openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0690-1
Rating:             important
References:         #1028391 
Cross-References:   CVE-2017-5398 CVE-2017-5399 CVE-2017-5400
                    CVE-2017-5401 CVE-2017-5402 CVE-2017-5403
                    CVE-2017-5404 CVE-2017-5405 CVE-2017-5406
                    CVE-2017-5407 CVE-2017-5408 CVE-2017-5410
                    CVE-2017-5412 CVE-2017-5413 CVE-2017-5414
                    CVE-2017-5415 CVE-2017-5416 CVE-2017-5417
                    CVE-2017-5418 CVE-2017-5419 CVE-2017-5420
                    CVE-2017-5421 CVE-2017-5422 CVE-2017-5426
                    CVE-2017-5427
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that fixes 25 vulnerabilities is now available.

Description:


   This update for MozillaFirefox and mozilla-nss fixes the following issues:

   MozillaFirefox was updated to Firefox 52.0 (boo#1028391)
     * requires NSS >= 3.28.3
     * Pages containing insecure password fields now display a warning
       directly within username and password fields.
     * Send and open a tab from one device to another with Sync
     * Removed NPAPI support for plugins other than Flash. Silverlight, Java,
       Acrobat and the like are no longer supported.
     * Removed Battery Status API to reduce fingerprinting of users by
       trackers
     * MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
       (bmo#1334933) CVE-2017-5401: Memory Corruption when handling
       ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with
       events in FontFace
                      objects (bmo#1334876) CVE-2017-5403: Use-after-free
   using addRange to add range to an incorrect root object (bmo#1340186)
   CVE-2017-5404: Use-after-free working with ranges in selections
   (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas
   operations (bmo#1306890) CVE-2017-5407: Pixel and history stealing via
   floating-point timing side channel with SVG filters (bmo#1336622)
   CVE-2017-5410: Memory corruption during JavaScript garbage collection
   incremental sweeping (bmo#1330687) CVE-2017-5408: Cross-origin reading of
   video captions in violation
                      of CORS (bmo#1313711) CVE-2017-5412: Buffer overflow
   read in SVG filters (bmo#1328323) CVE-2017-5413: Segmentation fault during
   bidirectional operations (bmo#1337504) CVE-2017-5414: File picker can
   choose incorrect default directory (bmo#1319370) CVE-2017-5415: Addressbar
   spoofing through blob URL (bmo#1321719) CVE-2017-5416: Null dereference
   crash in HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar spoofing by
   draging and dropping URLs (bmo#791597) CVE-2017-5426: Gecko Media Plugin
   sandbox is not started if seccomp-bpf filter is running (bmo#1257361)
   CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
   (bmo#1295542) CVE-2017-5418: Out of bounds read when parsing HTTP digest
   authorization responses (bmo#1338876) CVE-2017-5419: Repeated
   authentication prompts lead to DOS attack (bmo#1312243) CVE-2017-5420:
   Javascript: URLs can obfuscate addressbar location (bmo#1284395)
   CVE-2017-5405: FTP response codes can cause use of uninitialized values
   for ports (bmo#1336699) CVE-2017-5421: Print preview spoofing
   (bmo#1301876) CVE-2017-5422: DOS attack by using view-source: protocol
   repeatedly in one hyperlink (bmo#1295002) CVE-2017-5399: Memory safety
   bugs fixed in Firefox 52 CVE-2017-5398: Memory safety bugs fixed in
   Firefox 52 and Firefox ESR 45.8

   mozilla-nss was updated to NSS 3.28.3
     * This is a patch release to fix binary compatibility issues. NSS
       version 3.28, 3.28.1 and 3.28.2 contained changes that were in
       violation with the NSS compatibility promise. ECParams, which is part
       of the public API of the freebl/softokn parts of NSS, had been changed
       to include an additional attribute. That size increase caused crashes
       or malfunctioning with applications that use that data structure
       directly, or indirectly through ECPublicKey, ECPrivateKey,
       NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey,
       or potentially other data structures that reference ECParams. The
        change has been reverted to the original state in bug bmo#1334108.
        SECKEYECPublicKey had been extended with a new attribute, named
        "encoding". If an application passed type SECKEYECPublicKey to
 NSS
        (as part of SECKEYPublicKey), the NSS library read the uninitialized
        attribute. With this NSS release SECKEYECPublicKey.encoding is
        deprecated. NSS no longer reads the attribute, and will always set it
        to ECPoint_Undefined. See bug bmo#1340103.
   - requires NSPR >= 4.13.1

   - update to NSS 3.28.2 This is a stability and compatibility release.
     Below is a summary of the changes.
     * Fixed a NSS 3.28 regression in the signature scheme flexibility that
       causes connectivity issues between iOS 8 clients and NSS servers with
       ECDSA certificates (bmo#1334114)
     * Fixed a possible crash on some Windows systems (bmo#1323150)
     * Fixed a compatibility issue with TLS clients that do not provide a
       list of supported key exchange groups (bmo#1330612)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-344=1

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-344=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      MozillaFirefox-52.0-55.2
      MozillaFirefox-branding-upstream-52.0-55.2
      MozillaFirefox-buildsymbols-52.0-55.2
      MozillaFirefox-debuginfo-52.0-55.2
      MozillaFirefox-debugsource-52.0-55.2
      MozillaFirefox-devel-52.0-55.2
      MozillaFirefox-translations-common-52.0-55.2
      MozillaFirefox-translations-other-52.0-55.2
      java-1_8_0-openjdk-1.8.0.121-8.1
      java-1_8_0-openjdk-accessibility-1.8.0.121-8.1
      java-1_8_0-openjdk-debuginfo-1.8.0.121-8.1
      java-1_8_0-openjdk-debugsource-1.8.0.121-8.1
      java-1_8_0-openjdk-demo-1.8.0.121-8.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.121-8.1
      java-1_8_0-openjdk-devel-1.8.0.121-8.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.121-8.1
      java-1_8_0-openjdk-headless-1.8.0.121-8.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.121-8.1
      java-1_8_0-openjdk-src-1.8.0.121-8.1
      libfreebl3-3.28.3-38.1
      libfreebl3-debuginfo-3.28.3-38.1
      libsoftokn3-3.28.3-38.1
      libsoftokn3-debuginfo-3.28.3-38.1
      mozilla-nss-3.28.3-38.1
      mozilla-nss-certs-3.28.3-38.1
      mozilla-nss-certs-debuginfo-3.28.3-38.1
      mozilla-nss-debuginfo-3.28.3-38.1
      mozilla-nss-debugsource-3.28.3-38.1
      mozilla-nss-devel-3.28.3-38.1
      mozilla-nss-sysinit-3.28.3-38.1
      mozilla-nss-sysinit-debuginfo-3.28.3-38.1
      mozilla-nss-tools-3.28.3-38.1
      mozilla-nss-tools-debuginfo-3.28.3-38.1

   - openSUSE Leap 42.2 (noarch):

      java-1_8_0-openjdk-javadoc-1.8.0.121-8.1

   - openSUSE Leap 42.2 (x86_64):

      libfreebl3-32bit-3.28.3-38.1
      libfreebl3-debuginfo-32bit-3.28.3-38.1
      libsoftokn3-32bit-3.28.3-38.1
      libsoftokn3-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-32bit-3.28.3-38.1
      mozilla-nss-certs-32bit-3.28.3-38.1
      mozilla-nss-certs-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-sysinit-32bit-3.28.3-38.1
      mozilla-nss-sysinit-debuginfo-32bit-3.28.3-38.1

   - openSUSE Leap 42.1 (i586 x86_64):

      java-1_8_0-openjdk-1.8.0.121-23.1
      java-1_8_0-openjdk-accessibility-1.8.0.121-23.1
      java-1_8_0-openjdk-debuginfo-1.8.0.121-23.1
      java-1_8_0-openjdk-debugsource-1.8.0.121-23.1
      java-1_8_0-openjdk-demo-1.8.0.121-23.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.121-23.1
      java-1_8_0-openjdk-devel-1.8.0.121-23.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.121-23.1
      java-1_8_0-openjdk-headless-1.8.0.121-23.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.121-23.1
      java-1_8_0-openjdk-src-1.8.0.121-23.1
      libfreebl3-3.28.3-38.1
      libfreebl3-debuginfo-3.28.3-38.1
      libsoftokn3-3.28.3-38.1
      libsoftokn3-debuginfo-3.28.3-38.1
      mozilla-nss-3.28.3-38.1
      mozilla-nss-certs-3.28.3-38.1
      mozilla-nss-certs-debuginfo-3.28.3-38.1
      mozilla-nss-debuginfo-3.28.3-38.1
      mozilla-nss-debugsource-3.28.3-38.1
      mozilla-nss-devel-3.28.3-38.1
      mozilla-nss-sysinit-3.28.3-38.1
      mozilla-nss-sysinit-debuginfo-3.28.3-38.1
      mozilla-nss-tools-3.28.3-38.1
      mozilla-nss-tools-debuginfo-3.28.3-38.1

   - openSUSE Leap 42.1 (noarch):

      java-1_8_0-openjdk-javadoc-1.8.0.121-23.1

   - openSUSE Leap 42.1 (x86_64):

      MozillaFirefox-52.0-55.2
      MozillaFirefox-branding-upstream-52.0-55.2
      MozillaFirefox-buildsymbols-52.0-55.2
      MozillaFirefox-debuginfo-52.0-55.2
      MozillaFirefox-debugsource-52.0-55.2
      MozillaFirefox-devel-52.0-55.2
      MozillaFirefox-translations-common-52.0-55.2
      MozillaFirefox-translations-other-52.0-55.2
      libfreebl3-32bit-3.28.3-38.1
      libfreebl3-debuginfo-32bit-3.28.3-38.1
      libsoftokn3-32bit-3.28.3-38.1
      libsoftokn3-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-32bit-3.28.3-38.1
      mozilla-nss-certs-32bit-3.28.3-38.1
      mozilla-nss-certs-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-debuginfo-32bit-3.28.3-38.1
      mozilla-nss-sysinit-32bit-3.28.3-38.1
      mozilla-nss-sysinit-debuginfo-32bit-3.28.3-38.1

   - openSUSE Leap 42.1 (i586):

      MozillaFirefox-52.0-55.1
      MozillaFirefox-branding-upstream-52.0-55.1
      MozillaFirefox-buildsymbols-52.0-55.1
      MozillaFirefox-debuginfo-52.0-55.1
      MozillaFirefox-debugsource-52.0-55.1
      MozillaFirefox-devel-52.0-55.1
      MozillaFirefox-translations-common-52.0-55.1
      MozillaFirefox-translations-other-52.0-55.1


References:

   https://www.suse.com/security/cve/CVE-2017-5398.html
   https://www.suse.com/security/cve/CVE-2017-5399.html
   https://www.suse.com/security/cve/CVE-2017-5400.html
   https://www.suse.com/security/cve/CVE-2017-5401.html
   https://www.suse.com/security/cve/CVE-2017-5402.html
   https://www.suse.com/security/cve/CVE-2017-5403.html
   https://www.suse.com/security/cve/CVE-2017-5404.html
   https://www.suse.com/security/cve/CVE-2017-5405.html
   https://www.suse.com/security/cve/CVE-2017-5406.html
   https://www.suse.com/security/cve/CVE-2017-5407.html
   https://www.suse.com/security/cve/CVE-2017-5408.html
   https://www.suse.com/security/cve/CVE-2017-5410.html
   https://www.suse.com/security/cve/CVE-2017-5412.html
   https://www.suse.com/security/cve/CVE-2017-5413.html
   https://www.suse.com/security/cve/CVE-2017-5414.html
   https://www.suse.com/security/cve/CVE-2017-5415.html
   https://www.suse.com/security/cve/CVE-2017-5416.html
   https://www.suse.com/security/cve/CVE-2017-5417.html
   https://www.suse.com/security/cve/CVE-2017-5418.html
   https://www.suse.com/security/cve/CVE-2017-5419.html
   https://www.suse.com/security/cve/CVE-2017-5420.html
   https://www.suse.com/security/cve/CVE-2017-5421.html
   https://www.suse.com/security/cve/CVE-2017-5422.html
   https://www.suse.com/security/cve/CVE-2017-5426.html
   https://www.suse.com/security/cve/CVE-2017-5427.html
   https://bugzilla.suse.com/1028391

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org