openSUSE Security Update : firefox / seamonkey / thunderbird (openSUSE-SU-2013:0149-1)
Critical Nessus Plugin ID 74918
Synopsis
The remote openSUSE host is missing a security update.
Description
The Mozilla January 8th 2013 security release contains updates:
Mozilla Firefox was updated to version 18.0. Mozilla SeaMonkey was updated to version 2.15. Mozilla Thunderbird was updated to version 17.0.2. Mozilla XULRunner was updated to version 17.0.2.
- MFSA 2013-01/CVE-2013-0749/CVE-2013-0769/CVE-2013-0770 Miscellaneous memory safety hazards
- MFSA 2013-02/CVE-2013-0760/CVE-2013-0762/CVE-2013-0766/CVE-2013-0767/CVE-2013-0761/CVE-2013-0763/CVE-2013-0771/CVE-2012-5829 Use-after-free and buffer overflow issues found using Address Sanitizer
- MFSA 2013-03/CVE-2013-0768 (bmo#815795) Buffer Overflow in Canvas
- MFSA 2013-04/CVE-2012-0759 (bmo#802026) URL spoofing in addressbar during page loads
- MFSA 2013-05/CVE-2013-0744 (bmo#814713) Use-after-free when displaying table with many columns and column groups
- MFSA 2013-06/CVE-2013-0751 (bmo#790454) Touch events are shared across iframes
- MFSA 2013-07/CVE-2013-0764 (bmo#804237) Crash due to handling of SSL on threads
- MFSA 2013-08/CVE-2013-0745 (bmo#794158) AutoWrapperChanger fails to keep objects alive during garbage collection
- MFSA 2013-09/CVE-2013-0746 (bmo#816842) Compartment mismatch with quickstubs returned values
- MFSA 2013-10/CVE-2013-0747 (bmo#733305) Event manipulation in plugin handler to bypass same-origin policy
- MFSA 2013-11/CVE-2013-0748 (bmo#806031) Address space layout leaked in XBL objects
- MFSA 2013-13/CVE-2013-0752 (bmo#805024) Memory corruption in XBL with XML bindings containing SVG
- MFSA 2013-14/CVE-2013-0757 (bmo#813901) Chrome Object Wrapper (COW) bypass through changing prototype
- MFSA 2013-15/CVE-2013-0758 (bmo#813906) Privilege escalation through plugin objects
- MFSA 2013-16/CVE-2013-0753 (bmo#814001) Use-after-free in serializeToStream
- MFSA 2013-17/CVE-2013-0754 (bmo#814026) Use-after-free in ListenerManager
- MFSA 2013-18/CVE-2013-0755 (bmo#814027) Use-after-free in Vibrate
Mozilla NSPR was updated to 4.9.4, containing some small bugfixes and new features.
Mozilla NSS was updated to 3.14.1, containing various new features, a security fix and bugfixes:
- MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST
Cryptographic changes done:
- Support for TLS 1.1 (RFC 4346)
- Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
- Support for AES-CTR, AES-CTS, and AES-GCM
- Support for Keying Material Exporters for TLS (RFC 5705)
- Support for certificate signatures using the MD5 hash algorithm is now disabled by default
- The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
- Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default.
Please see http://www.mozilla.org/security/announce/ for more information.
Solution
Update the affected firefox / seamonkey / thunderbird packages.