Security update for MozillaFirefox and mozilla-nss

SUSE Security Update: Security update for MozillaFirefox and mozilla-nss
Announcement ID: SUSE-SU-2014:1510-1
Rating: moderate
References: #897890 #900941
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Desktop 12

  • An update that fixes 10 vulnerabilities is now available.

    Description:

    - update to Firefox 31.2.0 ESR (bnc#900941)
      * MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994, bmo#1011354,
        bmo#1018916, bmo#1020034, bmo#1023035, bmo#1032208, bmo#1033020,
        bmo#1034230, bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044,
        bmo#1072174) Miscellaneous memory safety hazards (rv:33.0/rv:31.2)
      * MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS
        manipulation
      * MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption
        issues with custom waveforms
      * MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM
        video
      * MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting
        with text directionality
      * MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981)
        Inconsistent video sharing within iframe
      * MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin
        objects via the Alarms API
    - SSLv3 is disabled by default. See README.POODLE for more detailed
      information.

    - disable call home features

    - update to 3.17.2 (bnc#900941) Bugfix release
      * bmo#1049435 - Importing an RSA private key fails if p < q
      * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
      * bmo#1078669 - certutil crashes when using the --certVersion parameter
    - changes from earlier versions of the 3.17 branch:
      update to 3.17.1 (bnc#897890)
      * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature
        Forgery in NSS
      * Change library's signature algorithm default to SHA256
      * Add support for draft-ietf-tls-downgrade-scsv
      * Add clang-cl support to the NSS build system
      * Implement TLS 1.3:
        * Part 1. Negotiate TLS 1.3
        * Part 2. Remove deprecated cipher suites and compression.
      * Add support for little-endian powerpc64
      update to 3.17 (required for Firefox 33)
      New functionality:
      * When using ECDHE, the TLS server code may be configured to generate a
        fresh ephemeral ECDH key for each handshake, by setting the
        SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
        SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
        server's ephemeral ECDH key is reused for multiple handshakes. This
        option does not affect the TLS client code, which always generates a
        fresh ephemeral ECDH key for each handshake.
      New Macros:
      * SSL_REUSE_SERVER_ECDHE_KEY
      Notable Changes:
      * The manual pages for the certutil and pp tools have been updated to
        document the new parameters that had been added in NSS 3.16.2.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12:
      zypper in -t patch SUSE-SLE-SDK-12-2014-81
    • SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2014-81
    • SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2014-81

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):
      • MozillaFirefox-debuginfo-31.2.0esr-6.4
      • MozillaFirefox-debugsource-31.2.0esr-6.4
      • MozillaFirefox-devel-31.2.0esr-6.4
      • mozilla-nss-debuginfo-3.17.2-8.2
      • mozilla-nss-debugsource-3.17.2-8.2
      • mozilla-nss-devel-3.17.2-8.2
    • SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      • MozillaFirefox-31.2.0esr-6.4
      • MozillaFirefox-branding-SLE-31-4.1
      • MozillaFirefox-debuginfo-31.2.0esr-6.4
      • MozillaFirefox-debugsource-31.2.0esr-6.4
      • MozillaFirefox-translations-31.2.0esr-6.4
      • libfreebl3-3.17.2-8.2
      • libfreebl3-debuginfo-3.17.2-8.2
      • libfreebl3-hmac-3.17.2-8.2
      • libsoftokn3-3.17.2-8.2
      • libsoftokn3-debuginfo-3.17.2-8.2
      • libsoftokn3-hmac-3.17.2-8.2
      • mozilla-nss-3.17.2-8.2
      • mozilla-nss-certs-3.17.2-8.2
      • mozilla-nss-certs-debuginfo-3.17.2-8.2
      • mozilla-nss-debuginfo-3.17.2-8.2
      • mozilla-nss-debugsource-3.17.2-8.2
      • mozilla-nss-tools-3.17.2-8.2
      • mozilla-nss-tools-debuginfo-3.17.2-8.2
    • SUSE Linux Enterprise Desktop 12 (x86_64):
      • MozillaFirefox-31.2.0esr-6.4
      • MozillaFirefox-branding-SLE-31-4.1
      • MozillaFirefox-debuginfo-31.2.0esr-6.4
      • MozillaFirefox-debugsource-31.2.0esr-6.4
      • MozillaFirefox-translations-31.2.0esr-6.4
      • libfreebl3-3.17.2-8.2
      • libfreebl3-debuginfo-3.17.2-8.2
      • libsoftokn3-3.17.2-8.2
      • libsoftokn3-debuginfo-3.17.2-8.2
      • mozilla-nss-3.17.2-8.2
      • mozilla-nss-certs-3.17.2-8.2
      • mozilla-nss-certs-debuginfo-3.17.2-8.2
      • mozilla-nss-debuginfo-3.17.2-8.2
      • mozilla-nss-debugsource-3.17.2-8.2
      • mozilla-nss-tools-3.17.2-8.2
      • mozilla-nss-tools-debuginfo-3.17.2-8.2
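    To confirm that a host actually carries the fixed builds listed above, the installed version-release of each package can be compared against the advisory's values. The script below is an added example, not part of the SUSE advisory: it takes lines in the shape produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` (the sample inventory embedded here is constructed, not from a real host) and reports packages still below the fixed version, using a simplified rpmvercmp that ignores epochs and the tilde/caret rules.

```python
import re

# Fixed version-release values taken from the advisory's package list.
FIXED = {
    "MozillaFirefox": "31.2.0esr-6.4",
    "mozilla-nss": "3.17.2-8.2",
    "libfreebl3": "3.17.2-8.2",
    "libsoftokn3": "3.17.2-8.2",
}

SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    # Simplified rpm comparison: split into numeric/alphabetic segments,
    # numbers compare as integers, letters as strings, a numeric segment
    # always beats an alphabetic one, and leftover segments count as newer.
    # (No epoch, tilde or caret handling; fine for the versions on this page.)
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed, fixed):
    # Compare VERSION first, then RELEASE, exactly as rpm orders packages.
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0


def find_vulnerable(rpm_lines):
    # Return the names of listed packages whose installed build is older
    # than the fixed build; packages not in FIXED are ignored.
    vulnerable = []
    for line in rpm_lines.strip().splitlines():
        name, verrel = line.split()
        if name in FIXED and not is_fixed(verrel, FIXED[name]):
            vulnerable.append(name)
    return vulnerable


# Constructed sample inventory: two packages are still pre-update.
SAMPLE = """\
MozillaFirefox 31.1.0esr-5.1
mozilla-nss 3.17.2-8.2
libfreebl3 3.16.4-1.3
libsoftokn3 3.17.2-8.2
"""

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE))  # ['MozillaFirefox', 'libfreebl3']
```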

    References:

    • http://support.novell.com/security/cve/CVE-2014-1568.html
    • http://support.novell.com/security/cve/CVE-2014-1574.html
    • http://support.novell.com/security/cve/CVE-2014-1575.html
    • http://support.novell.com/security/cve/CVE-2014-1576.html
    • http://support.novell.com/security/cve/CVE-2014-1577.html
    • http://support.novell.com/security/cve/CVE-2014-1578.html
    • http://support.novell.com/security/cve/CVE-2014-1581.html
    • http://support.novell.com/security/cve/CVE-2014-1583.html
    • http://support.novell.com/security/cve/CVE-2014-1585.html
    • http://support.novell.com/security/cve/CVE-2014-1586.html
    • https://bugzilla.suse.com/show_bug.cgi?id=897890
    • https://bugzilla.suse.com/show_bug.cgi?id=900941