Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in mozilla-nspr und Mozilla Firefox, Mozilla Thunderbird
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in mozilla-nspr und Mozilla Firefox, Mozilla Thunderbird
ID: openSUSE-SU-2015:0677-1
Distribution: SUSE
Plattformen: openSUSE 13.1, openSUSE 13.2
Datum: Mi, 8. April 2015, 11:27
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816
Applikationen: Mozilla Firefox, Mozilla Thunderbird, NSPR

Originalnachricht

 
   openSUSE Security Update: Security update for MozillaFirefox,
 MozillaThunderbird, mozilla-nspr
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0677-1
Rating:             important
References:         #925368 #925392 #925393 #925394 #925395 #925396 
                    #925397 #925398 #925399 #925400 #925401 #925402 
                    #926166 
Cross-References:   CVE-2015-0799 CVE-2015-0801 CVE-2015-0802
                    CVE-2015-0803 CVE-2015-0804 CVE-2015-0805
                    CVE-2015-0806 CVE-2015-0807 CVE-2015-0808
                    CVE-2015-0811 CVE-2015-0812 CVE-2015-0813
                    CVE-2015-0814 CVE-2015-0815 CVE-2015-0816
                   
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 15 vulnerabilities is now available.

Description:

   Mozilla Firefox and Thunderbird were updated to fix several important
   vulnerabilities.

   Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to
   31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency.

   The following vulnerabilities were fixed in Mozilla Firefox:

   * Miscellaneous memory safety hazards (MFSA
     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
   * Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA
     2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
   * Add-on lightweight theme installation approval bypassed through MITM
     attack (MFSA 2015-32/CVE-2015-0812 bmo#1128126 boo#925394)
   * resource:// documents can load privileged pages (MFSA
     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
   * Out of bounds read in QCMS library (MFSA-2015-34/CVE-2015-0811
     bmo#1132468 boo#925396)
   * Incorrect memory management for simple-type arrays in WebRTC
     (MFSA-2015-36/CVE-2015-0808 bmo#1109552 boo#925397)
   * CORS requests should not follow 30x redirections after preflight
     (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
   * Memory corruption crashes in Off Main Thread Compositing
     (MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511 bmo#1099437
     boo#925399)
   * Use-after-free due to type confusion flaws
     (MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (mo#1134560 boo#925400)
   * Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801
     bmo#1146339 boo#925401)
   * Windows can retain access to privileged content on navigation to
     unprivileged pages (MFSA-2015-42/CVE-2015-0802 bmo#1124898 boo#925402)

   The following vulnerability was fixed in functionality that was not
   released as an update to openSUSE:

   * Certificate verification could be bypassed through the HTTP/2 Alt-Svc
     header (MFSA 2015-44/CVE-2015-0799 bmo#1148328 bnc#926166)

   The functionality added in 37.0 and thus removed in 37.0.1 was:

   * Opportunistically encrypt HTTP traffic where the server supports HTTP/2
     AltSvc

   The following functionality was added or updated in Mozilla Firefox:

     * Heartbeat user rating system
     * Yandex set as default search provider for the Turkish locale
     * Bing search now uses HTTPS for secure searching
     * Improved protection against site impersonation via OneCRL centralized
       certificate revocation
     * some more behaviour changes for TLS

   The following vulnerabilities were fixed in Mozilla Thunderbird:

   * Miscellaneous memory safety hazards (MFSA
     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
   * Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA
     2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
   * resource:// documents can load privileged pages (MFSA
     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
   * CORS requests should not follow 30x redirections after preflight
     (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
   * Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801
     bmo#1146339 boo#925401)

   mozilla-nspr was updated to 4.10.8 as a dependency and received the
   following changes:
     * bmo#573192: remove the stack-based PRFileDesc cache.
     * bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING > 0 instead
 of
       only checking if the identifier is defined.
     * bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE. Use
       PR_ARRAY_SIZE to get the array size of _PR_RUNQ(t->cpu).
     * bmo#1106600: Replace PR_ASSERT(!"foo") with
 PR_NOT_REACHED("foo") to
       fix clang -Wstring-conversion warnings.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-290=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-290=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      MozillaFirefox-37.0.1-23.1
      MozillaFirefox-branding-upstream-37.0.1-23.1
      MozillaFirefox-buildsymbols-37.0.1-23.1
      MozillaFirefox-debuginfo-37.0.1-23.1
      MozillaFirefox-debugsource-37.0.1-23.1
      MozillaFirefox-devel-37.0.1-23.1
      MozillaFirefox-translations-common-37.0.1-23.1
      MozillaFirefox-translations-other-37.0.1-23.1
      MozillaThunderbird-31.6.0-15.3
      MozillaThunderbird-buildsymbols-31.6.0-15.3
      MozillaThunderbird-debuginfo-31.6.0-15.3
      MozillaThunderbird-debugsource-31.6.0-15.3
      MozillaThunderbird-devel-31.6.0-15.3
      MozillaThunderbird-translations-common-31.6.0-15.3
      MozillaThunderbird-translations-other-31.6.0-15.3
      mozilla-nspr-4.10.8-6.1
      mozilla-nspr-debuginfo-4.10.8-6.1
      mozilla-nspr-debugsource-4.10.8-6.1
      mozilla-nspr-devel-4.10.8-6.1

   - openSUSE 13.2 (x86_64):

      mozilla-nspr-32bit-4.10.8-6.1
      mozilla-nspr-debuginfo-32bit-4.10.8-6.1

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-37.0.1-68.1
      MozillaFirefox-branding-upstream-37.0.1-68.1
      MozillaFirefox-buildsymbols-37.0.1-68.1
      MozillaFirefox-debuginfo-37.0.1-68.1
      MozillaFirefox-debugsource-37.0.1-68.1
      MozillaFirefox-devel-37.0.1-68.1
      MozillaFirefox-translations-common-37.0.1-68.1
      MozillaFirefox-translations-other-37.0.1-68.1
      MozillaThunderbird-31.6.0-70.50.2
      MozillaThunderbird-buildsymbols-31.6.0-70.50.2
      MozillaThunderbird-debuginfo-31.6.0-70.50.2
      MozillaThunderbird-debugsource-31.6.0-70.50.2
      MozillaThunderbird-devel-31.6.0-70.50.2
      MozillaThunderbird-translations-common-31.6.0-70.50.2
      MozillaThunderbird-translations-other-31.6.0-70.50.2
      mozilla-nspr-4.10.8-22.1
      mozilla-nspr-debuginfo-4.10.8-22.1
      mozilla-nspr-debugsource-4.10.8-22.1
      mozilla-nspr-devel-4.10.8-22.1

   - openSUSE 13.1 (x86_64):

      mozilla-nspr-32bit-4.10.8-22.1
      mozilla-nspr-debuginfo-32bit-4.10.8-22.1


References:

   https://www.suse.com/security/cve/CVE-2015-0799.html
   https://www.suse.com/security/cve/CVE-2015-0801.html
   https://www.suse.com/security/cve/CVE-2015-0802.html
   https://www.suse.com/security/cve/CVE-2015-0803.html
   https://www.suse.com/security/cve/CVE-2015-0804.html
   https://www.suse.com/security/cve/CVE-2015-0805.html
   https://www.suse.com/security/cve/CVE-2015-0806.html
   https://www.suse.com/security/cve/CVE-2015-0807.html
   https://www.suse.com/security/cve/CVE-2015-0808.html
   https://www.suse.com/security/cve/CVE-2015-0811.html
   https://www.suse.com/security/cve/CVE-2015-0812.html
   https://www.suse.com/security/cve/CVE-2015-0813.html
   https://www.suse.com/security/cve/CVE-2015-0814.html
   https://www.suse.com/security/cve/CVE-2015-0815.html
   https://www.suse.com/security/cve/CVE-2015-0816.html
   https://bugzilla.suse.com/925368
   https://bugzilla.suse.com/925392
   https://bugzilla.suse.com/925393
   https://bugzilla.suse.com/925394
   https://bugzilla.suse.com/925395
   https://bugzilla.suse.com/925396
   https://bugzilla.suse.com/925397
   https://bugzilla.suse.com/925398
   https://bugzilla.suse.com/925399
   https://bugzilla.suse.com/925400
   https://bugzilla.suse.com/925401
   https://bugzilla.suse.com/925402
   https://bugzilla.suse.com/926166

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung