openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2017-344)
Critical Nessus Plugin ID 97747
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis update for MozillaFirefox and mozilla-nss fixes the following issues :
MozillaFirefox was updated to Firefox 52.0 (boo#1028391)
- requires NSS >= 3.28.3
- Pages containing insecure password fields now display a warning directly within username and password fields.
- Send and open a tab from one device to another with Sync
- Removed NPAPI support for plugins other than Flash.
Silverlight, Java, Acrobat and the like are no longer supported.
- Removed Battery Status API to reduce fingerprinting of users by trackers
- MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory Corruption when handling ErrorResult (bmo#1328861) CVE-2017-5402: Use-after-free working with events in FontFace objects (bmo#1334876) CVE-2017-5403:
Use-after-free using addRange to add range to an incorrect root object (bmo#1340186) CVE-2017-5404:
Use-after-free working with ranges in selections (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia with canvas operations (bmo#1306890) CVE-2017-5407:
mozilla-nss was updated to NSS 3.28.3
- This is a patch release to fix binary compatibility issues. NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS compatibility promise. ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to include an additional attribute. That size increase caused crashes or malfunctioning with applications that use that data structure directly, or indirectly through ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that reference ECParams. The change has been reverted to the original state in bug bmo#1334108. SECKEYECPublicKey had been extended with a new attribute, named 'encoding'. If an application passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no longer reads the attribute, and will always set it to ECPoint_Undefined. See bug bmo#1340103.
- requires NSPR >= 4.13.1
- update to NSS 3.28.2 This is a stability and compatibility release. Below is a summary of the changes.
- Fixed a NSS 3.28 regression in the signature scheme flexibility that causes connectivity issues between iOS 8 clients and NSS servers with ECDSA certificates (bmo#1334114)
- Fixed a possible crash on some Windows systems (bmo#1323150)
- Fixed a compatibility issue with TLS clients that do not provide a list of supported key exchange groups (bmo#1330612)
SolutionUpdate the affected MozillaFirefox / mozilla-nss packages.