SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis update brings Mozilla Firefox to the 3.0.14 stable release.
It also fixes various security issues: MFSA 2009-47 / CVE-2009-3069 / CVE-2009-3070 / CVE-2009-3071 / CVE-2009-3072 / CVE-2009-3073 / CVE-2009-3074 / CVE-2009-3075: Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
MFSA 2009-48 / CVE-2009-3076: Mozilla security researcher Jesse Rudermanreported that when security modules were added or removed via pkcs11.addmodule or pkcs11.deletemodule, the resulting dialog was not sufficiently informative. Without sufficient warning, an attacker could entice a victim to install a malicious PKCS11 module and affect the cryptographic integrity of the victim's browser. Security researcher Dan Kaminsky reported that this issue had not been fixed in Firefox 3.0 and that under certain circumstances pkcs11 modules could be installed from a remote location. Firefox 3.5 releases are not affected.
MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.
MFSA 2009-50 / CVE-2009-3078: Security researcher Juan Pablo Lopez Yacubian reported that the default Windows font used to render the locationbar and other text fields was improperly displaying certain Unicode characters with tall line-height. In such cases the tall line-height would cause the rest of the text in the input field to be scrolled vertically out of view. An attacker could use this vulnerability to prevent a user from seeing the URL of a malicious site. Corrie Sloot also independently reported this issue to Mozilla.
SolutionUpdate the affected MozillaFirefox packages.