SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:14260-1
Rating:             important
References:         #1158328 #1158527 
Cross-References:   CVE-2019-11745 CVE-2019-13722 CVE-2019-17005
                    CVE-2019-17008 CVE-2019-17009 CVE-2019-17010
                    CVE-2019-17011 CVE-2019-17012
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the
   following issues:

   Update Firefox Extended Support Release to 68.3.0 ESR (MFSA 2019-37 /
   bsc#1158328)

   Security issues fixed:

   - CVE-2019-17008: Use-after-free in worker destruction (bmo#1546331).
   - CVE-2019-13722: Stack corruption due to incorrect number of arguments in
     WebRTC code (bmo#1580156).
   - CVE-2019-11745: Out of bounds write in NSS when encrypting with a block
     cipher (bmo#1586176).
   - CVE-2019-17009: Updater temporary files accessible to unprivileged
     processes (bmo#1510494).
   - CVE-2019-17010: Use-after-free when performing device orientation checks
     (bmo#1581084).
   - CVE-2019-17005: Buffer overflow in plain text serializer (bmo#1584170).
   - CVE-2019-17011: Use-after-free when retrieving a document in
     antitracking (bmo#1591334).
   - CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR
     68.3 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288,
     bmo#1585760, bmo#1592502).

   Update mozilla-nss to version 3.47.1 (bsc#1158527):

   Security issues fixed:

   - CVE-2019-11745: EncryptUpdate should use maxout, not block size.

   Bug fixes:

   - Fix a crash that could be caused by client certificates during startup
     (bmo#1590495, bsc#1158527)
   - Fix compile-time warnings from uninitialized variables in a perl script
     (bmo#1589810)
   - Support AES HW acceleration on ARMv8 (bmo#1152625)
   - Allow per-socket run-time ordering of the cipher suites presented in
     ClientHello (bmo#1267894)
   - Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
   - Remove arbitrary HKDF output limit by allocating space as needed
     (bmo#1577953)

   Update mozilla-nspr to version 4.23:

   Bug fixes:

   - fixed a build failure that was introduced in 4.22
   - correctness fix for Win64 socket polling
   - whitespace in C files was cleaned up and no longer uses tab characters     for indenting
   - added support for the ARC architecture
   - removed support for the following platforms: OSF1/Tru64, DGUX, IRIX,
     Symbian, BeOS
   - correctness and build fixes


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-MozillaFirefox-14260=1



Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):

      MozillaFirefox-68.3.0-78.54.1
      MozillaFirefox-translations-common-68.3.0-78.54.1
      MozillaFirefox-translations-other-68.3.0-78.54.1
      libfreebl3-3.47.1-38.12.1
      libfreebl3-32bit-3.47.1-38.12.1
      libsoftokn3-3.47.1-38.12.1
      libsoftokn3-32bit-3.47.1-38.12.1
      mozilla-nspr-32bit-4.23-29.9.1
      mozilla-nspr-4.23-29.9.1
      mozilla-nspr-devel-4.23-29.9.1
      mozilla-nss-3.47.1-38.12.1
      mozilla-nss-32bit-3.47.1-38.12.1
      mozilla-nss-certs-3.47.1-38.12.1
      mozilla-nss-certs-32bit-3.47.1-38.12.1
      mozilla-nss-devel-3.47.1-38.12.1
      mozilla-nss-tools-3.47.1-38.12.1


References:

   https://www.suse.com/security/cve/CVE-2019-11745.html
   https://www.suse.com/security/cve/CVE-2019-13722.html
   https://www.suse.com/security/cve/CVE-2019-17005.html
   https://www.suse.com/security/cve/CVE-2019-17008.html
   https://www.suse.com/security/cve/CVE-2019-17009.html
   https://www.suse.com/security/cve/CVE-2019-17010.html
   https://www.suse.com/security/cve/CVE-2019-17011.html
   https://www.suse.com/security/cve/CVE-2019-17012.html
   https://bugzilla.suse.com/1158328
   https://bugzilla.suse.com/1158527

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2019:14260-1 important: MozillaFirefox, mozilla-nspr, mozilla-nss

December 20, 2019
An update that fixes 8 vulnerabilities is now available

Summary

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues: Update Firefox Extended Support Release to 68.3.0 ESR (MFSA 2019-37 / bsc#1158328) Security issues fixed: - CVE-2019-17008: Use-after-free in worker destruction (bmo#1546331). - CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code (bmo#1580156). - CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher (bmo#1586176). - CVE-2019-17009: Updater temporary files accessible to unprivileged processes (bmo#1510494). - CVE-2019-17010: Use-after-free when performing device orientation checks (bmo#1581084). - CVE-2019-17005: Buffer overflow in plain text serializer (bmo#1584170). - CVE-2019-17011: Use-after-free when retrieving a document in antitracking (bmo#1591334). - CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (bmo#1449736, bmo#1533957, bmo#15606...

Read the Full Advisory

References

#1158328 #1158527

Cross- CVE-2019-11745 CVE-2019-13722 CVE-2019-17005

CVE-2019-17008 CVE-2019-17009 CVE-2019-17010

CVE-2019-17011 CVE-2019-17012

Affected Products:

SUSE Linux Enterprise Server 11-SP4-LTSS

https://www.suse.com/security/cve/CVE-2019-11745.html

https://www.suse.com/security/cve/CVE-2019-13722.html

https://www.suse.com/security/cve/CVE-2019-17005.html

https://www.suse.com/security/cve/CVE-2019-17008.html

https://www.suse.com/security/cve/CVE-2019-17009.html

https://www.suse.com/security/cve/CVE-2019-17010.html

https://www.suse.com/security/cve/CVE-2019-17011.html

https://www.suse.com/security/cve/CVE-2019-17012.html

https://bugzilla.suse.com/1158328

https://bugzilla.suse.com/1158527

Severity
Announcement ID: SUSE-SU-2019:14260-1
Rating: important

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved