openSUSE Security Update : MozillaFirefox (openSUSE-SU-2014:0599-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This is a MozillaFirefox update to version 29.0 :

- MFSA 2014-34/CVE-2014-1518/CVE-2014-1519 Miscellaneous
memory safety hazards

- MFSA 2014-36/CVE-2014-1522 (bmo#995289) Web Audio memory
corruption issues

- MFSA 2014-37/CVE-2014-1523 (bmo#969226) Out of bounds
read while decoding JPG images

- MFSA 2014-38/CVE-2014-1524 (bmo#989183) Buffer overflow
when using non-XBL object as XBL

- MFSA 2014-39/CVE-2014-1525 (bmo#989210) Use-after-free
in the Text Track Manager for HTML video

- MFSA 2014-41/CVE-2014-1528 (bmo#963962) Out-of-bounds
write in Cairo

- MFSA 2014-42/CVE-2014-1529 (bmo#987003) Privilege
escalation through Web Notification API

- MFSA 2014-43/CVE-2014-1530 (bmo#895557) Cross-site
scripting (XSS) using history navigations

- MFSA 2014-44/CVE-2014-1531 (bmo#987140) Use-after-free
in imgLoader while resizing images

- MFSA 2014-45/CVE-2014-1492 (bmo#903885) Incorrect IDNA
domain name matching for wildcard certificates (fixed by
NSS 3.16)

- MFSA 2014-46/CVE-2014-1532 (bmo#966006) Use-after-free
in nsHostResolver

- MFSA 2014-47/CVE-2014-1526 (bmo#988106) Debugger can
bypass XrayWrappers with JavaScript

- rebased patches

- removed obsolete patches

- firefox-browser-css.patch

- mozilla-aarch64-599882cfb998.diff

- mozilla-aarch64-bmo-963028.patch

- mozilla-aarch64-bmo-963029.patch

- mozilla-aarch64-bmo-963030.patch

- mozilla-aarch64-bmo-963031.patch

- requires NSS 3.16

- added mozilla-icu-strncat.patch to fix post build checks

- add mozilla-aarch64-599882cfb998.patch,
mozilla-aarch64-bmo-963031.patch: AArch64 porting

- Add patch for bmo#973977

- mozilla-ppc64-xpcom.patch

- Refresh mozilla-ppc64le-xpcom.patch patch

- Adapt mozilla-ppc64le-xpcom.patch to Mozilla > 24.0
build system

This is also a mozilla-nss update to version 3.16 :

- required for Firefox 29

- bmo#903885 - (CVE-2014-1492) In a wildcard certificate,
the wildcard character should not be embedded within the
U-label of an internationalized domain name. See the
last bullet point in RFC 6125, Section 7.2.

- Supports the Linux x32 ABI. To build for the Linux x32
target, set the environment variable USE_X32=1 when
building NSS. New Functions :

- NSS_CMSSignerInfo_Verify New Macros

etc., cipher suites that were first defined in SSL 3.0
can now be referred to with their official IANA names in
TLS, with the TLS_ prefix. Previously, they had to be
referred to with their names in SSL 3.0, with the SSL_
prefix. Notable Changes :

- ECC is enabled by default. It is no longer necessary to
set the environment variable NSS_ENABLE_ECC=1 when
building NSS. To disable ECC, set the environment
variable NSS_DISABLE_ECC=1 when building NSS.

- libpkix should not include the common name of CA as DNS
names when evaluating name constraints.

- AESKeyWrap_Decrypt should not return SECSuccess for
invalid keys.

- Fix a memory corruption in sec_pkcs12_new_asafe.

- If the NSS_SDB_USE_CACHE environment variable is set,
skip the runtime test sdb_measureAccess.

- The built-in roots module has been updated to version
1.97, which adds, removes, and distrusts several

- The atob utility has been improved to automatically
ignore lines of text that aren't in base64 format.

- The certutil utility has been improved to support
creation of version 1 and version 2 certificates, in
addition to the existing version 3 support.

See also :

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now