Security update for MozillaFirefox, MozillaThunderbird, mozilla-nspr SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0677-1 Final 1 1 2015-04-07T19:58:43Z current 2015-04-07T19:58:43Z 2015-04-07T19:58:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox, MozillaThunderbird, mozilla-nspr Mozilla Firefox and Thunderbird were updated to fix several important vulnerabilities. Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to 31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency. The following vulnerabilities were fixed in Mozilla Firefox: * Miscellaneous memory safety hazards (MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392) * Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596 boo#925393) * Add-on lightweight theme installation approval bypassed through MITM attack (MFSA 2015-32/CVE-2015-0812 bmo#1128126 boo#925394) * resource:// documents can load privileged pages (MFSA 2015-33/CVE-2015-0816 bmo#1144991 boo#925395) * Out of bounds read in QCMS library (MFSA-2015-34/CVE-2015-0811 bmo#1132468 boo#925396) * Incorrect memory management for simple-type arrays in WebRTC (MFSA-2015-36/CVE-2015-0808 bmo#1109552 boo#925397) * CORS requests should not follow 30x redirections after preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398) * Memory corruption crashes in Off Main Thread Compositing (MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511 bmo#1099437 boo#925399) * Use-after-free due to type confusion flaws (MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (mo#1134560 boo#925400) * Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401) * Windows can retain access to privileged content on navigation to unprivileged pages (MFSA-2015-42/CVE-2015-0802 bmo#1124898 boo#925402) The following vulnerability was fixed in functionality that was not released as an update to openSUSE: * Certificate verification could be bypassed through the HTTP/2 Alt-Svc header (MFSA 2015-44/CVE-2015-0799 bmo#1148328 bnc#926166) The functionality added in 37.0 and thus removed in 37.0.1 was: * Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc The following functionality was added or updated in Mozilla Firefox: * Heartbeat user rating system * Yandex set as default search provider for the Turkish locale * Bing search now uses HTTPS for secure searching * Improved protection against site impersonation via OneCRL centralized certificate revocation * some more behaviour changes for TLS The following vulnerabilities were fixed in Mozilla Thunderbird: * Miscellaneous memory safety hazards (MFSA 2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392) * Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596 boo#925393) * resource:// documents can load privileged pages (MFSA 2015-33/CVE-2015-0816 bmo#1144991 boo#925395) * CORS requests should not follow 30x redirections after preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398) * Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401) mozilla-nspr was updated to 4.10.8 as a dependency and received the following changes: * bmo#573192: remove the stack-based PRFileDesc cache. * bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING > 0 instead of only checking if the identifier is defined. * bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE. Use PR_ARRAY_SIZE to get the array size of _PR_RUNQ(t->cpu). * bmo#1106600: Replace PR_ASSERT(!'foo') with PR_NOT_REACHED('foo') to fix clang -Wstring-conversion warnings. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html E-Mail link for openSUSE-SU-2015:0677-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings MozillaFirefox-37.0.1-68.1 MozillaFirefox-branding-upstream-37.0.1-68.1 MozillaFirefox-buildsymbols-37.0.1-68.1 MozillaFirefox-devel-37.0.1-68.1 MozillaFirefox-translations-common-37.0.1-68.1 MozillaFirefox-translations-other-37.0.1-68.1 MozillaThunderbird-31.6.0-70.50.2 MozillaThunderbird-buildsymbols-31.6.0-70.50.2 MozillaThunderbird-devel-31.6.0-70.50.2 MozillaThunderbird-translations-common-31.6.0-70.50.2 MozillaThunderbird-translations-other-31.6.0-70.50.2 mozilla-nspr-4.10.8-22.1 mozilla-nspr-32bit-4.10.8-22.1 mozilla-nspr-devel-4.10.8-22.1 The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header. CVE-2015-0799 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0799.html CVE-2015-0799 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/926166 SUSE Bug 926166 Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818. CVE-2015-0801 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0801.html CVE-2015-0801 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925401 SUSE Bug 925401 Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods. CVE-2015-0802 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0802.html CVE-2015-0802 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925402 SUSE Bug 925402 The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before 37.0 does not properly constrain the original data type of a casted value during the setting of a SOURCE element's attributes, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted HTML document. CVE-2015-0803 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0803.html CVE-2015-0803 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925400 SUSE Bug 925400 The HTMLSourceElement::BindToTree function in Mozilla Firefox before 37.0 does not properly constrain a data type after omitting namespace validation during certain tree-binding operations, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted HTML document containing a SOURCE element. CVE-2015-0804 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0804.html CVE-2015-0804 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925400 SUSE Bug 925400 The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox before 37.0 makes an incorrect memset call during interaction with the mozilla::layers::BufferTextureClient::AllocateForSurface function, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors that trigger rendering of 2D graphics content. CVE-2015-0805 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0805.html CVE-2015-0805 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925399 SUSE Bug 925399 The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox before 37.0 attempts to use memset for a memory region of negative length during interaction with the mozilla::layers::BufferTextureClient::AllocateForSurface function, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors that trigger rendering of 2D graphics content. CVE-2015-0806 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0806.html CVE-2015-0806 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925399 SUSE Bug 925399 The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638. CVE-2015-0807 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0807.html CVE-2015-0807 https://bugzilla.suse.com/913068 SUSE Bug 913068 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925398 SUSE Bug 925398 The webrtc::VPMContentAnalysis::Release function in the WebRTC implementation in Mozilla Firefox before 37.0 uses incompatible approaches to the deallocation of memory for simple-type arrays, which might allow remote attackers to cause a denial of service (memory corruption) via unspecified vectors. CVE-2015-0808 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0808.html CVE-2015-0808 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925397 SUSE Bug 925397 The QCMS implementation in Mozilla Firefox before 37.0 allows remote attackers to obtain sensitive information from process heap memory or cause a denial of service (out-of-bounds read) via an image that is improperly handled during transformation. CVE-2015-0811 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0811.html CVE-2015-0811 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925396 SUSE Bug 925396 Mozilla Firefox before 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows man-in-the-middle attackers to bypass an intended user-confirmation requirement by deploying a crafted web site and conducting a DNS spoofing attack against a mozilla.org subdomain. CVE-2015-0812 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0812.html CVE-2015-0812 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925394 SUSE Bug 925394 Use-after-free vulnerability in the AppendElements function in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 on Linux, when the Fluendo MP3 plugin for GStreamer is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted MP3 file. CVE-2015-0813 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0813.html CVE-2015-0813 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925393 SUSE Bug 925393 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-0814 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0814.html CVE-2015-0814 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925392 SUSE Bug 925392 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2015-0815 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0815.html CVE-2015-0815 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925392 SUSE Bug 925392 Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. CVE-2015-0816 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html https://www.suse.com/security/cve/CVE-2015-0816.html CVE-2015-0816 https://bugzilla.suse.com/925368 SUSE Bug 925368 https://bugzilla.suse.com/925395 SUSE Bug 925395