openSUSE Security Update : MozillaFirefox / MozillaThunderbird / mozilla-nspr / etc (openSUSE-SU-2013:1348-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Changes in seamonkey :

- update to SeaMonkey 2.20 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
memory safety hazards

- MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
mutating DOM during SetBody

- MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow
when generating CRMF requests

- MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV
audio file decoding

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
XrayWrappers using XBL Scopes

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- requires NSPR 4.10 and NSS 3.15

- removed obsolete seamonkey-shared-nss-db.patch

Changes in seamonkey :

- update to SeaMonkey 2.20 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
memory safety hazards

- MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
mutating DOM during SetBody

- MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow
when generating CRMF requests

- MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV
audio file decoding

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
XrayWrappers using XBL Scopes

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- requires NSPR 4.10 and NSS 3.15

- removed obsolete seamonkey-shared-nss-db.patch

Changes in xulrunner :

- update to 17.0.8esr (bnc#833389)

- MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
hazards

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

Changes in xulrunner :

- update to 17.0.8esr (bnc#833389)

- MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
hazards

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

Changes in MozillaThunderbird :

- update to Thunderbird 17.0.8 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
hazards

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- update Enigmail to 1.5.2

- bugfix release

Changes in MozillaThunderbird :

- update to Thunderbird 17.0.8 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701 Miscellaneous memory safety
hazards

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- update Enigmail to 1.5.2

- bugfix release

Changes in mozilla-nss :

- fix 32bit requirement, it's without () actually

- update to 3.15.1

- TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher
suites (RFC 5246 and RFC 5289) are supported, allowing
TLS to be used without MD5 and SHA-1. Note the following
limitations: The hash function used in the signature for
TLS 1.2 client authentication must be the hash function
of the TLS 1.2 PRF, which is always SHA-256 in NSS
3.15.1. AES GCM cipher suites are not yet supported.

- some bugfixes and improvements

- require libnssckbi instead of mozilla-nss-certs so
p11-kit can conflict with the latter (fate#314991)

- update to 3.15

- Packaging

+ removed obsolete patches

- nss-disable-expired-testcerts.patch

- bug-834091.patch

- New Functionality

+ Support for OCSP Stapling (RFC 6066, Certificate Status
Request) has been added for both client and server
sockets. TLS client applications may enable this via a
call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING,
PR_TRUE);

+ Added function SECITEM_ReallocItemV2. It replaces
function SECITEM_ReallocItem, which is now declared as
obsolete.

+ Support for single-operation (eg: not multi-part)
symmetric key encryption and decryption, via
PK11_Encrypt and PK11_Decrypt.

+ certutil has been updated to support creating name
constraints extensions.

- New Functions in ssl.h SSL_PeerStapledOCSPResponse -
Returns the server's stapled OCSP response, when used
with a TLS client socket that negotiated the
status_request extension. SSL_SetStapledOCSPResponses -
Set's a stapled OCSP response for a TLS server socket to
return when clients send the status_request extension.
in ocsp.h CERT_PostOCSPRequest - Primarily intended for
testing, permits the sending and receiving of raw OCSP
request/responses. in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a
PKCS#7 signature at a specific time other than the
present time. in xconst.h
CERT_EncodeNameConstraintsExtension - Matching function
for CERT_DecodeNameConstraintsExtension, added in NSS
3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray
SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions
to handle the allocation and deallocation of
SECItemArrays SECITEM_ReallocItemV2 - Replaces
SECITEM_ReallocItem, which is now obsolete.
SECITEM_ReallocItemV2 better matches caller
expectations, in that it updates item->len on
allocation. For more details of the issues with
SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in
pk11pub.h PK11_Decrypt - Performs decryption as a single
PKCS#11 operation (eg: not multi-part). This is
necessary for AES-GCM. PK11_Encrypt - Performs
encryption as a single PKCS#11 operation (eg: not
multi-part). This is necessary for AES-GCM.

- New Types in secitem.h SECItemArray - Represents a
variable-length array of SECItems.

- New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with
SSL_OptionSet to configure TLS client sockets to request
the certificate_status extension (eg: OCSP stapling)
when set to PR_TRUE

- Notable changes

+ SECITEM_ReallocItem is now deprecated. Please consider
using SECITEM_ReallocItemV2 in all future code.

+ The list of root CA certificates in the nssckbi module
has been updated.

+ The default implementation of SSL_AuthCertificate has
been updated to add certificate status responses stapled
by the TLS server to the OCSP cache.

- a lot of bugfixes

- Add Source URL, see https://en.opensuse.org/SourceUrls

Changes in mozilla-nss :

- fix 32bit requirement, it's without () actually

- update to 3.15.1

- TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher
suites (RFC 5246 and RFC 5289) are supported, allowing
TLS to be used without MD5 and SHA-1. Note the following
limitations: The hash function used in the signature for
TLS 1.2 client authentication must be the hash function
of the TLS 1.2 PRF, which is always SHA-256 in NSS
3.15.1. AES GCM cipher suites are not yet supported.

- some bugfixes and improvements

- require libnssckbi instead of mozilla-nss-certs so
p11-kit can conflict with the latter (fate#314991)

- update to 3.15

- Packaging

+ removed obsolete patches

- nss-disable-expired-testcerts.patch

- bug-834091.patch

- New Functionality

+ Support for OCSP Stapling (RFC 6066, Certificate Status
Request) has been added for both client and server
sockets. TLS client applications may enable this via a
call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING,
PR_TRUE);

+ Added function SECITEM_ReallocItemV2. It replaces
function SECITEM_ReallocItem, which is now declared as
obsolete.

+ Support for single-operation (eg: not multi-part)
symmetric key encryption and decryption, via
PK11_Encrypt and PK11_Decrypt.

+ certutil has been updated to support creating name
constraints extensions.

- New Functions in ssl.h SSL_PeerStapledOCSPResponse -
Returns the server's stapled OCSP response, when used
with a TLS client socket that negotiated the
status_request extension. SSL_SetStapledOCSPResponses -
Set's a stapled OCSP response for a TLS server socket to
return when clients send the status_request extension.
in ocsp.h CERT_PostOCSPRequest - Primarily intended for
testing, permits the sending and receiving of raw OCSP
request/responses. in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a
PKCS#7 signature at a specific time other than the
present time. in xconst.h
CERT_EncodeNameConstraintsExtension - Matching function
for CERT_DecodeNameConstraintsExtension, added in NSS
3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray
SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions
to handle the allocation and deallocation of
SECItemArrays SECITEM_ReallocItemV2 - Replaces
SECITEM_ReallocItem, which is now obsolete.
SECITEM_ReallocItemV2 better matches caller
expectations, in that it updates item->len on
allocation. For more details of the issues with
SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in
pk11pub.h PK11_Decrypt - Performs decryption as a single
PKCS#11 operation (eg: not multi-part). This is
necessary for AES-GCM. PK11_Encrypt - Performs
encryption as a single PKCS#11 operation (eg: not
multi-part). This is necessary for AES-GCM.

- New Types in secitem.h SECItemArray - Represents a
variable-length array of SECItems.

- New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with
SSL_OptionSet to configure TLS client sockets to request
the certificate_status extension (eg: OCSP stapling)
when set to PR_TRUE

- Notable changes

+ SECITEM_ReallocItem is now deprecated. Please consider
using SECITEM_ReallocItemV2 in all future code.

+ The list of root CA certificates in the nssckbi module
has been updated.

+ The default implementation of SSL_AuthCertificate has
been updated to add certificate status responses stapled
by the TLS server to the OCSP cache.

- a lot of bugfixes

- Add Source URL, see https://en.opensuse.org/SourceUrls

Changes in mozilla-nspr :

- update to version 4.10

- bmo#844513: Add AddressSanitizer (ASan) memory check
annotations to PLArena.

- bmo#849089: Simple changes to make NSPR's configure.in
work with the current version of autoconf.

- bmo#856196: Fix compiler warnings and clean up code in
NSPR 4.10.

- bmo#859066: Fix warning in
nsprpub/pr/src/misc/prnetdb.c.

- bmo#859830: Deprecate ANDROID_VERSION in favor of
android/api-level.h.

- bmo#861434: Make PR_SetThreadPriority() change
priorities relatively to the main process instead of
using absolute values on Linux.

- bmo#871064L: _PR_InitThreads() should not call
PR_SetThreadPriority.

Changes in mozilla-nspr :

- update to version 4.10

- bmo#844513: Add AddressSanitizer (ASan) memory check
annotations to PLArena.

- bmo#849089: Simple changes to make NSPR's configure.in
work with the current version of autoconf.

- bmo#856196: Fix compiler warnings and clean up code in
NSPR 4.10.

- bmo#859066: Fix warning in
nsprpub/pr/src/misc/prnetdb.c.

- bmo#859830: Deprecate ANDROID_VERSION in favor of
android/api-level.h.

- bmo#861434: Make PR_SetThreadPriority() change
priorities relatively to the main process instead of
using absolute values on Linux.

- bmo#871064L: _PR_InitThreads() should not call
PR_SetThreadPriority.

Changes in MozillaFirefox :

- update to Firefox 23.0 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
memory safety hazards

- MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
mutating DOM during SetBody

- MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow
when generating CRMF requests

- MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV
audio file decoding

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
XrayWrappers using XBL Scopes

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- requires NSPR 4.10 and NSS 3.15

- fix build on ARM (/-g/ matches /-grecord-switches/)

Changes in MozillaFirefox :

- update to Firefox 23.0 (bnc#833389)

- MFSA 2013-63/CVE-2013-1701/CVE-2013-1702 Miscellaneous
memory safety hazards

- MFSA 2013-64/CVE-2013-1704 (bmo#883313) Use after free
mutating DOM during SetBody

- MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow
when generating CRMF requests

- MFSA 2013-67/CVE-2013-1708 (bmo#879924) Crash during WAV
audio file decoding

- MFSA 2013-68/CVE-2013-1709 (bmo#838253) Document URI
misrepresentation and masquerading

- MFSA 2013-69/CVE-2013-1710 (bmo#871368) CRMF requests
allow for code execution and XSS attacks

- MFSA 2013-70/CVE-2013-1711 (bmo#843829) Bypass of
XrayWrappers using XBL Scopes

- MFSA 2013-72/CVE-2013-1713 (bmo#887098) Wrong principal
used for validating URI for some JavaScript components

- MFSA 2013-73/CVE-2013-1714 (bmo#879787) Same-origin
bypass with web workers and XMLHttpRequest

- MFSA 2013-75/CVE-2013-1717 (bmo#406541, bmo#738397)
Local Java applets may read contents of local file
system

- requires NSPR 4.10 and NSS 3.15

- fix build on ARM (/-g/ matches /-grecord-switches/)

See also :

http://lists.opensuse.org/opensuse-updates/2013-08/msg00036.html
https://bugzilla.novell.com/show_bug.cgi?id=833389
https://en.opensuse.org/SourceUrls

Solution :

Update the affected MozillaFirefox / MozillaThunderbird / mozilla-nspr / etc packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now