Explore top 10 tips to secure your open-source projects now. Read More
×An update that fixes two vulnerabilities is now available. An update that fixes two vulnerabilities is now available. An update that fixes two vulnerabilities is now available.. openSUSE Security Update: Security update for xulrunner ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:0310-1 Rating: important References: #963632 #963635 Cross-References: CVE-2016-1930 CVE-2016-1935 Affected Products: openSUSE Leap 42.1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: XULRunner was updated to 38.6.0 to fix two security issues. The following vulnerabilities were fixed: * CVE-2016-1930: Miscellaneous memory safety hazards (boo#963632) * CVE-2016-1935: Buffer overflow in WebGL after out of memory allocation (boo#963635) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-127=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): xulrunner-38.6.0-10.2 xulrunner-debuginfo-38.6.0-10.2 xulrunner-debugsource-38.6.0-10.2 xulrunner-devel-38.6.0-10.2 - openSUSE Leap 42.1 (x86_64): xulrunner-32bit-38.6.0-10.2 xulrunner-debuginfo-32bit-38.6.0-10.2 References: https://www.suse.com/security/cve/CVE-2016-1930.html https://www.suse.com/security/cve/CVE-2016-1935.html https://bugzilla.suse.com/963632 https://bugzilla.suse.com/963635 . Critical security patch for Fedora resolved two vulnerabilities in webkitgtk, improving overall system integrity and resilience.. openSUSE Update,xulrunner Security,Patch Instructions,Threat Mitigation. . Severity: Important. LinuxSecurity.com Team
An update that fixes 7 vulnerabilities is now available. An update that fixes 7 vulnerabilities is now available. An update that fixes 7 vulnerabilities is now available.. openSUSE Security Update: Security update for xulrunner ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:2380-1 Rating: important References: #959277 Cross-References: CVE-2015-7201 CVE-2015-7205 CVE-2015-7210 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214 CVE-2015-7222 Affected Products: openSUSE Leap 42.1 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: Xulrunner was updated to 38.5.0 to fix several security issues. The following vulnerabilities were fixed (boo#959277): * CVE-2015-7201: Miscellaneous memory safety hazards * CVE-2015-7210: Use-after-free in WebRTC when datachannel is used after being destroyed * CVE-2015-7212: Integer overflow allocating extremely large textures * CVE-2015-7205: Underflow through code inspection * CVE-2015-7213: Integer overflow in MP4 playback in 64-bit versions * CVE-2015-7222: Integer underflow and buffer overflow processing MP4 metadata in libstagefright * CVE-2015-7214: Cross-site reading attack through data and view-source URIs Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2015-966=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): xulrunner-38.5.0-7.1 xulrunner-debuginfo-38.5.0-7.1 xulrunner-debugsource-38.5.0-7.1 xulrunner-devel-38.5.0-7.1 - openSUSE Leap 42.1 (x86_64): xulrunner-32bit-38.5.0-7.1 xulrunner-debuginfo-32bit-38.5.0-7.1 References: https://www.suse.com/security/cve/CVE-2015-7201.html https://www.suse.com/security/cve/CVE-2015-7205.html https://www.suse.com/security/cve/CVE-2015-7210.html https://www.suse.com/security/cve/CVE-2015-7212.html https://www.suse.com/security/cve/CVE-2015-7213.html https://www.suse.com/security/cve/CVE-2015-7214.html https://www.suse.com/security/cve/CVE-2015-7222.html https://bugzilla.suse.com/show_bug.cgi?id=959277 . Important patch issued for xulrunner correcting several vulnerabilities. Detailed guidance for applying the update provided.. openSUSE update,xulrunner patch,security flaws,openSUSE fixes. . Severity: Important. LinuxSecurity.com Team
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2015:1982-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2015:1982.html Issue date: 2015-11-04 CVE Names: CVE-2015-4513 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 ==================================================================== 1. Summary: Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat EnterpriseLinux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7197) A same-origin policy bypass flaw was found in the way Firefox handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Firefox to disclose sensitive information. (CVE-2015-7193) A same-origin policy bypass flaw was found in the way Firefox handled URLs containing IP addresses with white-space characters. This could lead to cross-site scripting attacks. (CVE-2015-7188) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong, Michał Bentkowski, Looben Yang, Shinto K Anto, Gustavo Grieco, Vytautas Staraitis, Ronald Crane, and Ehsan Akhgari as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.4.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1277332 - CVE-2015-4513 Mozilla: Miscellaneousmemory safety hazards (rv:38.4) (MFSA 2015-116) 1277343 - CVE-2015-7188 Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122) 1277344 - CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123) 1277346 - CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127) 1277347 - CVE-2015-7194 Mozilla: Memory corruption in libjar through zip files (MFSA 2015-128) 1277349 - CVE-2015-7196 Mozilla: JavaScript garbage collection crash with Java applet (MFSA 2015-130) 1277350 - CVE-2015-7198 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131) 1277351 - CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: firefox-38.4.0-1.el5_11.src.rpm i386: firefox-38.4.0-1.el5_11.i386.rpm firefox-debuginfo-38.4.0-1.el5_11.i386.rpm x86_64: firefox-38.4.0-1.el5_11.i386.rpm firefox-38.4.0-1.el5_11.x86_64.rpm firefox-debuginfo-38.4.0-1.el5_11.i386.rpm firefox-debuginfo-38.4.0-1.el5_11.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: firefox-38.4.0-1.el5_11.src.rpm i386: firefox-38.4.0-1.el5_11.i386.rpm firefox-debuginfo-38.4.0-1.el5_11.i386.rpm ppc: firefox-38.4.0-1.el5_11.ppc64.rpm firefox-debuginfo-38.4.0-1.el5_11.ppc64.rpm s390x: firefox-38.4.0-1.el5_11.s390.rpm firefox-38.4.0-1.el5_11.s390x.rpm firefox-debuginfo-38.4.0-1.el5_11.s390.rpm firefox-debuginfo-38.4.0-1.el5_11.s390x.rpm x86_64: firefox-38.4.0-1.el5_11.i386.rpm firefox-38.4.0-1.el5_11.x86_64.rpm firefox-debuginfo-38.4.0-1.el5_11.i386.rpm firefox-debuginfo-38.4.0-1.el5_11.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: firefox-38.4.0-1.el6_7.src.rpm i386: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm x86_64: firefox-38.4.0-1.el6_7.x86_64.rpm firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v.6): x86_64: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: firefox-38.4.0-1.el6_7.src.rpm x86_64: firefox-38.4.0-1.el6_7.i686.rpm firefox-38.4.0-1.el6_7.x86_64.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: firefox-38.4.0-1.el6_7.src.rpm i386: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm ppc64: firefox-38.4.0-1.el6_7.ppc64.rpm firefox-debuginfo-38.4.0-1.el6_7.ppc64.rpm s390x: firefox-38.4.0-1.el6_7.s390x.rpm firefox-debuginfo-38.4.0-1.el6_7.s390x.rpm x86_64: firefox-38.4.0-1.el6_7.x86_64.rpm firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): ppc64: firefox-38.4.0-1.el6_7.ppc.rpm firefox-debuginfo-38.4.0-1.el6_7.ppc.rpm s390x: firefox-38.4.0-1.el6_7.s390.rpm firefox-debuginfo-38.4.0-1.el6_7.s390.rpm x86_64: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: firefox-38.4.0-1.el6_7.src.rpm i386: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm x86_64: firefox-38.4.0-1.el6_7.x86_64.rpm firefox-debuginfo-38.4.0-1.el6_7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): x86_64: firefox-38.4.0-1.el6_7.i686.rpm firefox-debuginfo-38.4.0-1.el6_7.i686.rpm Red Hat Enterprise Linux Client (v. 7): Source: firefox-38.4.0-1.el7_1.src.rpm x86_64: firefox-38.4.0-1.el7_1.x86_64.rpm firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: firefox-38.4.0-1.el7_1.i686.rpm firefox-debuginfo-38.4.0-1.el7_1.i686.rpm Red Hat Enterprise Linux Server (v.7): Source: firefox-38.4.0-1.el7_1.src.rpm ppc64: firefox-38.4.0-1.el7_1.ppc64.rpm firefox-debuginfo-38.4.0-1.el7_1.ppc64.rpm s390x: firefox-38.4.0-1.el7_1.s390x.rpm firefox-debuginfo-38.4.0-1.el7_1.s390x.rpm x86_64: firefox-38.4.0-1.el7_1.x86_64.rpm firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: firefox-38.4.0-1.ael7b_1.src.rpm ppc64le: firefox-38.4.0-1.ael7b_1.ppc64le.rpm firefox-debuginfo-38.4.0-1.ael7b_1.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: firefox-38.4.0-1.el7_1.ppc.rpm firefox-debuginfo-38.4.0-1.el7_1.ppc.rpm s390x: firefox-38.4.0-1.el7_1.s390.rpm firefox-debuginfo-38.4.0-1.el7_1.s390.rpm x86_64: firefox-38.4.0-1.el7_1.i686.rpm firefox-debuginfo-38.4.0-1.el7_1.i686.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: firefox-38.4.0-1.el7_1.src.rpm x86_64: firefox-38.4.0-1.el7_1.x86_64.rpm firefox-debuginfo-38.4.0-1.el7_1.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: firefox-38.4.0-1.el7_1.i686.rpm firefox-debuginfo-38.4.0-1.el7_1.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-4513 https://access.redhat.com/security/cve/CVE-2015-7188 https://access.redhat.com/security/cve/CVE-2015-7189 https://access.redhat.com/security/cve/CVE-2015-7193 https://access.redhat.com/security/cve/CVE-2015-7194 https://access.redhat.com/security/cve/CVE-2015-7196 https://access.redhat.com/security/cve/CVE-2015-7197 https://access.redhat.com/security/cve/CVE-2015-7198 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version:GnuPG v1 iD8DBQFWOgTPXlSAg2UNWIIRAqeSAKCeXJWyWZgjWtI46FDug6lvyhyzDgCgpFTs tlfkVW6M8aU1SMZ1LMVzu0w=IACp -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
New upstream - 37.0.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6621 2015-04-22 16:55:27 -------------------------------------------------------------------------------- Name : xulrunner Product : Fedora 20 Version : 37.0.2 Release : 1.fc20 URL : Summary : XUL Runtime for Gecko Applications Description : XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications that are as rich as Firefox and Thunderbird. It provides mechanisms for installing, upgrading, and uninstalling these applications. XULRunner also provides libxul, a solution which allows the embedding of Mozilla technologies in other projects and products. -------------------------------------------------------------------------------- Update Information: New upstream - 37.0.2 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 16 2015 Jan Horak - 37.0.2-1 - Update to 37.0.2 * Wed Apr 15 2015 Martin Stransky - 37.0.1-1 - Update to 37.0.1 * Mon Apr 6 2015 Tom Callaway - 33.0-3 - rebuild for libvpx 1.4.0 * Wed Oct 22 2014 Dan Horák - 33.0-2 - Fix filelist for secondary arches * Thu Oct 16 2014 Martin Stransky - 33.0-1 - Update to 33.0 * Sat Sep 20 2014 Peter Robinson 32.0.2-1 - Update to 32.0.2 - sync fixes to the same as firefox * Tue Sep 9 2014 Martin Stransky - 32.0-2 - move /sdk/bin to xulrunner libdir * Tue Aug 26 2014 Martin Stransky - 32.0-1 - Update to 32.0 build 1 * Mon Aug 18 2014 Fedora Release Engineering - 31.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild * Fri Jul 25 2014 Martin Stransky - 31.0-1 - Update to 31.0 build 2 * Fri Jul 25 2014 Yaakov Selkowitz - 30.0-3 - Fix mozilla-config.h wrapper on aarch64 * Sun Jun 8 2014 Fedora Release Engineering - 30.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Thu Jun 5 2014 Martin Stransky - 30.0-1 - Update to 30.0build 1 - Disabled shared js * Fri May 23 2014 Martin Stransky - 29.0-5 - Added a build fix for ppc64 - rhbz#1100495 * Thu May 15 2014 Peter Robinson 29.0-4 - Update aarch64 bits * Thu May 15 2014 Peter Robinson 29.0-3 - Add upstream patches for aarch64 support * Mon Apr 28 2014 Martin Stransky - 29.0-2 - An updated ppc64le patch (rhbz#1091054) * Mon Apr 28 2014 Martin Stransky - 29.0-1 - Update to 29.0 * Tue Mar 18 2014 Martin Stransky - 28.0-1 - Update to 28.0 - Fixed arm patch * Mon Feb 3 2014 Martin Stransky - 27.0-1 - Update to 27.0 * Fri Dec 13 2013 Martin Stransky - 26.0-2 - rhbz#1037406 - xulrunner FTBFS if "-Werror=format-security" flag is used * Mon Dec 9 2013 Martin Stransky - 26.0-1 - Update to 26.0 Build 2 * Thu Nov 21 2013 Martin Stransky - 25.0-5 - Fixed rhbz#1007603 - NSS and cert9 (sql): firefox crash on exit with https-everywhere installed * Tue Nov 12 2013 Martin Stransky - 25.0-4 - rhbz#1010916 - enabled pluseaudio backend * Fri Nov 8 2013 Martin Stransky - 25.0-3 - Fixed rhbz#974718 - Segfault in FileBlockCache::Run when playing a movie on ppc -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update xulrunner' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
New upstream - 37.0.2. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6615 2015-04-22 16:55:15 -------------------------------------------------------------------------------- Name : xulrunner Product : Fedora 21 Version : 37.0.2 Release : 1.fc21 URL : Summary : XUL Runtime for Gecko Applications Description : XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications that are as rich as Firefox and Thunderbird. It provides mechanisms for installing, upgrading, and uninstalling these applications. XULRunner also provides libxul, a solution which allows the embedding of Mozilla technologies in other projects and products. -------------------------------------------------------------------------------- Update Information: New upstream - 37.0.2 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 16 2015 Jan Horak - 37.0.2-1 - Update to 37.0.2 * Wed Apr 15 2015 Martin Stransky - 37.0.1-1 - Update to 37.0.1 * Mon Apr 6 2015 Tom Callaway - 33.0-3 - rebuild for libvpx 1.4.0 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update xulrunner' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Update to new upstream - 37.0.2 Bookmark rebuild - Bug 1210474. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-6629 2015-04-22 16:55:48 -------------------------------------------------------------------------------- Name : xulrunner Product : Fedora 22 Version : 37.0.2 Release : 1.fc22 URL : Summary : XUL Runtime for Gecko Applications Description : XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications that are as rich as Firefox and Thunderbird. It provides mechanisms for installing, upgrading, and uninstalling these applications. XULRunner also provides libxul, a solution which allows the embedding of Mozilla technologies in other projects and products. -------------------------------------------------------------------------------- Update Information: Update to new upstream - 37.0.2 Bookmark rebuild - Bug 1210474 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1210474 - Update fedora-bookmarks for Fedora 22 https://bugzilla.redhat.com/show_bug.cgi?id=1210474 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update xulrunner' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
DSA-3050-1 updated the Iceweasel browser to the new ESR31 series of Firefox. In that version the xulrunner library is no longer included. This followup update provides xulrunner 24.8.1esr-2~deb7u1 in a separate source package to ensure that packages build-depending on xulrunner . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3050-2
An update that fixes 10 vulnerabilities is now available. An update that fixes 10 vulnerabilities is now available. An update that fixes 10 vulnerabilities is now available.. openSUSE Security Update: xulrunner: 17.0.7esr ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:1143-1 Rating: important References: #825935 Cross-References: CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 CVE-2013-1694 CVE-2013-1697 Affected Products: openSUSE 12.3 openSUSE 12.2 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. Description: Mozilla xulrunner was update to 17.0.7esr (bnc#825935) Security issues fixed: * MFSA 2013-49/CVE-2013-1682 Miscellaneous memory safety hazards * MFSA 2013-50/CVE-2013-1684/CVE-2013-1685/CVE-2013-1686 Memory corruption found using Address Sanitizer * MFSA 2013-51/CVE-2013-1687 (bmo#863933, bmo#866823) Privileged content access and execution via XBL * MFSA 2013-53/CVE-2013-1690 (bmo#857883) Execution of unmapped memory through onreadystatechange event * MFSA 2013-54/CVE-2013-1692 (bmo#866915) Data in the body of XHR HEAD requests leads to CSRF attacks * MFSA 2013-55/CVE-2013-1693 (bmo#711043) SVG filters can lead to information disclosure * MFSA 2013-56/CVE-2013-1694 (bmo#848535) PreserveWrapper has inconsistent behavior * MFSA 2013-59/CVE-2013-1697 (bmo#858101) XrayWrappers can be bypassed to run user defined methods in a privileged context Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-555 - openSUSE 12.2: zypper in -tpatch openSUSE-2013-555 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): mozilla-js-17.0.7-1.20.1 mozilla-js-debuginfo-17.0.7-1.20.1 xulrunner-17.0.7-1.20.1 xulrunner-buildsymbols-17.0.7-1.20.1 xulrunner-debuginfo-17.0.7-1.20.1 xulrunner-debugsource-17.0.7-1.20.1 xulrunner-devel-17.0.7-1.20.1 xulrunner-devel-debuginfo-17.0.7-1.20.1 - openSUSE 12.3 (x86_64): mozilla-js-32bit-17.0.7-1.20.1 mozilla-js-debuginfo-32bit-17.0.7-1.20.1 xulrunner-32bit-17.0.7-1.20.1 xulrunner-debuginfo-32bit-17.0.7-1.20.1 - openSUSE 12.2 (i586 x86_64): mozilla-js-17.0.7-2.46.1 mozilla-js-debuginfo-17.0.7-2.46.1 xulrunner-17.0.7-2.46.1 xulrunner-buildsymbols-17.0.7-2.46.1 xulrunner-debuginfo-17.0.7-2.46.1 xulrunner-debugsource-17.0.7-2.46.1 xulrunner-devel-17.0.7-2.46.1 xulrunner-devel-debuginfo-17.0.7-2.46.1 - openSUSE 12.2 (x86_64): mozilla-js-32bit-17.0.7-2.46.1 mozilla-js-debuginfo-32bit-17.0.7-2.46.1 xulrunner-32bit-17.0.7-2.46.1 xulrunner-debuginfo-32bit-17.0.7-2.46.1 References: https://www.suse.com/security/cve/CVE-2013-1682.html https://www.suse.com/security/cve/CVE-2013-1684.html https://www.suse.com/security/cve/CVE-2013-1685.html https://www.suse.com/security/cve/CVE-2013-1686.html https://www.suse.com/security/cve/CVE-2013-1687.html https://www.suse.com/security/cve/CVE-2013-1690.html https://www.suse.com/security/cve/CVE-2013-1692.html https://www.suse.com/security/cve/CVE-2013-1693.html https://www.suse.com/security/cve/CVE-2013-1694.html https://www.suse.com/security/cve/CVE-2013-1697.html https://login.microfocus.com/nidp/app/login?sid=0 . New update released for openSUSE: resolves 10 security vulnerabilities in xulrunner, enhancing system security and efficiency.. openSUSE Security,xulrunner Update,memory safety patch,CSRF mitigation. . Severity: Important.LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.