Security update for MozillaFirefox, mozilla-nss (important)

This update for MozillaFirefox and mozilla-nss fixes the following issues:

MozillaFirefox was updated to version 49.0 (boo#999701)

• New features

  • Updated Firefox Login Manager to allow HTTPS pages to use saved HTTP
    logins.
  • Added features to Reader Mode that make it easier on the eyes and the
    ears
  • Improved video performance for users on systems that support SSE3
    without hardware acceleration
  • Added context menu controls to HTML5 audio and video that let users
    loops files or play files at 1.25x speed
  • Improvements in about:memory reports for tracking font memory usage

• Security related fixes

  • MFSA 2016-85 CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
    mozilla::net::IsValidReferrerPolicy CVE-2016-5270 (bmo#1291016) -
    Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
    PropertyProvider::GetSpacingInternal CVE-2016-5272 (bmo#1297934) - Bad
    cast in nsImageGeometryMixin CVE-2016-5273 (bmo#1280387) - crash in
    mozilla::a11y::HyperTextAccessible::GetChildOffset CVE-2016-5276
    (bmo#1287721) - Heap-use-after-free in
    mozilla::a11y::DocAccessible::ProcessInvalidationList CVE-2016-5274
    (bmo#1282076) - use-after-free in nsFrameManager::CaptureFrameState
    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in
    nsRefreshDriver::Tick CVE-2016-5275 (bmo#1287316) -
    global-buffer-overflow in
    mozilla::gfx::FilterSupport::ComputeSourceNeededRegions CVE-2016-5278
    (bmo#1294677) - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
    CVE-2016-5279 (bmo#1249522) - Full local path of files is available to
    web pages after drag and drop CVE-2016-5280 (bmo#1289970) -
    Use-after-free in
    mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
    CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
    CVE-2016-5282 (bmo#932335) - Don’t allow content to request favicons
    from non-whitelisted schemes CVE-2016-5283 (bmo#928187) - <iframe src>
    fragment timing attack can reveal cross-origin data CVE-2016-5284
    (bmo#1303127) - Add-on update site certificate pin expiration
    CVE-2016-5256 - Memory safety bugs fixed in Firefox 49 CVE-2016-5257 -
    Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4

• requires NSS 3.25

• Mozilla Firefox 48.0.2:

  • Mitigate a startup crash issue caused on Windows (bmo#1291738)

mozilla-nss was updated to NSS 3.25. New functionality:
* Implemented DHE key agreement for TLS 1.3
* Added support for ChaCha with TLS 1.3
* Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
* In previous versions, when using client authentication with TLS 1.2,
NSS only supported certificate_verify messages that used the same
signature hash algorithm as used by the PRF. This limitation has been
removed.
* Several functions have been added to the public API of the NSS
Cryptoki Framework. New functions:
* NSSCKFWSlot_GetSlotID
* NSSCKFWSession_GetFWSlot
* NSSCKFWInstance_DestroySessionHandle
* NSSCKFWInstance_FindSessionHandle Notable changes:
* An SSL socket can no longer be configured to allow both TLS 1.3 and
SSLv3
* Regression fix: NSS no longer reports a failure if an application
attempts to disable the SSLv2 protocol.
* The list of trusted CA certificates has been updated to version 2.8
* The following CA certificate was Removed Sonera Class1 CA
* The following CA certificates were Added Hellenic Academic and
Research Institutions RootCA 2015 Hellenic Academic and Research
Institutions ECC RootCA 2015 Certplus Root CA G1 Certplus Root CA G2
OpenTrust Root CA G1 OpenTrust Root CA G2 OpenTrust Root CA G3