openSUSE Security Update : MozillaFirefox (openSUSE-2017-187)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for MozillaFirefox to version 51.0.1 fixes security issues
and bugs.

These security issues were fixed :

- CVE-2017-5375: Excessive JIT code allocation allows
bypass of ASLR and DEP (bmo#1325200, boo#1021814)

- CVE-2017-5376: Use-after-free in XSL (bmo#1311687,
boo#1021817)

- CVE-2017-5377: Memory corruption with transforms to
create gradients in Skia (bmo#1306883, boo#1021826)

- CVE-2017-5378: Pointer and frame data leakage of
JavaScript objects (bmo#1312001, bmo#1330769,
boo#1021818)

- CVE-2017-5379: Use-after-free in Web Animations
(bmo#1309198, boo#1021827)

- CVE-2017-5380: Potential use-after-free during DOM
manipulations (bmo#1322107, boo#1021819)

- CVE-2017-5390: Insecure communication methods in
Developer Tools JSON viewer (bmo#1297361, boo#1021820)

- CVE-2017-5389: WebExtensions can install additional
add-ons via modified host requests (bmo#1308688,
boo#1021828)

- CVE-2017-5396: Use-after-free with Media Decoder
(bmo#1329403, boo#1021821)

- CVE-2017-5381: Certificate Viewer exporting can be used
to navigate and save to arbitrary filesystem locations
(bmo#1017616, boo#1021830)

- CVE-2017-5382: Feed preview can expose privileged
content errors and exceptions (bmo#1295322, boo#1021831)

- CVE-2017-5383: Location bar spoofing with unicode
characters (bmo#1323338, bmo#1324716, boo#1021822)

- CVE-2017-5384: Information disclosure via Proxy
Auto-Config (PAC) (bmo#1255474, boo#1021832)

- CVE-2017-5385: Data sent in multipart channels ignores
referrer-policy response headers (bmo#1295945,
boo#1021833)

- CVE-2017-5386: WebExtensions can use data: protocol to
affect other extensions (bmo#1319070, boo#1021823)

- CVE-2017-5391: Content about: pages can load privileged
about: pages (bmo#1309310, boo#1021835)

- CVE-2017-5393: Remove addons.mozilla.org CDN from
whitelist for mozAddonManager (bmo#1309282, boo#1021837)

- CVE-2017-5387: Disclosure of local file existence
through TRACK tag error messages (bmo#1295023,
boo#1021839)

- CVE-2017-5388: WebRTC can be used to generate a large
amount of UDP traffic for DDOS attacks (bmo#1281482,
boo#1021840)

- CVE-2017-5374: Memory safety bugs (boo#1021841)

- CVE-2017-5373: Memory safety bugs (boo#1021824)

These non-security issues in MozillaFirefox were fixed :

- Added support for FLAC (Free Lossless Audio Codec)
playback

- Added support for WebGL 2

- Added Georgian (ka) and Kabyle (kab) locales

- Support saving passwords for forms without 'submit'
events

- Improved video performance for users without GPU
acceleration

- Zoom indicator is shown in the URL bar if the zoom level
is not at default level

- View passwords from the prompt before saving them

- Remove Belarusian (be) locale

- Use Skia for content rendering (Linux)

- Improve recognition of LANGUAGE env variable
(boo#1017174)

- Multiprocess incompatibility did not correctly register
with some add-ons (bmo#1333423)

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1017174
https://bugzilla.opensuse.org/show_bug.cgi?id=1021814
https://bugzilla.opensuse.org/show_bug.cgi?id=1021817
https://bugzilla.opensuse.org/show_bug.cgi?id=1021818
https://bugzilla.opensuse.org/show_bug.cgi?id=1021819
https://bugzilla.opensuse.org/show_bug.cgi?id=1021820
https://bugzilla.opensuse.org/show_bug.cgi?id=1021821
https://bugzilla.opensuse.org/show_bug.cgi?id=1021822
https://bugzilla.opensuse.org/show_bug.cgi?id=1021823
https://bugzilla.opensuse.org/show_bug.cgi?id=1021824
https://bugzilla.opensuse.org/show_bug.cgi?id=1021826
https://bugzilla.opensuse.org/show_bug.cgi?id=1021827
https://bugzilla.opensuse.org/show_bug.cgi?id=1021828
https://bugzilla.opensuse.org/show_bug.cgi?id=1021830
https://bugzilla.opensuse.org/show_bug.cgi?id=1021831
https://bugzilla.opensuse.org/show_bug.cgi?id=1021832
https://bugzilla.opensuse.org/show_bug.cgi?id=1021833
https://bugzilla.opensuse.org/show_bug.cgi?id=1021835
https://bugzilla.opensuse.org/show_bug.cgi?id=1021837
https://bugzilla.opensuse.org/show_bug.cgi?id=1021839
https://bugzilla.opensuse.org/show_bug.cgi?id=1021840
https://bugzilla.opensuse.org/show_bug.cgi?id=1021841

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

High