openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2017-344)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for MozillaFirefox and mozilla-nss fixes the following
issues :

MozillaFirefox was updated to Firefox 52.0 (boo#1028391)

- requires NSS >= 3.28.3

- Pages containing insecure password fields now display a
warning directly within username and password fields.

- Send and open a tab from one device to another with Sync

- Removed NPAPI support for plugins other than Flash.
Silverlight, Java, Acrobat and the like are no longer
supported.

- Removed Battery Status API to reduce fingerprinting of
users by trackers

- MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of
ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory
Corruption when handling ErrorResult (bmo#1328861)
CVE-2017-5402: Use-after-free working with events in
FontFace objects (bmo#1334876) CVE-2017-5403:
Use-after-free using addRange to add range to an
incorrect root object (bmo#1340186) CVE-2017-5404:
Use-after-free working with ranges in selections
(bmo#1340138) CVE-2017-5406: Segmentation fault in Skia
with canvas operations (bmo#1306890) CVE-2017-5407:
Pixel and history stealing via floating-point timing
side channel with SVG filters (bmo#1336622)
CVE-2017-5410: Memory corruption during JavaScript
garbage collection incremental sweeping (bmo#1330687)
CVE-2017-5408: Cross-origin reading of video captions in
violation of CORS (bmo#1313711) CVE-2017-5412: Buffer
overflow read in SVG filters (bmo#1328323)
CVE-2017-5413: Segmentation fault during bidirectional
operations (bmo#1337504) CVE-2017-5414: File picker can
choose incorrect default directory (bmo#1319370)
CVE-2017-5415: Addressbar spoofing through blob URL
(bmo#1321719) CVE-2017-5416: Null dereference crash in
HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar
spoofing by draging and dropping URLs (bmo#791597)
CVE-2017-5426: Gecko Media Plugin sandbox is not started
if seccomp-bpf filter is running (bmo#1257361)
CVE-2017-5427: Non-existent chrome.manifest file loaded
during startup (bmo#1295542) CVE-2017-5418: Out of
bounds read when parsing HTTP digest authorization
responses (bmo#1338876) CVE-2017-5419: Repeated
authentication prompts lead to DOS attack (bmo#1312243)
CVE-2017-5420: Javascript: URLs can obfuscate addressbar
location (bmo#1284395) CVE-2017-5405: FTP response codes
can cause use of uninitialized values for ports
(bmo#1336699) CVE-2017-5421: Print preview spoofing
(bmo#1301876) CVE-2017-5422: DOS attack by using
view-source: protocol repeatedly in one hyperlink
(bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in
Firefox 52 CVE-2017-5398: Memory safety bugs fixed in
Firefox 52 and Firefox ESR 45.8

mozilla-nss was updated to NSS 3.28.3

- This is a patch release to fix binary compatibility
issues. NSS version 3.28, 3.28.1 and 3.28.2 contained
changes that were in violation with the NSS
compatibility promise. ECParams, which is part of the
public API of the freebl/softokn parts of NSS, had been
changed to include an additional attribute. That size
increase caused crashes or malfunctioning with
applications that use that data structure directly, or
indirectly through ECPublicKey, ECPrivateKey,
NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially
other data structures that reference ECParams. The
change has been reverted to the original state in bug
bmo#1334108. SECKEYECPublicKey had been extended with a
new attribute, named 'encoding'. If an application
passed type SECKEYECPublicKey to NSS (as part of
SECKEYPublicKey), the NSS library read the uninitialized
attribute. With this NSS release
SECKEYECPublicKey.encoding is deprecated. NSS no longer
reads the attribute, and will always set it to
ECPoint_Undefined. See bug bmo#1340103.

- requires NSPR >= 4.13.1

- update to NSS 3.28.2 This is a stability and
compatibility release. Below is a summary of the
changes.

- Fixed a NSS 3.28 regression in the signature scheme
flexibility that causes connectivity issues between iOS
8 clients and NSS servers with ECDSA certificates
(bmo#1334114)

- Fixed a possible crash on some Windows systems
(bmo#1323150)

- Fixed a compatibility issue with TLS clients that do not
provide a list of supported key exchange groups
(bmo#1330612)

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1028391

Solution :

Update the affected MozillaFirefox / mozilla-nss packages.

Risk factor :

High