Security update for MozillaFirefox
SUSE Security Update: Security update for MozillaFirefox
This updates the Mozilla Firefox browser to the 24.3.0ESR
security release. The Mozilla NSS libraries are now on
version 3.15.4.
The following security issues have been fixed:
*
MFSA 2014-01: Memory safety bugs fixed in Firefox ESR
24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)
*
MFSA 2014-02: Using XBL scopes its possible to
steal(clone) native anonymous content
(CVE-2014-1479)(bnc#862348)
*
MFSA 2014-03: Download "open file" dialog delay is
too quick, doesn't prevent clickjacking (CVE-2014-1480)
*
MFSA 2014-04: Image decoding causing FireFox to crash
with Goo Create (CVE-2014-1482)(bnc#862356)
*
MFSA 2014-05: caretPositionFromPoint and
elementFromPoint leak information about iframe contents via
timing information (CVE-2014-1483)(bnc#862360)
*
MFSA 2014-06: Fennec leaks profile path to logcat
(CVE-2014-1484)
*
MFSA 2014-07: CSP should block XSLT as script, not as
style (CVE-2014-1485)
*
MFSA 2014-08: imgRequestProxy Use-After-Free Remote
Code Execution Vulnerability (CVE-2014-1486)
*
MFSA 2014-09: Cross-origin information disclosure
with error message of Web Workers (CVE-2014-1487)
*
MFSA 2014-10: settings & history ID bug
(CVE-2014-1489)
*
MFSA 2014-11: Firefox reproducibly crashes when using
asm.js code in workers and transferable objects
(CVE-2014-1488)
*
MFSA 2014-12: TOCTOU, potential use-after-free in
libssl's session ticket processing
(CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH
value (CVE-2014-1491)(bnc#862289)
*
MFSA 2014-13: Inconsistent this value when invoking
getters on window (CVE-2014-1481)(bnc#862309)
Security Issue references:
* CVE-2014-1477
>
* CVE-2014-1479
>
* CVE-2014-1480
>
* CVE-2014-1481
>
* CVE-2014-1482
>
* CVE-2014-1483
>
* CVE-2014-1484
>
* CVE-2014-1485
>
* CVE-2014-1486
>
* CVE-2014-1487
>
* CVE-2014-1488
>
* CVE-2014-1489
>
* CVE-2014-1490
>
* CVE-2014-1491
>
| Announcement ID: | SUSE-SU-2014:0248-1 |
| Rating: | important |
| References: | #859055 #861847 |
| Affected Products: |
An update that fixes 14 vulnerabilities is now available. It includes two new package versions.
Description:
This updates the Mozilla Firefox browser to the 24.3.0ESR
security release. The Mozilla NSS libraries are now on
version 3.15.4.
The following security issues have been fixed:
*
MFSA 2014-01: Memory safety bugs fixed in Firefox ESR
24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)
*
MFSA 2014-02: Using XBL scopes its possible to
steal(clone) native anonymous content
(CVE-2014-1479)(bnc#862348)
*
MFSA 2014-03: Download "open file" dialog delay is
too quick, doesn't prevent clickjacking (CVE-2014-1480)
*
MFSA 2014-04: Image decoding causing FireFox to crash
with Goo Create (CVE-2014-1482)(bnc#862356)
*
MFSA 2014-05: caretPositionFromPoint and
elementFromPoint leak information about iframe contents via
timing information (CVE-2014-1483)(bnc#862360)
*
MFSA 2014-06: Fennec leaks profile path to logcat
(CVE-2014-1484)
*
MFSA 2014-07: CSP should block XSLT as script, not as
style (CVE-2014-1485)
*
MFSA 2014-08: imgRequestProxy Use-After-Free Remote
Code Execution Vulnerability (CVE-2014-1486)
*
MFSA 2014-09: Cross-origin information disclosure
with error message of Web Workers (CVE-2014-1487)
*
MFSA 2014-10: settings & history ID bug
(CVE-2014-1489)
*
MFSA 2014-11: Firefox reproducibly crashes when using
asm.js code in workers and transferable objects
(CVE-2014-1488)
*
MFSA 2014-12: TOCTOU, potential use-after-free in
libssl's session ticket processing
(CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH
value (CVE-2014-1491)(bnc#862289)
*
MFSA 2014-13: Inconsistent this value when invoking
getters on window (CVE-2014-1481)(bnc#862309)
Security Issue references:
* CVE-2014-1477
* CVE-2014-1479
* CVE-2014-1480
* CVE-2014-1481
* CVE-2014-1482
* CVE-2014-1483
* CVE-2014-1484
* CVE-2014-1485
* CVE-2014-1486
* CVE-2014-1487
* CVE-2014-1488
* CVE-2014-1489
* CVE-2014-1490
* CVE-2014-1491
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-firefox-201402-8879 - SUSE Linux Enterprise Server 11 SP3 for VMware:
zypper in -t patch slessp3-firefox-201402-8879 - SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-firefox-201402-8879 - SUSE Linux Enterprise Desktop 11 SP3:
zypper in -t patch sledsp3-firefox-201402-8879
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 3.15.4]:
- MozillaFirefox-devel-24.3.0esr-0.8.1
- mozilla-nss-devel-3.15.4-0.7.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]:
- MozillaFirefox-24.3.0esr-0.8.1
- MozillaFirefox-translations-24.3.0esr-0.8.1
- libfreebl3-3.15.4-0.7.1
- libsoftokn3-3.15.4-0.7.1
- mozilla-nss-3.15.4-0.7.1
- mozilla-nss-tools-3.15.4-0.7.1
- SUSE Linux Enterprise Server 11 SP3 for VMware (x86_64) [New Version: 3.15.4]:
- libfreebl3-32bit-3.15.4-0.7.1
- libsoftokn3-32bit-3.15.4-0.7.1
- mozilla-nss-32bit-3.15.4-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64) [New Version: 24.3.0esr and 3.15.4]:
- MozillaFirefox-24.3.0esr-0.8.1
- MozillaFirefox-branding-SLED-24-0.7.14
- MozillaFirefox-translations-24.3.0esr-0.8.1
- libfreebl3-3.15.4-0.7.1
- libsoftokn3-3.15.4-0.7.1
- mozilla-nss-3.15.4-0.7.1
- mozilla-nss-tools-3.15.4-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (ppc64 s390x x86_64) [New Version: 3.15.4]:
- libfreebl3-32bit-3.15.4-0.7.1
- libsoftokn3-32bit-3.15.4-0.7.1
- mozilla-nss-32bit-3.15.4-0.7.1
- SUSE Linux Enterprise Server 11 SP3 (ia64) [New Version: 3.15.4]:
- libfreebl3-x86-3.15.4-0.7.1
- libsoftokn3-x86-3.15.4-0.7.1
- mozilla-nss-x86-3.15.4-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 24.3.0esr and 3.15.4]:
- MozillaFirefox-24.3.0esr-0.8.1
- MozillaFirefox-branding-SLED-24-0.7.14
- MozillaFirefox-translations-24.3.0esr-0.8.1
- libfreebl3-3.15.4-0.7.1
- libsoftokn3-3.15.4-0.7.1
- mozilla-nss-3.15.4-0.7.1
- mozilla-nss-tools-3.15.4-0.7.1
- SUSE Linux Enterprise Desktop 11 SP3 (x86_64) [New Version: 3.15.4]:
- libfreebl3-32bit-3.15.4-0.7.1
- libsoftokn3-32bit-3.15.4-0.7.1
- mozilla-nss-32bit-3.15.4-0.7.1
References:
- http://support.novell.com/security/cve/CVE-2014-1477.html
- http://support.novell.com/security/cve/CVE-2014-1479.html
- http://support.novell.com/security/cve/CVE-2014-1480.html
- http://support.novell.com/security/cve/CVE-2014-1481.html
- http://support.novell.com/security/cve/CVE-2014-1482.html
- http://support.novell.com/security/cve/CVE-2014-1483.html
- http://support.novell.com/security/cve/CVE-2014-1484.html
- http://support.novell.com/security/cve/CVE-2014-1485.html
- http://support.novell.com/security/cve/CVE-2014-1486.html
- http://support.novell.com/security/cve/CVE-2014-1487.html
- http://support.novell.com/security/cve/CVE-2014-1488.html
- http://support.novell.com/security/cve/CVE-2014-1489.html
- http://support.novell.com/security/cve/CVE-2014-1490.html
- http://support.novell.com/security/cve/CVE-2014-1491.html
- https://bugzilla.novell.com/859055
- https://bugzilla.novell.com/861847
- http://download.novell.com/patch/finder/?keywords=b12f5cfd95ec4eca119a488f5fb07f02