fontconfig-debuginfo-2.11.0-4.2 mozilla-nspr-debuginfo-4.12-25.2 mozilla-nspr-debugsource-4.12-25.2 mozilla-nss-debuginfo-3.21.1-26.2 mozilla-nss-debugsource-3.21.1-26.2 - SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64): firefox-fontconfig-debugsource-2.11.0-4.2 mozilla-nspr-debuginfo-32bit-4.12-25.2 mozilla-nss-debuginfo-32bit-3.21.1-26.2

References

#983549 #983638 #983639 #983643 #983646 #983651

#983652 #983653 #983655 #984006 #985659 #989196

#990628 #990856 #991809

Cross- CVE-2016-2815 CVE-2016-2818 CVE-2016-2819

CVE-2016-2821 CVE-2016-2822 CVE-2016-2824

CVE-2016-2828 CVE-2016-2830 CVE-2016-2831

CVE-2016-2834 CVE-2016-2835 CVE-2016-2836

CVE-2016-2837 CVE-2016-2838 CVE-2016-2839

CVE-2016-5252 CVE-2016-5254 CVE-2016-5258

CVE-2016-5259 CVE-2016-5262 CVE-2016-5263

CVE-2016-5264 CVE-2016-5265 CVE-2016-6354

Affected Products:

SUSE Linux Enterprise Server 11-SP2-LTSS

SUSE Linux Enterprise Debuginfo 11-SP2

https://www.suse.com/security/cve/CVE-2016-2815.html

https://www.suse.com/security/cve/CVE-2016-2818.html

https://www.suse.com/security/cve/CVE-2016-2819.html

https://www.suse.com/security/cve/CVE-2016-2821.html

https://www.suse.com/security/cve/CVE-2016-2822.html

https://www.suse.com/security/cve/CVE-2016-2824.html

https://www.suse.com/security/cve/CVE-2016-2828.html

https://www.suse.com/security/cve/CVE-2016-2830.html

https://www.suse.com/security/cve/CVE-2016-2831.html

https://www.suse.com/security/cve/CVE-2016-2834.html

https://www.suse.com/security/cve/CVE-2016-2835.html

https://www.suse.com/security/cve/CVE-2016-2836.html

https://www.suse.com/security/cve/CVE-2016-2837.html

https://www.suse.com/security/cve/CVE-2016-2838.html

https://www.suse.com/security/cve/CVE-2016-2839.html

https://www.suse.com/security/cve/CVE-2016-5252.html

https://www.suse.com/security/cve/CVE-2016-5254.html

https://www.suse.com/security/cve/CVE-2016-5258.html

https://www.suse.com/security/cve/CVE-2016-5259.html

https://www.suse.com/security/cve/CVE-2016-5262.html

https://www.suse.com/security/cve/CVE-2016-5263.html

https://www.suse.com/security/cve/CVE-2016-5264.html

https://www.suse.com/security/cve/CVE-2016-5265.html

https://www.suse.com/security/cve/CVE-2016-6354.html

https://bugzilla.suse.com/983549

https://bugzilla.suse.com/983638

https://bugzilla.suse.com/983639

https://bugzilla.suse.com/983643

https://bugzilla.suse.com/983646

https://bugzilla.suse.com/983651

https://bugzilla.suse.com/983652

https://bugzilla.suse.com/983653

https://bugzilla.suse.com/983655

https://bugzilla.suse.com/984006

https://bugzilla.suse.com/985659

https://bugzilla.suse.com/989196

https://bugzilla.suse.com/990628

https://bugzilla.suse.com/990856

https://bugzilla.suse.com/991809

Severity
Announcement ID: SUSE-SU-2016:2061-1
Rating: important

Related News

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security
2 - 4 min read
Google Chrome remains the crown jewel in the browser market, with an impressive user base of approximately 3.45 billion. However, this immense
Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved