openSUSE Security Update : firefox / mozilla-nspr / mozilla-nss (openSUSE-SU-2014:1344-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- update to Firefox 33.0 (bnc#900941)

New features :

- OpenH264 support (sandboxed)

- Enhanced Tiles

- Improved search experience through the location bar

- Slimmer and faster JavaScript strings

- New CSP (Content Security Policy) backend

- Support for connecting to HTTP proxy over HTTPS

- Improved reliability of the session restoration

- Proprietary window.crypto properties/functions removed

Security :

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous
memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow
during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio
memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds
write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further
uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free
interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,
bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,
bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing
cross-origin objects via the Alarms API (only relevant
for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

- added basic appdata information

- update to SeaMonkey 2.30 (bnc#900941)

- venkman debugger removed from application and therefore
obsolete package seamonkey-venkman

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous
memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow
during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio
memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds
write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further
uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free
interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095,
bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,
bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing
cross-origin objects via the Alarms API (only relevant
for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

Changes in mozilla-nss :

- update to 3.17.1 (bnc#897890)

- Change library's signature algorithm default to SHA256

- Add support for draft-ietf-tls-downgrade-scsv

- Add clang-cl support to the NSS build system

- Implement TLS 1.3 :

- Part 1. Negotiate TLS 1.3

- Part 2. Remove deprecated cipher suites and compression.

- Add support for little-endian powerpc64

- update to 3.17

- required for Firefox 33

New functionality :

- When using ECDHE, the TLS server code may be configured
to generate a fresh ephemeral ECDH key for each
handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY
socket option to PR_FALSE. The
SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE,
which means the server's ephemeral ECDH key is reused
for multiple handshakes. This option does not affect the
TLS client code, which always generates a fresh
ephemeral ECDH key for each handshake.

New Macros :

- SSL_REUSE_SERVER_ECDHE_KEY

Notable Changes :

- The manual pages for the certutil and pp tools have been
updated to document the new parameters that had been
added in NSS 3.16.2.

- On Windows, the new build variable USE_STATIC_RTL can be
used to specify that the static C runtime library should be
used. By default the dynamic C runtime library is used.

Changes in mozilla-nspr :

- update to version 4.10.7

- bmo#836658: VC11+ defaults to SSE2 builds by default.

- bmo#979278: TSan: data race
nsprpub/pr/src/threads/prtpd.c:103
PR_NewThreadPrivateIndex.

- bmo#1026129: Replace some manual declarations of MSVC
intrinsics with #include <intrin.h>.

- bmo#1026469: Use AC_CHECK_LIB instead of
MOZ_CHECK_PTHREADS. Skip compiler checks when using
MSVC, even when $CC is not literally 'cl'.

- bmo#1034415: NSPR hardcodes the C compiler to cl on
Windows.

- bmo#1042408: Compilation fix for Android > API level 19.

- bmo#1043082: NSPR's build system hardcodes -MD.

See also :

http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1012609
https://bugzilla.mozilla.org/show_bug.cgi?id=1015540
https://bugzilla.mozilla.org/show_bug.cgi?id=1026129
https://bugzilla.mozilla.org/show_bug.cgi?id=1026469
https://bugzilla.mozilla.org/show_bug.cgi?id=1034415
https://bugzilla.mozilla.org/show_bug.cgi?id=1041512
https://bugzilla.mozilla.org/show_bug.cgi?id=1042408
https://bugzilla.mozilla.org/show_bug.cgi?id=1043082
https://bugzilla.mozilla.org/show_bug.cgi?id=1049095
https://bugzilla.mozilla.org/show_bug.cgi?id=1062876
https://bugzilla.mozilla.org/show_bug.cgi?id=1062981
https://bugzilla.mozilla.org/show_bug.cgi?id=1063327
https://bugzilla.mozilla.org/show_bug.cgi?id=1063733
https://bugzilla.mozilla.org/show_bug.cgi?id=1063971
https://bugzilla.mozilla.org/show_bug.cgi?id=1066190
https://bugzilla.mozilla.org/show_bug.cgi?id=1068218
https://bugzilla.mozilla.org/show_bug.cgi?id=836658
https://bugzilla.mozilla.org/show_bug.cgi?id=979278
https://bugzilla.opensuse.org/show_bug.cgi?id=894370
https://bugzilla.opensuse.org/show_bug.cgi?id=896624
https://bugzilla.opensuse.org/show_bug.cgi?id=897890
https://bugzilla.opensuse.org/show_bug.cgi?id=900941
https://bugzilla.opensuse.org/show_bug.cgi?id=901213

Solution :

Update the affected firefox / mozilla-nspr / mozilla-nss packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
