Security update for MozillaFirefox, mozilla-nss SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2386-1 Final 1 1 2016-09-26T12:57:34Z current 2016-09-26T12:57:34Z 2016-09-26T12:57:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox, mozilla-nss MozillaFirefox was updated to version 49.0 (boo#999701) - New features * Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP logins. * Added features to Reader Mode that make it easier on the eyes and the ears * Improved video performance for users on systems that support SSE3 without hardware acceleration * Added context menu controls to HTML5 audio and video that let users loops files or play files at 1.25x speed * Improvements in about:memory reports for tracking font memory usage - Security related fixes * MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274 (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame CVE-2016-5279 (bmo#1249522) - Full local path of files is available to web pages after drag and drop CVE-2016-5280 (bmo#1289970) - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons from non-whitelisted schemes CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can reveal cross-origin data CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 - requires NSS 3.25 - Mozilla Firefox 48.0.2: * Mitigate a startup crash issue caused on Windows (bmo#1291738) mozilla-nss was updated to NSS 3.25. New functionality: * Implemented DHE key agreement for TLS 1.3 * Added support for ChaCha with TLS 1.3 * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF * In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed. * Several functions have been added to the public API of the NSS Cryptoki Framework. New functions: * NSSCKFWSlot_GetSlotID * NSSCKFWSession_GetFWSlot * NSSCKFWInstance_DestroySessionHandle * NSSCKFWInstance_FindSessionHandle Notable changes: * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3 * Regression fix: NSS no longer reports a failure if an application attempts to disable the SSLv2 protocol. * The list of trusted CA certificates has been updated to version 2.8 * The following CA certificate was Removed Sonera Class1 CA * The following CA certificates were Added Hellenic Academic and Research Institutions RootCA 2015 Hellenic Academic and Research Institutions ECC RootCA 2015 Certplus Root CA G1 Certplus Root CA G2 OpenTrust Root CA G1 OpenTrust Root CA G2 OpenTrust Root CA G3 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html E-Mail link for openSUSE-SU-2016:2386-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings MozillaFirefox-49.0.1-125.2 MozillaFirefox-branding-upstream-49.0.1-125.2 MozillaFirefox-buildsymbols-49.0.1-125.2 MozillaFirefox-devel-49.0.1-125.2 MozillaFirefox-translations-common-49.0.1-125.2 MozillaFirefox-translations-other-49.0.1-125.2 libfreebl3-3.25-91.1 libfreebl3-32bit-3.25-91.1 libsoftokn3-3.25-91.1 libsoftokn3-32bit-3.25-91.1 mozilla-nss-3.25-91.1 mozilla-nss-32bit-3.25-91.1 mozilla-nss-certs-3.25-91.1 mozilla-nss-certs-32bit-3.25-91.1 mozilla-nss-devel-3.25-91.1 mozilla-nss-sysinit-3.25-91.1 mozilla-nss-sysinit-32bit-3.25-91.1 mozilla-nss-tools-3.25-91.1 The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a Content Security Policy (CSP) referrer directive with zero values. CVE-2016-2827 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-2827.html CVE-2016-2827 https://bugzilla.suse.com/999701 SUSE Bug 999701 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-5256 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5256.html CVE-2016-5256 https://bugzilla.suse.com/999701 SUSE Bug 999701 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4 and Thunderbird < 45.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2016-5257 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5257.html CVE-2016-5257 https://bugzilla.suse.com/999701 SUSE Bug 999701 Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion. CVE-2016-5270 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5270.html CVE-2016-5270 https://bugzilla.suse.com/999701 SUSE Bug 999701 The PropertyProvider::GetSpacingInternal function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via text runs in conjunction with a "display: contents" Cascading Style Sheets (CSS) property. CVE-2016-5271 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5271.html CVE-2016-5271 https://bugzilla.suse.com/999701 SUSE Bug 999701 The nsImageGeometryMixin class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site. CVE-2016-5272 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5272.html CVE-2016-5272 https://bugzilla.suse.com/999701 SUSE Bug 999701 The mozilla::a11y::HyperTextAccessible::GetChildOffset function in the accessibility implementation in Mozilla Firefox before 49.0 allows remote attackers to execute arbitrary code via a crafted web site. CVE-2016-5273 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5273.html CVE-2016-5273 https://bugzilla.suse.com/999701 SUSE Bug 999701 Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation. CVE-2016-5274 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5274.html CVE-2016-5274 https://bugzilla.suse.com/999701 SUSE Bug 999701 Buffer overflow in the mozilla::gfx::FilterSupport::ComputeSourceNeededRegions function in Mozilla Firefox before 49.0 allows remote attackers to execute arbitrary code by leveraging improper interaction between empty filters and CANVAS element rendering. CVE-2016-5275 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5275.html CVE-2016-5275 https://bugzilla.suse.com/999701 SUSE Bug 999701 Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute. CVE-2016-5276 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5276.html CVE-2016-5276 https://bugzilla.suse.com/999701 SUSE Bug 999701 Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation. CVE-2016-5277 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5277.html CVE-2016-5277 https://bugzilla.suse.com/999701 SUSE Bug 999701 Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code via a crafted image data that is mishandled during the encoding of an image frame to an image. CVE-2016-5278 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5278.html CVE-2016-5278 https://bugzilla.suse.com/999701 SUSE Bug 999701 Mozilla Firefox before 49.0 allows user-assisted remote attackers to obtain sensitive full-pathname information during a local-file drag-and-drop operation via crafted JavaScript code. CVE-2016-5279 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5279.html CVE-2016-5279 https://bugzilla.suse.com/999701 SUSE Bug 999701 Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code via bidirectional text. CVE-2016-5280 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5280.html CVE-2016-5280 https://bugzilla.suse.com/999701 SUSE Bug 999701 Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document. CVE-2016-5281 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5281.html CVE-2016-5281 https://bugzilla.suse.com/999701 SUSE Bug 999701 Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource. CVE-2016-5282 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5282.html CVE-2016-5282 https://bugzilla.suse.com/999701 SUSE Bug 999701 Mozilla Firefox before 49.0 allows remote attackers to bypass the Same Origin Policy via a crafted fragment identifier in the SRC attribute of an IFRAME element, leading to insufficient restrictions on link-color information after a document is resized. CVE-2016-5283 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5283.html CVE-2016-5283 https://bugzilla.suse.com/999701 SUSE Bug 999701 Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority. CVE-2016-5284 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00021.html https://www.suse.com/security/cve/CVE-2016-5284.html CVE-2016-5284 https://bugzilla.suse.com/999701 SUSE Bug 999701