Описание
Security update for MozillaFirefox, MozillaFirefox-branding-SLED, MozillaFirefox-branding-SLES-for-VMware, mozilla-nss
This update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss fixes the following issues:
Firefox 38.6.1 ESR (bsc#967087)
The following vulnerabilities were fixed:
- CVE-2016-1523: Fixed denial of service in Graphite 2 library (MFSA 2016-14/bmo#1246093)
Firefox 38.6.0 ESR + Mozilla NSS 3.20.2. (bsc#963520)
The following vulnerabilities were fixed:
- CVE-2016-1930: Memory safety bugs fixed in Firefox ESR 38.6 (bsc#963632)
- CVE-2016-1935: Buffer overflow in WebGL after out of memory allocation (bsc#963635)
- CVE-2016-1938: Calculations with mp_div and mp_exptmod in Network Security Services (NSS) canproduce wrong results (bsc#963731)
- CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (bsc#959888)
The following improvements were added:
- bsc#954447: Mozilla NSS now supports a number of new DHE ciphersuites
- Tracking protection is now enabled by default
Список пакетов
SUSE Linux Enterprise Server 11 SP2-LTSS
Ссылки
- Link for SUSE-SU-2016:0584-1
- E-Mail link for SUSE-SU-2016:0584-1
- SUSE Security Ratings
- SUSE Bug 954447
- SUSE Bug 959888
- SUSE Bug 963520
- SUSE Bug 963632
- SUSE Bug 963635
- SUSE Bug 963731
- SUSE Bug 967087
- SUSE CVE CVE-2015-7575 page
- SUSE CVE CVE-2016-1523 page
- SUSE CVE CVE-2016-1930 page
- SUSE CVE CVE-2016-1935 page
- SUSE CVE CVE-2016-1938 page
Описание
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
Затронутые продукты
Ссылки
- CVE-2015-7575
- SUSE Bug 959888
- SUSE Bug 960402
- SUSE Bug 960996
- SUSE Bug 961280
- SUSE Bug 961281
- SUSE Bug 961282
- SUSE Bug 961283
- SUSE Bug 961284
- SUSE Bug 961290
- SUSE Bug 961357
- SUSE Bug 962743
- SUSE Bug 963937
- SUSE Bug 967521
- SUSE Bug 981087
Описание
The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font.
Затронутые продукты
Ссылки
- CVE-2016-1523
- SUSE Bug 965803
- SUSE Bug 965806
- SUSE Bug 965807
- SUSE Bug 965810
- SUSE Bug 967087
Описание
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Затронутые продукты
Ссылки
- CVE-2016-1930
- SUSE Bug 963520
- SUSE Bug 963632
Описание
Buffer overflow in the BufferSubData function in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allows remote attackers to execute arbitrary code via crafted WebGL content.
Затронутые продукты
Ссылки
- CVE-2016-1935
- SUSE Bug 963520
- SUSE Bug 963635
Описание
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.
Затронутые продукты
Ссылки
- CVE-2016-1938
- SUSE Bug 963731