Security update for MozillaFirefox, MozillaThunderbird, mozilla-nspr (important)

Mozilla Firefox and Thunderbird were updated to fix several important
vulnerabilities.

Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to
31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency.

The following vulnerabilities were fixed in Mozilla Firefox:

• Miscellaneous memory safety hazards (MFSA
  2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
• Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA
  2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
• Add-on lightweight theme installation approval bypassed through MITM
  attack (MFSA 2015-32/CVE-2015-0812 bmo#1128126 boo#925394)
• resource:// documents can load privileged pages (MFSA
  2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
• Out of bounds read in QCMS library (MFSA-2015-34/CVE-2015-0811
  bmo#1132468 boo#925396)
• Incorrect memory management for simple-type arrays in WebRTC
  (MFSA-2015-36/CVE-2015-0808 bmo#1109552 boo#925397)
• CORS requests should not follow 30x redirections after preflight
  (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
• Memory corruption crashes in Off Main Thread Compositing
  (MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511 bmo#1099437
  boo#925399)
• Use-after-free due to type confusion flaws
  (MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (mo#1134560 boo#925400)
• Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801
  bmo#1146339 boo#925401)
• Windows can retain access to privileged content on navigation to
  unprivileged pages (MFSA-2015-42/CVE-2015-0802 bmo#1124898 boo#925402)

The following vulnerability was fixed in functionality that was not
released as an update to openSUSE:

• Certificate verification could be bypassed through the HTTP/2 Alt-Svc
  header (MFSA 2015-44/CVE-2015-0799 bmo#1148328 bnc#926166)

The functionality added in 37.0 and thus removed in 37.0.1 was:

• Opportunistically encrypt HTTP traffic where the server supports HTTP/2
  AltSvc

The following functionality was added or updated in Mozilla Firefox:

 * Heartbeat user rating system
 * Yandex set as default search provider for the Turkish locale
 * Bing search now uses HTTPS for secure searching
 * Improved protection against site impersonation via OneCRL centralized
   certificate revocation
 * some more behaviour changes for TLS

The following vulnerabilities were fixed in Mozilla Thunderbird:

• Miscellaneous memory safety hazards (MFSA
  2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)
• Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA
  2015-31/CVE-2015-0813 bmo#1106596 boo#925393)
• resource:// documents can load privileged pages (MFSA
  2015-33/CVE-2015-0816 bmo#1144991 boo#925395)
• CORS requests should not follow 30x redirections after preflight
  (MFSA-2015-37/CVE-2015-0807 bmo#1111834 boo#925398)
• Same-origin bypass through anchor navigation (MFSA-2015-40/CVE-2015-0801
  bmo#1146339 boo#925401)

mozilla-nspr was updated to 4.10.8 as a dependency and received the
following changes:
* bmo#573192: remove the stack-based PRFileDesc cache.
* bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING > 0 instead of
only checking if the identifier is defined.
* bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE. Use
PR_ARRAY_SIZE to get the array size of _PR_RUNQ(t->cpu).
* bmo#1106600: Replace PR_ASSERT(!"foo") with PR_NOT_REACHED("foo") to
fix clang -Wstring-conversion warnings.