SUSE-SU-2014:1510-1: moderate: Security update for MozillaFirefox and mozilla-nss

sle-security-updates at lists.suse.com
Thu Nov 27 02:04:49 MST 2014


   SUSE Security Update: Security update for MozillaFirefox and mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1510-1
Rating:             moderate
References:         #897890 #900941 
Cross-References:   CVE-2014-1568 CVE-2014-1574 CVE-2014-1575
                    CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
                    CVE-2014-1581 CVE-2014-1583 CVE-2014-1585
                    CVE-2014-1586
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:


   - update to Firefox 31.2.0 ESR (bnc#900941)
     * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994, bmo#1011354,
       bmo#1018916, bmo#1020034, bmo#1023035, bmo#1032208, bmo#1033020,
       bmo#1034230, bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044,
       bmo#1072174) Miscellaneous memory safety hazards (rv:33.0/rv:31.2)
     * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
       manipulation
     * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
       issues with custom waveforms
     * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
       video
     * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
       with text directionality
     * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
       Inconsistent video sharing within iframe
     * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
       objects via the Alarms API
   - SSLv3 is disabled by default. See README.POODLE for more detailed
     information.

   - disable call home features

   - update to 3.17.2 (bnc#900941) Bugfix release
     * bmo#1049435 - Importing an RSA private key fails if p < q
     * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
     * bmo#1078669 - certutil crashes when using the --certVersion parameter
   - changes from earlier version of the 3.17 branch: update to 3.17.1
     (bnc#897890)
     * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature
       Forgery in NSS
     * Change library's signature algorithm default to SHA256
     * Add support for draft-ietf-tls-downgrade-scsv
     * Add clang-cl support to the NSS build system
     * Implement TLS 1.3:
       * Part 1. Negotiate TLS 1.3
       * Part 2. Remove deprecated cipher suites and compression.
     * Add support for little-endian powerpc64
   - update to 3.17
     * required for Firefox 33
     New functionality:
     * When using ECDHE, the TLS server code may be configured to generate a
       fresh ephemeral ECDH key for each handshake, by setting the
       SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
       SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
       server's ephemeral ECDH key is reused for multiple handshakes.  This
       option does not affect the TLS client code, which always generates a
       fresh ephemeral ECDH key for each handshake.
     New Macros:
     * SSL_REUSE_SERVER_ECDHE_KEY
     Notable Changes:
     * The manual pages for the certutil and pp tools have been updated to
       document the new parameters that had been added in NSS 3.16.2.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2014-81

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-81

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2014-81

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-31.2.0esr-6.4
      MozillaFirefox-debugsource-31.2.0esr-6.4
      MozillaFirefox-devel-31.2.0esr-6.4
      mozilla-nss-debuginfo-3.17.2-8.2
      mozilla-nss-debugsource-3.17.2-8.2
      mozilla-nss-devel-3.17.2-8.2

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      MozillaFirefox-31.2.0esr-6.4
      MozillaFirefox-branding-SLE-31-4.1
      MozillaFirefox-debuginfo-31.2.0esr-6.4
      MozillaFirefox-debugsource-31.2.0esr-6.4
      MozillaFirefox-translations-31.2.0esr-6.4
      libfreebl3-3.17.2-8.2
      libfreebl3-debuginfo-3.17.2-8.2
      libfreebl3-hmac-3.17.2-8.2
      libsoftokn3-3.17.2-8.2
      libsoftokn3-debuginfo-3.17.2-8.2
      libsoftokn3-hmac-3.17.2-8.2
      mozilla-nss-3.17.2-8.2
      mozilla-nss-certs-3.17.2-8.2
      mozilla-nss-certs-debuginfo-3.17.2-8.2
      mozilla-nss-debuginfo-3.17.2-8.2
      mozilla-nss-debugsource-3.17.2-8.2
      mozilla-nss-tools-3.17.2-8.2
      mozilla-nss-tools-debuginfo-3.17.2-8.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      MozillaFirefox-31.2.0esr-6.4
      MozillaFirefox-branding-SLE-31-4.1
      MozillaFirefox-debuginfo-31.2.0esr-6.4
      MozillaFirefox-debugsource-31.2.0esr-6.4
      MozillaFirefox-translations-31.2.0esr-6.4
      libfreebl3-3.17.2-8.2
      libfreebl3-debuginfo-3.17.2-8.2
      libsoftokn3-3.17.2-8.2
      libsoftokn3-debuginfo-3.17.2-8.2
      mozilla-nss-3.17.2-8.2
      mozilla-nss-certs-3.17.2-8.2
      mozilla-nss-certs-debuginfo-3.17.2-8.2
      mozilla-nss-debuginfo-3.17.2-8.2
      mozilla-nss-debugsource-3.17.2-8.2
      mozilla-nss-tools-3.17.2-8.2
      mozilla-nss-tools-debuginfo-3.17.2-8.2
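
   To confirm that a host actually carries the fixed builds listed above, the
   following check can be run after patching. It is an added example, not part
   of the SUSE advisory; the function names and the sample input are
   constructed, and sort -V is used as an approximation of rpm's version
   ordering.

```shell
#!/usr/bin/env bash
# Added example: flag packages older than the fixed builds in SUSE-SU-2014:1510-1.

# Fixed version-release per package, copied from the advisory's Package List.
fixed_version() {
  case "$1" in
    MozillaFirefox|MozillaFirefox-translations|MozillaFirefox-devel)
      echo "31.2.0esr-6.4" ;;
    mozilla-nss|mozilla-nss-*|libfreebl3|libfreebl3-hmac|libsoftokn3|libsoftokn3-hmac)
      echo "3.17.2-8.2" ;;
    *) return 1 ;;   # package not covered by this advisory
  esac
}

# Succeeds when version $1 >= version $2 (sort -V approximates rpm ordering).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Reads "name version-release" lines on stdin, prints every covered package
# that is still below its fixed build, and returns 1 if any was found.
find_unpatched() {
  local name ver want found=0
  while read -r name ver; do
    want=$(fixed_version "$name") || continue
    if ! version_ge "$ver" "$want"; then
      echo "$name $ver < $want"
      found=1
    fi
  done
  return "$found"
}

# On a real host, feed it the installed package set:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
# Constructed sample input (not taken from a real system):
SAMPLE='MozillaFirefox 31.1.0esr-1.2
mozilla-nss 3.17.2-8.2
libfreebl3 3.16.4-1.1
bash 4.2-75.2'
printf '%s\n' "$SAMPLE" | find_unpatched || true
```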


References:

   http://support.novell.com/security/cve/CVE-2014-1568.html
   http://support.novell.com/security/cve/CVE-2014-1574.html
   http://support.novell.com/security/cve/CVE-2014-1575.html
   http://support.novell.com/security/cve/CVE-2014-1576.html
   http://support.novell.com/security/cve/CVE-2014-1577.html
   http://support.novell.com/security/cve/CVE-2014-1578.html
   http://support.novell.com/security/cve/CVE-2014-1581.html
   http://support.novell.com/security/cve/CVE-2014-1583.html
   http://support.novell.com/security/cve/CVE-2014-1585.html
   http://support.novell.com/security/cve/CVE-2014-1586.html
   https://bugzilla.suse.com/show_bug.cgi?id=897890
   https://bugzilla.suse.com/show_bug.cgi?id=900941
