Security update for Mozilla Firefox

SUSE Security Update: Security update for Mozilla Firefox
Announcement ID: SUSE-SU-2014:0248-2
Rating: important
References: #859055 #861847
Affected Products:
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS

  • An update that fixes 14 vulnerabilities is now available. It includes four new package versions.

    Description:


    Mozilla Firefox was updated to the 24.3.0ESR security
    release.

    The following security issues have been fixed:

    *

    MFSA 2014-01: Memory safety bugs fixed in Firefox ESR
    24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)

    *

    MFSA 2014-02: Using XBL scopes its possible to
    steal(clone) native anonymous content
    (CVE-2014-1479)(bnc#862348)

    *

    MFSA 2014-03: Download "open file" dialog delay is
    too quick, doesn't prevent clickjacking (CVE-2014-1480)

    *

    MFSA 2014-04: Image decoding causing FireFox to crash
    with Goo Create (CVE-2014-1482)(bnc#862356)

    *

    MFSA 2014-05: caretPositionFromPoint and
    elementFromPoint leak information about iframe contents via
    timing information (CVE-2014-1483)(bnc#862360)

    *

    MFSA 2014-06: Fennec leaks profile path to logcat
    (CVE-2014-1484)

    *

    MFSA 2014-07: CSP should block XSLT as script, not as
    style (CVE-2014-1485)

    *

    MFSA 2014-08: imgRequestProxy Use-After-Free Remote
    Code Execution Vulnerability (CVE-2014-1486)

    *

    MFSA 2014-09: Cross-origin information disclosure
    with error message of Web Workers (CVE-2014-1487)

    *

    MFSA 2014-10: settings & history ID bug
    (CVE-2014-1489)

    *

    MFSA 2014-11: Firefox reproducibly crashes when using
    asm.js code in workers and transferable objects
    (CVE-2014-1488)

    *

    MFSA 2014-12: TOCTOU, potential use-after-free in
    libssl's session ticket processing
    (CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH
    value (CVE-2014-1491)(bnc#862289)

    *

    MFSA 2014-13: Inconsistent this value when invoking
    getters on window (CVE-2014-1481)(bnc#862309)

    Also Mozilla NSS was updated to 3.15.4 release.

    * required for Firefox 27
    * regular CA root store update (1.96)
    * some OSCP improvments
    * other bugfixes

    Security Issue references:

    * CVE-2014-1477
    >
    * CVE-2014-1479
    >
    * CVE-2014-1480
    >
    * CVE-2014-1481
    >
    * CVE-2014-1482
    >
    * CVE-2014-1483
    >
    * CVE-2014-1484
    >
    * CVE-2014-1485
    >
    * CVE-2014-1486
    >
    * CVE-2014-1487
    >
    * CVE-2014-1488
    >
    * CVE-2014-1489
    >
    * CVE-2014-1490
    >
    * CVE-2014-1491
    >

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11 SP2 LTSS:
      zypper in -t patch slessp2-firefox-201402-8899
    • SUSE Linux Enterprise Server 11 SP1 LTSS:
      zypper in -t patch slessp1-firefox-201402-8898

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 24.3.0esr,3.15.4 and 4.10.2]:
    • MozillaFirefox-24.3.0esr-0.4.2.2
    • MozillaFirefox-branding-SLED-24-0.4.10.4
    • MozillaFirefox-translations-24.3.0esr-0.4.2.2
    • firefox-libgcc_s1-4.7.2_20130108-0.16.1
    • firefox-libstdc++6-4.7.2_20130108-0.16.1
    • libfreebl3-3.15.4-0.4.2.1
    • mozilla-nspr-4.10.2-0.3.2
    • mozilla-nss-3.15.4-0.4.2.1
    • mozilla-nss-tools-3.15.4-0.4.2.1
    • SUSE Linux Enterprise Server 11 SP2 LTSS (s390x x86_64) [New Version: 3.15.4 and 4.10.2]:
    • libfreebl3-32bit-3.15.4-0.4.2.1
    • mozilla-nspr-32bit-4.10.2-0.3.2
    • mozilla-nss-32bit-3.15.4-0.4.2.1
    • SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 24,24.3.0esr,3.15.4 and 4.10.2]:
    • MozillaFirefox-24.3.0esr-0.4.2.2
    • MozillaFirefox-branding-SLED-24-0.4.10.4
    • MozillaFirefox-translations-24.3.0esr-0.4.2.2
    • firefox-libgcc_s1-4.7.2_20130108-0.16.1
    • firefox-libstdc++6-4.7.2_20130108-0.16.1
    • libfreebl3-3.15.4-0.4.2.1
    • mozilla-nspr-4.10.2-0.3.2
    • mozilla-nss-3.15.4-0.4.2.1
    • mozilla-nss-tools-3.15.4-0.4.2.1
    • SUSE Linux Enterprise Server 11 SP1 LTSS (s390x x86_64) [New Version: 3.15.4 and 4.10.2]:
    • libfreebl3-32bit-3.15.4-0.4.2.1
    • mozilla-nspr-32bit-4.10.2-0.3.2
    • mozilla-nss-32bit-3.15.4-0.4.2.1

    References:

    • http://support.novell.com/security/cve/CVE-2014-1477.html
    • http://support.novell.com/security/cve/CVE-2014-1479.html
    • http://support.novell.com/security/cve/CVE-2014-1480.html
    • http://support.novell.com/security/cve/CVE-2014-1481.html
    • http://support.novell.com/security/cve/CVE-2014-1482.html
    • http://support.novell.com/security/cve/CVE-2014-1483.html
    • http://support.novell.com/security/cve/CVE-2014-1484.html
    • http://support.novell.com/security/cve/CVE-2014-1485.html
    • http://support.novell.com/security/cve/CVE-2014-1486.html
    • http://support.novell.com/security/cve/CVE-2014-1487.html
    • http://support.novell.com/security/cve/CVE-2014-1488.html
    • http://support.novell.com/security/cve/CVE-2014-1489.html
    • http://support.novell.com/security/cve/CVE-2014-1490.html
    • http://support.novell.com/security/cve/CVE-2014-1491.html
    • https://bugzilla.novell.com/859055
    • https://bugzilla.novell.com/861847
    • http://download.novell.com/patch/finder/?keywords=30bede649a43f15d0ae5fd4070619ffe
    • http://download.novell.com/patch/finder/?keywords=aba5ed8a4574a80ca797b2dbd204522e