SUSE: 2019:14260-1 important: MozillaFirefox, mozilla-nspr, mozilla-nss
Summary
This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues: Update Firefox Extended Support Release to 68.3.0 ESR (MFSA 2019-37 / bsc#1158328) Security issues fixed: - CVE-2019-17008: Use-after-free in worker destruction (bmo#1546331). - CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code (bmo#1580156). - CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher (bmo#1586176). - CVE-2019-17009: Updater temporary files accessible to unprivileged processes (bmo#1510494). - CVE-2019-17010: Use-after-free when performing device orientation checks (bmo#1581084). - CVE-2019-17005: Buffer overflow in plain text serializer (bmo#1584170). - CVE-2019-17011: Use-after-free when retrieving a document in antitracking (bmo#1591334). - CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502). Update mozilla-nss to version 3.47.1 (bsc#1158527): Security issues fixed: - CVE-2019-11745: EncryptUpdate should use maxout, not block size. Bug fixes: - Fix a crash that could be caused by client certificates during startup (bmo#1590495, bsc#1158527) - Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810) - Support AES HW acceleration on ARMv8 (bmo#1152625) - Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894) - Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501) - Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953) Update mozilla-nspr to version 4.23: Bug fixes: - fixed a build failure that was introduced in 4.22 - correctness fix for Win64 socket polling - whitespace in C files was cleaned up and no longer uses tab characters for indenting - added support for the ARC architecture - removed support for the following platforms: OSF1/Tru64, DGUX, IRIX, Symbian, BeOS - correctness and build fixes Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-14260=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-68.3.0-78.54.1 MozillaFirefox-translations-common-68.3.0-78.54.1 MozillaFirefox-translations-other-68.3.0-78.54.1 libfreebl3-3.47.1-38.12.1 libfreebl3-32bit-3.47.1-38.12.1 libsoftokn3-3.47.1-38.12.1 libsoftokn3-32bit-3.47.1-38.12.1 mozilla-nspr-32bit-4.23-29.9.1 mozilla-nspr-4.23-29.9.1 mozilla-nspr-devel-4.23-29.9.1 mozilla-nss-3.47.1-38.12.1 mozilla-nss-32bit-3.47.1-38.12.1 mozilla-nss-certs-3.47.1-38.12.1 mozilla-nss-certs-32bit-3.47.1-38.12.1 mozilla-nss-devel-3.47.1-38.12.1 mozilla-nss-tools-3.47.1-38.12.1
References
#1158328 #1158527
Cross- CVE-2019-11745 CVE-2019-13722 CVE-2019-17005
CVE-2019-17008 CVE-2019-17009 CVE-2019-17010
CVE-2019-17011 CVE-2019-17012
Affected Products:
SUSE Linux Enterprise Server 11-SP4-LTSS
https://www.suse.com/security/cve/CVE-2019-11745.html
https://www.suse.com/security/cve/CVE-2019-13722.html
https://www.suse.com/security/cve/CVE-2019-17005.html
https://www.suse.com/security/cve/CVE-2019-17008.html
https://www.suse.com/security/cve/CVE-2019-17009.html
https://www.suse.com/security/cve/CVE-2019-17010.html
https://www.suse.com/security/cve/CVE-2019-17011.html
https://www.suse.com/security/cve/CVE-2019-17012.html
https://bugzilla.suse.com/1158328
https://bugzilla.suse.com/1158527