openSUSE Security Update: Security update for Mozilla based packages
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1620-1
Rating:             important
References:         #1040105 #1043960 
Cross-References:   CVE-2017-5470 CVE-2017-5472 CVE-2017-7749
                    CVE-2017-7750 CVE-2017-7751 CVE-2017-7752
                    CVE-2017-7754 CVE-2017-7755 CVE-2017-7756
                    CVE-2017-7757 CVE-2017-7758 CVE-2017-7760
                    CVE-2017-7761 CVE-2017-7764 CVE-2017-7765
                    CVE-2017-7766 CVE-2017-7767 CVE-2017-7768
                    CVE-2017-7771 CVE-2017-7772 CVE-2017-7773
                    CVE-2017-7774 CVE-2017-7775 CVE-2017-7776
                    CVE-2017-7777 CVE-2017-7778
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that fixes 26 vulnerabilities is now available.

Description:

   This update for Mozilla Firefox, Thunderbird, and NSS fixes the following
   issues:

   Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16:

   * CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when
     regenerating trees
   * CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading
   * CVE-2017-7750 (bmo#1356558) Use-after-free with track elements
   * CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners
   * CVE-2017-7752 (bmo#1359547) Use-after-free with IME input
   * CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo
     object
   * CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox
     Installer with same directory DLL files (Windows only)
   * CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging
     XHR header errors
   * CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB
   * CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774,
     CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778
     Vulnerabilities in the Graphite 2 library
   * CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder
   * CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation
     via callback parameter in Mozilla Windows Updater and Maintenance
     Service (Windows only)
   * CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation
     through Mozilla Maintenance Service helper.exe application (Windows only)
   * CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian
     Syllabics and other unicode blocks
   * CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving
     executable files (Windows only)
   * CVE-2017-7766 (bmo#1342742) File execution and privilege escalation
     through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance
     Service (Windows only)
   * CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file
     overwrites through Mozilla Windows Updater and Mozilla Maintenance
     Service (Windows only)
   * CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla
     Maintenance Service (Windows only)
   * CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

   - remove -fno-inline-small-functions and explicitly optimize with
     -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

   Mozilla NSS was updated to NSS 3.28.5
   * Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok
     Sertifikasi - Surum 1. (bmo#1350859)
   * March 2017 batch of root CA changes (bmo#1350859) (version 2.14)
     CA certificates removed:
       - O = Japanese Government, OU = ApplicationCA
       - CN = WellsSecure Public Root Certificate Authority
       - CN = TURKTRUST Elektronik Sertifika Hizmet H6
       - CN = Microsec e-Szigno Root
     CA certificates added:
       - CN = D-TRUST Root CA 3 2013
       - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

   java-1_8_0-openjdk was rebuilt against NSS 3.28.5 to satisfy a runtime
   dependency.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-712=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      MozillaFirefox-52.2-57.12.2
      MozillaFirefox-branding-upstream-52.2-57.12.2
      MozillaFirefox-buildsymbols-52.2-57.12.2
      MozillaFirefox-debuginfo-52.2-57.12.2
      MozillaFirefox-debugsource-52.2-57.12.2
      MozillaFirefox-devel-52.2-57.12.2
      MozillaFirefox-translations-common-52.2-57.12.2
      MozillaFirefox-translations-other-52.2-57.12.2
      MozillaThunderbird-52.2-41.9.2
      MozillaThunderbird-buildsymbols-52.2-41.9.2
      MozillaThunderbird-debuginfo-52.2-41.9.2
      MozillaThunderbird-debugsource-52.2-41.9.2
      MozillaThunderbird-devel-52.2-41.9.2
      MozillaThunderbird-translations-common-52.2-41.9.2
      MozillaThunderbird-translations-other-52.2-41.9.2
      java-1_8_0-openjdk-1.8.0.131-10.10.3
      java-1_8_0-openjdk-accessibility-1.8.0.131-10.10.3
      java-1_8_0-openjdk-debuginfo-1.8.0.131-10.10.3
      java-1_8_0-openjdk-debugsource-1.8.0.131-10.10.3
      java-1_8_0-openjdk-demo-1.8.0.131-10.10.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.131-10.10.3
      java-1_8_0-openjdk-devel-1.8.0.131-10.10.3
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.131-10.10.3
      java-1_8_0-openjdk-headless-1.8.0.131-10.10.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.131-10.10.3
      java-1_8_0-openjdk-src-1.8.0.131-10.10.3
      libfreebl3-3.28.5-40.6.1
      libfreebl3-debuginfo-3.28.5-40.6.1
      libsoftokn3-3.28.5-40.6.1
      libsoftokn3-debuginfo-3.28.5-40.6.1
      mozilla-nss-3.28.5-40.6.1
      mozilla-nss-certs-3.28.5-40.6.1
      mozilla-nss-certs-debuginfo-3.28.5-40.6.1
      mozilla-nss-debuginfo-3.28.5-40.6.1
      mozilla-nss-debugsource-3.28.5-40.6.1
      mozilla-nss-devel-3.28.5-40.6.1
      mozilla-nss-sysinit-3.28.5-40.6.1
      mozilla-nss-sysinit-debuginfo-3.28.5-40.6.1
      mozilla-nss-tools-3.28.5-40.6.1
      mozilla-nss-tools-debuginfo-3.28.5-40.6.1

   - openSUSE Leap 42.2 (noarch):

      java-1_8_0-openjdk-javadoc-1.8.0.131-10.10.3

   - openSUSE Leap 42.2 (x86_64):

      libfreebl3-32bit-3.28.5-40.6.1
      libfreebl3-debuginfo-32bit-3.28.5-40.6.1
      libsoftokn3-32bit-3.28.5-40.6.1
      libsoftokn3-debuginfo-32bit-3.28.5-40.6.1
      mozilla-nss-32bit-3.28.5-40.6.1
      mozilla-nss-certs-32bit-3.28.5-40.6.1
      mozilla-nss-certs-debuginfo-32bit-3.28.5-40.6.1
      mozilla-nss-debuginfo-32bit-3.28.5-40.6.1
      mozilla-nss-sysinit-32bit-3.28.5-40.6.1
      mozilla-nss-sysinit-debuginfo-32bit-3.28.5-40.6.1
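   The package list above is what an administrator compares against after
   applying the patch. The following script is an added example, not part of
   the openSUSE advisory or any SUSE tooling: it re-implements the RPM
   version-comparison rules (numeric and alphabetic segments, the "~"
   pre-release marker; the "^" marker is left out) and checks a saved
   `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'` listing against
   the fixed name-version-release strings from this advisory. The FIXED
   list is a subset copied from the package list; the embedded rpm output is
   constructed sample data for a hypothetical Leap 42.2 host, not real data.

```python
"""Verify installed RPM versions against openSUSE-SU-2017:1620-1 fixed versions.

Usage: python check_update.py [rpm-qa-output.txt]
Without an argument the constructed SAMPLE_RPM_QA below is used.
"""
import sys

# Fixed name-version-release strings copied from the advisory package list
# (a subset; extend with the rest of the list as needed).
FIXED = [
    "MozillaFirefox-52.2-57.12.2",
    "MozillaThunderbird-52.2-41.9.2",
    "mozilla-nss-3.28.5-40.6.1",
    "libfreebl3-3.28.5-40.6.1",
    "libsoftokn3-3.28.5-40.6.1",
    "java-1_8_0-openjdk-1.8.0.131-10.10.3",
]

# Constructed sample of `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output from a hypothetical host. The --queryformat matters: the default
# `rpm -qa` format appends ".<arch>" to the release and would skew comparison.
SAMPLE_RPM_QA = """\
MozillaFirefox-52.1.2-57.9.1
mozilla-nss-3.28.5-40.6.1
libfreebl3-3.28.4-40.3.1
java-1_8_0-openjdk-1.8.0.131-10.10.3
libsoftokn3-3.28.5~rc1-40.6.1
"""


def _run(s, start, pred):
    """Return the maximal run of characters satisfying pred starting at s[start]."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way librpm's rpmvercmp does.

    Returns -1, 0 or 1. Segments are runs of digits or runs of letters;
    separators are skipped; numeric segments compare by value; a numeric
    segment beats an alphabetic one; '~' sorts before everything, including
    the end of the string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            sa, sb = _run(a, i, str.isdigit), _run(b, j, str.isdigit)
            numeric = True
        else:
            sa, sb = _run(a, i, str.isalpha), _run(b, j, str.isalpha)
            numeric = False
        if not sb:
            # Segment types differ at this position: numeric wins.
            return 1 if numeric else -1
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def split_nvr(nvr):
    """Split 'name-version-release' into its parts; the name may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; version decides, release breaks ties."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def check_host(rpm_qa_output, fixed=FIXED):
    """Return {package name: 'ok' | 'VULNERABLE' | 'not installed'}."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if line:
            n, v, r = split_nvr(line)
            installed[n] = (v, r)
    result = {}
    for nvr in fixed:
        n, v, r = split_nvr(nvr)
        if n not in installed:
            result[n] = "not installed"
        elif compare_vr(installed[n], (v, r)) >= 0:
            result[n] = "ok"
        else:
            result[n] = "VULNERABLE"
    return result


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_RPM_QA
    for name, status in sorted(check_host(data).items()):
        print(f"{name:40s} {status}")


if __name__ == "__main__":
    main()
```

   A package that is not installed is reported as such rather than as
   vulnerable, and an installed version newer than the advisory's counts as
   fixed, which is the usual case once later updates have been applied.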


References:

   https://www.suse.com/security/cve/CVE-2017-5470.html
   https://www.suse.com/security/cve/CVE-2017-5472.html
   https://www.suse.com/security/cve/CVE-2017-7749.html
   https://www.suse.com/security/cve/CVE-2017-7750.html
   https://www.suse.com/security/cve/CVE-2017-7751.html
   https://www.suse.com/security/cve/CVE-2017-7752.html
   https://www.suse.com/security/cve/CVE-2017-7754.html
   https://www.suse.com/security/cve/CVE-2017-7755.html
   https://www.suse.com/security/cve/CVE-2017-7756.html
   https://www.suse.com/security/cve/CVE-2017-7757.html
   https://www.suse.com/security/cve/CVE-2017-7758.html
   https://www.suse.com/security/cve/CVE-2017-7760.html
   https://www.suse.com/security/cve/CVE-2017-7761.html
   https://www.suse.com/security/cve/CVE-2017-7764.html
   https://www.suse.com/security/cve/CVE-2017-7765.html
   https://www.suse.com/security/cve/CVE-2017-7766.html
   https://www.suse.com/security/cve/CVE-2017-7767.html
   https://www.suse.com/security/cve/CVE-2017-7768.html
   https://www.suse.com/security/cve/CVE-2017-7771.html
   https://www.suse.com/security/cve/CVE-2017-7772.html
   https://www.suse.com/security/cve/CVE-2017-7773.html
   https://www.suse.com/security/cve/CVE-2017-7774.html
   https://www.suse.com/security/cve/CVE-2017-7775.html
   https://www.suse.com/security/cve/CVE-2017-7776.html
   https://www.suse.com/security/cve/CVE-2017-7777.html
   https://www.suse.com/security/cve/CVE-2017-7778.html
   https://bugzilla.suse.com/1040105
   https://bugzilla.suse.com/1043960

openSUSE: 2017:1620-1: important: Mozilla based packages

June 20, 2017