Update to Firefox 31.7.0esr SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0892-1 Final 1 1 2015-05-18T06:51:46Z current 2015-05-18T06:51:46Z 2015-05-18T06:51:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Update to Firefox 31.7.0esr - update to Firefox 31.7.0esr (bnc#930622) * MFSA 2015-46/CVE-2015-2708 Miscellaneous memory safety hazards * MFSA 2015-47/VE-2015-0797 (bmo#1080995) Buffer overflow parsing H.264 video with Linux Gstreamer * MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow with SVG content and CSS * MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free during text processing with vertical text enabled * MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow when parsing compressed XML * MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege escalation through IPC channel messages The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html E-Mail link for openSUSE-SU-2015:0892-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Evergreen 11.4 MozillaFirefox-31.7.0-140.1 MozillaFirefox-branding-upstream-31.7.0-140.1 MozillaFirefox-buildsymbols-31.7.0-140.1 MozillaFirefox-debuginfo-31.7.0-140.1 MozillaFirefox-debugsource-31.7.0-140.1 MozillaFirefox-devel-31.7.0-140.1 MozillaFirefox-translations-common-31.7.0-140.1 MozillaFirefox-translations-other-31.7.0-140.1 MozillaFirefox-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-branding-upstream-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-buildsymbols-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-debuginfo-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-debugsource-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-devel-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-translations-common-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 MozillaFirefox-translations-other-31.7.0-140.1 as a component of openSUSE Evergreen 11.4 The Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168, as used in Mozilla Firefox before 38.0 and other products, does not properly validate messages, which has unspecified impact and attack vectors. CVE-2011-3079 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2011-3079.html CVE-2011-3079 https://bugzilla.suse.com/760264 SUSE Bug 760264 https://bugzilla.suse.com/930622 SUSE Bug 930622 Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818. CVE-2015-0801 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-0801.html CVE-2015-0801 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925401 SUSE Bug 925401 The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638. CVE-2015-0807 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-0807.html CVE-2015-0807 https://bugzilla.suse.com/913068 SUSE Bug 913068 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925398 SUSE Bug 925398 Use-after-free vulnerability in the AppendElements function in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 on Linux, when the Fluendo MP3 plugin for GStreamer is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted MP3 file. CVE-2015-0813 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-0813.html CVE-2015-0813 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925393 SUSE Bug 925393 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-0815 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-0815.html CVE-2015-0815 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925392 SUSE Bug 925392 Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. CVE-2015-0816 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-0816.html CVE-2015-0816 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925395 SUSE Bug 925395 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-2708 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-2708.html CVE-2015-2708 https://bugzilla.suse.com/930622 SUSE Bug 930622 Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code via crafted SVG graphics data in conjunction with a crafted Cascading Style Sheets (CSS) token sequence. CVE-2015-2710 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-2710.html CVE-2015-2710 https://bugzilla.suse.com/930622 SUSE Bug 930622 Use-after-free vulnerability in the SetBreaks function in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a document containing crafted text in conjunction with a Cascading Style Sheets (CSS) token sequence containing properties related to vertical text. CVE-2015-2713 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-2713.html CVE-2015-2713 https://bugzilla.suse.com/930622 SUSE Bug 930622 Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. CVE-2015-2716 openSUSE Evergreen 11.4:MozillaFirefox-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-branding-upstream-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-buildsymbols-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debuginfo-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-debugsource-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-devel-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-common-31.7.0-140.1 openSUSE Evergreen 11.4:MozillaFirefox-translations-other-31.7.0-140.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html https://www.suse.com/security/cve/CVE-2015-2716.html CVE-2015-2716 https://bugzilla.suse.com/930622 SUSE Bug 930622 https://bugzilla.suse.com/980391 SUSE Bug 980391 https://bugzilla.suse.com/983985 SUSE Bug 983985