OPENSUSE-SU-2016:1557-1
Jun 11, 2016 - 10:07 p.m.

Security update for MozillaFirefox, mozilla-nss (important)

2016-06-11 22:07:57
lists.opensuse.org

EPSS: 0.597 Medium, Percentile: 97.4%

This update to Mozilla Firefox 47 fixes the following issues (boo#983549):

  Security fixes:

  - CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety hazards
    (boo#983638 MFSA 2016-49)
  - CVE-2016-2819: Buffer overflow parsing HTML5 fragments (boo#983655
    MFSA 2016-50)
  - CVE-2016-2821: Use-after-free deleting tables from a contenteditable
    document (boo#983653 MFSA 2016-51)
  - CVE-2016-2822: Addressbar spoofing through the SELECT element
    (boo#983652 MFSA 2016-52)
  - CVE-2016-2824: Out-of-bounds write with WebGL shader (boo#983651 MFSA
    2016-53)
  - CVE-2016-2825: Partial same-origin-policy through setting
    location.host through data URI (boo#983649 MFSA 2016-54)
  - CVE-2016-2828: Use-after-free when textures are used in WebGL
    operations after recycle pool destruction (boo#983646 MFSA 2016-56)
  - CVE-2016-2829: Incorrect icon displayed on permissions notifications
    (boo#983644 MFSA 2016-57)
  - CVE-2016-2831: Entering fullscreen and persistent pointerlock without
    user permission (boo#983643 MFSA 2016-58)
  - CVE-2016-2832: Information disclosure of disabled plugins through CSS
    pseudo-classes (boo#983632 MFSA 2016-59)
  - CVE-2016-2833: Java applets bypass CSP protections (boo#983640 MFSA
    2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities:

  - CVE-2016-2834: Memory safety bugs (boo#983639 MFSA-2016-61)

  The following non-security changes are included:

  - Enable VP9 video codec for users with fast machines
  - Embedded YouTube videos now play with HTML5 video if Flash is not
    installed
  - View and search open tabs from your smartphone or another computer in
    a sidebar
  - Allow no-cache on back/forward navigations for https resources

  The following packaging changes are included:

  - boo#981695: cleanup configure options, notably removing GStreamer
    support which is gone from FF
  - boo#980384: enable build with PIE and full relro on x86_64

  The following new functionality is provided:

  - ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  - The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with servers