openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2015-185)
High Nessus Plugin ID 81589
SynopsisThe remote openSUSE host is missing a security update.
DescriptionMozillaFirefox, mozilla-nss were updated to fix 18 security issues.
MozillaFirefox was updated to version 36.0. These security issues were fixed :
- CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards
- CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS protections
- CVE-2015-0830: Malicious WebGL content crash when writing strings
- CVE-2015-0834: TLS TURN and STUN connections silently fail to simple TCP connections
- CVE-2015-0831: Use-after-free in IndexedDB
- CVE-2015-0829: Buffer overflow in libstagefright during MP4 video playback
- CVE-2015-0828: Double-free when using non-default memory allocators with a zero-length XHR
- CVE-2015-0827: Out-of-bounds read and write while rendering SVG content
- CVE-2015-0826: Buffer overflow during CSS restyling
- CVE-2015-0825: Buffer underflow during MP3 playback
- CVE-2015-0824: Crash using DrawTarget in Cairo graphics library
- CVE-2015-0823: Use-after-free in Developer Console date with OpenType Sanitiser
- CVE-2015-0822: Reading of local files through manipulation of form autocomplete
- CVE-2015-0821: Local files or privileged URLs in pages can be opened into new tabs
- CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof foreground tabs
mozilla-nss was updated to version 3.17.4 to fix the following issues :
- CVE-2014-1569: QuickDER decoder length issue (bnc#910647).
- bmo#1084986: If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP).
- bmo#1112461: libpkix was fixed to prefer the newest certificate, if multiple certificates match.
- bmo#1094492: fixed a memory corruption issue during failure of keypair generation.
- bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode.
- bmo#1119983: fixed interoperability of NSS server code with a LibreSSL client.
SolutionUpdate the affected MozillaFirefox / mozilla-nss packages.