Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2015:0412-1
Rating:	important
References:	bsc#917597
Cross-References:	CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0835 CVE-2015-0836
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12

An update that solves five vulnerabilities can now be installed.

Description:

MozillaFirefox was updated to version 31.5.0 ESR to fix five security issues.

These security issues were fixed: - CVE-2015-0836: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.5 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bnc#917597). - CVE-2015-0827: Heap-based buffer overflow in the mozilla::gfx::CopyRect function in Mozilla Firefox before 31.5 allowed remote attackers to obtain sensitive information from uninitialized process memory via a malformed SVG graphic (bnc#917597). - CVE-2015-0835: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 36.0 allowed remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (bnc#917597). - CVE-2015-0831: Use-after-free vulnerability in the mozilla::dom::IndexedDB::IDBObjectStore::CreateIndex function in Mozilla Firefox before 31.5 allowed remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted content that is improperly handled during IndexedDB index creation (bnc#917597). - CVE-2015-0822: The Form Autocompletion feature in Mozilla Firefox before 31.5 allowed remote attackers to read arbitrary files via crafted JavaScript code (bnc#917597).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-104=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-104=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-104=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-104=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • MozillaFirefox-translations-31.5.0esr-24.1
  • MozillaFirefox-31.5.0esr-24.1
  • MozillaFirefox-debuginfo-31.5.0esr-24.1
  • MozillaFirefox-debugsource-31.5.0esr-24.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • MozillaFirefox-devel-31.5.0esr-24.1
  • MozillaFirefox-debugsource-31.5.0esr-24.1
  • MozillaFirefox-debuginfo-31.5.0esr-24.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • MozillaFirefox-translations-31.5.0esr-24.1
  • MozillaFirefox-31.5.0esr-24.1
  • MozillaFirefox-debuginfo-31.5.0esr-24.1
  • MozillaFirefox-debugsource-31.5.0esr-24.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • MozillaFirefox-translations-31.5.0esr-24.1
  • MozillaFirefox-31.5.0esr-24.1
  • MozillaFirefox-debuginfo-31.5.0esr-24.1
  • MozillaFirefox-debugsource-31.5.0esr-24.1

References:

• https://www.suse.com/security/cve/CVE-2015-0822.html
• https://www.suse.com/security/cve/CVE-2015-0827.html
• https://www.suse.com/security/cve/CVE-2015-0831.html
• https://www.suse.com/security/cve/CVE-2015-0835.html
• https://www.suse.com/security/cve/CVE-2015-0836.html
• https://bugzilla.suse.com/show_bug.cgi?id=917597