SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0248-1
Rating:             important
References:         #859055 #861847 
Cross-References:   CVE-2014-1477 CVE-2014-1479 CVE-2014-1480
                    CVE-2014-1481 CVE-2014-1482 CVE-2014-1483
                    CVE-2014-1484 CVE-2014-1485 CVE-2014-1486
                    CVE-2014-1487 CVE-2014-1488 CVE-2014-1489
                    CVE-2014-1490 CVE-2014-1491
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP3
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes 14 vulnerabilities is now available.
   It includes two new package versions.

Description:


   This updates the Mozilla Firefox browser to the 24.3.0ESR
   security release.  The Mozilla NSS libraries are now on
   version 3.15.4.

   The following security issues have been fixed:

   *

   MFSA 2014-01: Memory safety bugs fixed in Firefox ESR
   24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)

   *

   MFSA 2014-02: Using XBL scopes its possible to
   steal(clone) native anonymous content
   (CVE-2014-1479)(bnc#862348)

   *

   MFSA 2014-03: Download "open file" dialog delay is
   too quick, doesn't prevent clickjacking (CVE-2014-1480)

   *

   MFSA 2014-04: Image decoding causing FireFox to crash
   with Goo Create (CVE-2014-1482)(bnc#862356)

   *

   MFSA 2014-05: caretPositionFromPoint and
   elementFromPoint leak information about iframe contents via
   timing information (CVE-2014-1483)(bnc#862360)

   *

   MFSA 2014-06: Fennec leaks profile path to logcat
   (CVE-2014-1484)

   *

   MFSA 2014-07: CSP should block XSLT as script, not as
   style (CVE-2014-1485)

   *

   MFSA 2014-08: imgRequestProxy Use-After-Free Remote
   Code Execution Vulnerability (CVE-2014-1486)

   *

   MFSA 2014-09: Cross-origin information disclosure
   with error message of Web Workers (CVE-2014-1487)

   *

   MFSA 2014-10: settings & history ID bug
   (CVE-2014-1489)

   *

   MFSA 2014-11: Firefox reproducibly crashes when using
   asm.js code in workers and transferable objects
   (CVE-2014-1488)

   *

   MFSA 2014-12: TOCTOU, potential use-after-free in
   libssl's session ticket processing
   (CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH
   value (CVE-2014-1491)(bnc#862289)

   *

   MFSA 2014-13: Inconsistent this value when invoking
   getters on window (CVE-2014-1481)(bnc#862309)

   Security Issue references:

   * CVE-2014-1477
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477
   >
   * CVE-2014-1479
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479
   >
   * CVE-2014-1480
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1480
   >
   * CVE-2014-1481
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481
   >
   * CVE-2014-1482
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482
   >
   * CVE-2014-1483
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1483
   >
   * CVE-2014-1484
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1484
   >
   * CVE-2014-1485
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1485
   >
   * CVE-2014-1486
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486
   >
   * CVE-2014-1487
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
   >
   * CVE-2014-1488
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1488
   >
   * CVE-2014-1489
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1489
   >
   * CVE-2014-1490
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1490
   >
   * CVE-2014-1491
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1491
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP3:

      zypper in -t patch sdksp3-firefox-201402-8879

   - SUSE Linux Enterprise Server 11 SP3 for VMware:

      zypper in -t patch slessp3-firefox-201402-8879

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-firefox-201402-8879

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-firefox-201402-8879

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64
 s390x x86_64) [New Version: 3.15.4]:

      MozillaFirefox-devel-24.3.0esr-0.8.1
      mozilla-nss-devel-3.15.4-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version:
 24.3.0esr and 3.15.4]:

      MozillaFirefox-24.3.0esr-0.8.1
      MozillaFirefox-translations-24.3.0esr-0.8.1
      libfreebl3-3.15.4-0.7.1
      libsoftokn3-3.15.4-0.7.1
      mozilla-nss-3.15.4-0.7.1
      mozilla-nss-tools-3.15.4-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version:
 3.15.4]:

      libfreebl3-32bit-3.15.4-0.7.1
      libsoftokn3-32bit-3.15.4-0.7.1
      mozilla-nss-32bit-3.15.4-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New
 Version: 24.3.0esr and 3.15.4]:

      MozillaFirefox-24.3.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.14
      MozillaFirefox-translations-24.3.0esr-0.8.1
      libfreebl3-3.15.4-0.7.1
      libsoftokn3-3.15.4-0.7.1
      mozilla-nss-3.15.4-0.7.1
      mozilla-nss-tools-3.15.4-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version:
 3.15.4]:

      libfreebl3-32bit-3.15.4-0.7.1
      libsoftokn3-32bit-3.15.4-0.7.1
      mozilla-nss-32bit-3.15.4-0.7.1

   - SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.15.4]:

      libfreebl3-x86-3.15.4-0.7.1
      libsoftokn3-x86-3.15.4-0.7.1
      mozilla-nss-x86-3.15.4-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.3.0esr
 and 3.15.4]:

      MozillaFirefox-24.3.0esr-0.8.1
      MozillaFirefox-branding-SLED-24-0.7.14
      MozillaFirefox-translations-24.3.0esr-0.8.1
      libfreebl3-3.15.4-0.7.1
      libsoftokn3-3.15.4-0.7.1
      mozilla-nss-3.15.4-0.7.1
      mozilla-nss-tools-3.15.4-0.7.1

   - SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.15.4]:

      libfreebl3-32bit-3.15.4-0.7.1
      libsoftokn3-32bit-3.15.4-0.7.1
      mozilla-nss-32bit-3.15.4-0.7.1


References:

   http://support.novell.com/security/cve/CVE-2014-1477.html
   http://support.novell.com/security/cve/CVE-2014-1479.html
   http://support.novell.com/security/cve/CVE-2014-1480.html
   http://support.novell.com/security/cve/CVE-2014-1481.html
   http://support.novell.com/security/cve/CVE-2014-1482.html
   http://support.novell.com/security/cve/CVE-2014-1483.html
   http://support.novell.com/security/cve/CVE-2014-1484.html
   http://support.novell.com/security/cve/CVE-2014-1485.html
   http://support.novell.com/security/cve/CVE-2014-1486.html
   http://support.novell.com/security/cve/CVE-2014-1487.html
   http://support.novell.com/security/cve/CVE-2014-1488.html
   http://support.novell.com/security/cve/CVE-2014-1489.html
   http://support.novell.com/security/cve/CVE-2014-1490.html
   http://support.novell.com/security/cve/CVE-2014-1491.html
   https://bugzilla.novell.com/859055
   https://bugzilla.novell.com/861847
   ?keywords=b12f5cfd95ec4eca119a488f5fb07f02

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org