openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1390-1
Rating:             important
References:         #940806 #940918 
Cross-References:   CVE-2015-4473 CVE-2015-4474 CVE-2015-4475
                    CVE-2015-4477 CVE-2015-4478 CVE-2015-4479
                    CVE-2015-4480 CVE-2015-4481 CVE-2015-4482
                    CVE-2015-4483 CVE-2015-4484 CVE-2015-4485
                    CVE-2015-4486 CVE-2015-4487 CVE-2015-4488
                    CVE-2015-4489 CVE-2015-4490 CVE-2015-4491
                    CVE-2015-4492 CVE-2015-4493 CVE-2015-4495
                   
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:


   - update to Firefox 40.0 (bnc#940806)
     * Added protection against unwanted software downloads
     * Suggested Tiles show sites of interest, based on categories from your
       recent browsing history
     * Hello allows adding a link to conversations to provide context
       on what the conversation will be about
     * New style for add-on manager based on the in-content preferences style
     * Improved scrolling, graphics, and video playback performance with off
       main thread compositing (GNU/Linux only)
     * Graphic blocklist mechanism improved: Firefox version ranges can be
       specified, limiting the number of devices blocked
     security fixes:
     * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety
       hazards
     * MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with
       malformed MP3 file
     * MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream
       playback
     * MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of
       non-configurable JavaScript object properties
     * MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues
       in libstagefright
     * MFSA 2015-84/CVE-2015-4481 (bmo#1171518) Arbitrary file overwriting
       through Mozilla Maintenance Service with hard links (only affected
       Windows)
     * MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with
       Updater and malicious MAR file (does not affect openSUSE RPM packages
       which do not ship the updater)
     * MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST
       bypasses mixed content protections
     * MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared
       memory in JavaScript
     * MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf
       when scaling bitmap images
     * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148)
       Buffer overflows on Libvpx when decoding WebM video
     * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities
       found through code inspection
     * MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security
       Policy allows for asterisk wildcards in violation of CSP specification
     * MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in
       XMLHttpRequest with shared workers
   - added mozilla-no-stdcxx-check.patch
   - removed obsolete patches
     * mozilla-add-glibcxx_use_cxx11_abi.patch
     * firefox-multilocale-chrome.patch
   - rebased patches
   - requires version 40 of the branding package
   - removed browser/searchplugins/ location as it's not valid anymore

   - includes security update to Firefox 39.0.3 (bnc#940918)
     * MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin
       violation and local file stealing via PDF reader


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-547=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.1 (i586 x86_64):

      MozillaFirefox-40.0-82.1
      MozillaFirefox-branding-openSUSE-40-2.3.1
      MozillaFirefox-branding-upstream-40.0-82.1
      MozillaFirefox-buildsymbols-40.0-82.1
      MozillaFirefox-debuginfo-40.0-82.1
      MozillaFirefox-debugsource-40.0-82.1
      MozillaFirefox-devel-40.0-82.1
      MozillaFirefox-translations-common-40.0-82.1
      MozillaFirefox-translations-other-40.0-82.1
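   An added verification example, not part of the advisory: the function below
   audits "name version-release" lines (the shape produced by
   `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`) against the fixed
   versions from the Package List above. It assumes GNU `sort -V` is available
   and uses a constructed sample instead of live rpm output.

```shell
#!/bin/sh
# Added example, not from the openSUSE advisory: report which MozillaFirefox
# packages on a host are at or above the fixed versions from the Package List.

# Fixed version-release per package, taken from the advisory's Package List.
FIXED_VERSIONS="MozillaFirefox 40.0-82.1
MozillaFirefox-branding-openSUSE 40-2.3.1
MozillaFirefox-translations-common 40.0-82.1"

# version_ge A B: succeeds when A >= B. RPM version ordering is approximated
# with GNU sort -V, which is sufficient for dotted numeric version-release
# strings like the ones in this advisory (assumption: sort -V is available).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_installed: reads "name version-release" lines on stdin and prints one
# line per package in FIXED_VERSIONS: "ok", "outdated" or "missing".
audit_installed() {
    installed=$(cat)
    echo "$FIXED_VERSIONS" | while read -r name fixed; do
        have=$(echo "$installed" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "$name missing"
        elif version_ge "$have" "$fixed"; then
            echo "$name ok ($have)"
        else
            echo "$name outdated ($have < $fixed)"
        fi
    done
}

# Constructed sample of an unpatched host (not real rpm output): the main
# package is still at the pre-advisory 39.0.3 build, branding is current,
# and the translations package is not installed at all.
SAMPLE="MozillaFirefox 39.0.3-78.1
MozillaFirefox-branding-openSUSE 40-2.3.1"

# On a real host replace the sample with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_installed
echo "$SAMPLE" | audit_installed
```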


References:

   https://www.suse.com/security/cve/CVE-2015-4473.html
   https://www.suse.com/security/cve/CVE-2015-4474.html
   https://www.suse.com/security/cve/CVE-2015-4475.html
   https://www.suse.com/security/cve/CVE-2015-4477.html
   https://www.suse.com/security/cve/CVE-2015-4478.html
   https://www.suse.com/security/cve/CVE-2015-4479.html
   https://www.suse.com/security/cve/CVE-2015-4480.html
   https://www.suse.com/security/cve/CVE-2015-4481.html
   https://www.suse.com/security/cve/CVE-2015-4482.html
   https://www.suse.com/security/cve/CVE-2015-4483.html
   https://www.suse.com/security/cve/CVE-2015-4484.html
   https://www.suse.com/security/cve/CVE-2015-4485.html
   https://www.suse.com/security/cve/CVE-2015-4486.html
   https://www.suse.com/security/cve/CVE-2015-4487.html
   https://www.suse.com/security/cve/CVE-2015-4488.html
   https://www.suse.com/security/cve/CVE-2015-4489.html
   https://www.suse.com/security/cve/CVE-2015-4490.html
   https://www.suse.com/security/cve/CVE-2015-4491.html
   https://www.suse.com/security/cve/CVE-2015-4492.html
   https://www.suse.com/security/cve/CVE-2015-4493.html
   https://www.suse.com/security/cve/CVE-2015-4495.html
   https://bugzilla.suse.com/940806
   https://bugzilla.suse.com/940918

Published: August 14, 2015