Bug 930622 - VUL-0: MozillaFirefox 38 / 31.7 security release
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Petr Cerny
Reported: 2015-05-12 20:16 UTC by Andreas Stieger
Modified: 2020-04-05 18:19 UTC
Found By: Security Response Team
Description Andreas Stieger 2015-05-12 20:16:09 UTC
From https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

SLE (ESR) and openSUSE releases:

* CVE-2015-2708: Miscellaneous memory safety hazards (mfsa2015-46)
* CVE-2015-0797: heap-buffer-overflow when playing a m4v video (mfsa2015-47)
* CVE-2015-2710: Heap-buffer-overflow in SVGTextFrame (mfsa2015-48)
* CVE-2015-2713: heap-use-after-free in SetBreaks (mfsa2015-51)
* CVE-2015-2716: Buffer overflow xml parser (mfsa2015-54)

Additionally for MozillaFirefox 38 on openSUSE:

* CVE-2015-2709: Memory safety bugs fixed in Firefox 38. (mfsa2015-46)
* CVE-2015-2711: <meta name="referrer"> is ignored for navigations from the context menu and via a middle-click (mfsa2015-49)
* CVE-2015-2712: Incorrect asm.js bounds check elimination vulnerability (mfsa2015-50)
* CVE-2015-2715: heap-use-after-free in nsThreadManager::RegisterCurrentThread during shutdown (mfsa2015-53)
* CVE-2015-2717: Integer overflow in libstagefright might lead to heap overflow (mfsa2015-55)
* CVE-2015-2718: Untrusted page can see webchannel responses (mfsa2015-56)

Issues affecting MozillaThunderbird on openSUSE:

* CVE-2015-2708: Miscellaneous memory safety hazards (mfsa2015-46)
* CVE-2015-0797: heap-buffer-overflow when playing a m4v video (mfsa2015-47)
* CVE-2015-2710: Heap-buffer-overflow in SVGTextFrame (mfsa2015-48)
* CVE-2015-2713: heap-use-after-free in SetBreaks (mfsa2015-51)
* CVE-2015-2716: Buffer overflow xml parser (mfsa2015-54)

Not affecting GNU/Linux:

* CVE-2015-2714: Mixed content violation log on Fennec leaks sensitive info in URL (mfsa2015-52)
* CVE-2011-3079: IPC Channel does not validate the listener (mfsa2015-57)
* CVE-2015-2720: Run updater.exe from the application directory when not using the service for an update (mfsa2015-58)

References:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-47/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-49/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-52/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-53/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-55/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-56/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-58/
Comment 1 Swamp Workflow Management 2015-05-12 22:00:36 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2015-05-15 08:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/307237 13.1 / MozillaThunderbird
https://build.opensuse.org/request/show/307238 13.2 / MozillaThunderbird
https://build.opensuse.org/request/show/307239 Factory / MozillaThunderbird
Comment 4 Bernhard Wiedemann 2015-05-15 10:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/307241 Factory / xulrunner
Comment 5 Bernhard Wiedemann 2015-05-15 11:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/307281 13.1 / MozillaFirefox
https://build.opensuse.org/request/show/307284 13.2 / MozillaFirefox
Comment 6 Bernhard Wiedemann 2015-05-15 12:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/307294 Factory / MozillaFirefox
Comment 8 Bernhard Wiedemann 2015-05-15 21:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/307399 Evergreen:11.4 / MozillaFirefox
Comment 9 Swamp Workflow Management 2015-05-18 11:05:14 UTC
openSUSE-SU-2015:0892-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 925368,930622
CVE References: CVE-2011-3079,CVE-2015-0801,CVE-2015-0807,CVE-2015-0813,CVE-2015-0815,CVE-2015-0816,CVE-2015-2708,CVE-2015-2710,CVE-2015-2713,CVE-2015-2716
Sources used:
openSUSE Evergreen 11.4 (src):    MozillaFirefox-31.7.0-140.1
Comment 10 Swamp Workflow Management 2015-05-18 12:08:38 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61737
Comment 11 Swamp Workflow Management 2015-05-18 12:18:12 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61738
Comment 16 Swamp Workflow Management 2015-05-24 15:06:01 UTC
openSUSE-SU-2015:0934-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930622
CVE References: CVE-2011-3079,CVE-2015-2708,CVE-2015-2709,CVE-2015-2710,CVE-2015-2711,CVE-2015-2712,CVE-2015-2713,CVE-2015-2715,CVE-2015-2716,CVE-2015-2717,CVE-2015-2718
Sources used:
openSUSE 13.2 (src):    MozillaFirefox-38.0.1-30.1, mozilla-nss-3.18.1-12.1
openSUSE 13.1 (src):    MozillaFirefox-38.0.1-74.1, mozilla-nss-3.18.1-55.1
Comment 17 Swamp Workflow Management 2015-05-24 15:06:18 UTC
openSUSE-SU-2015:0935-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 930622
CVE References: CVE-2011-3079,CVE-2015-0797,CVE-2015-2708,CVE-2015-2710,CVE-2015-2713,CVE-2015-2716
Sources used:
openSUSE 13.2 (src):    MozillaThunderbird-31.7.0-18.1
openSUSE 13.1 (src):    MozillaThunderbird-31.7.0-70.53.1
Comment 18 Swamp Workflow Management 2015-05-28 10:05:12 UTC
SUSE-SU-2015:0960-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 930622
CVE References: CVE-2015-0797,CVE-2015-2708,CVE-2015-2709,CVE-2015-2710,CVE-2015-2713,CVE-2015-2716
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-31.7.0esr-34.1
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-31.7.0esr-34.1
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-31.7.0esr-34.1
Comment 19 Swamp Workflow Management 2015-06-01 13:06:00 UTC
SUSE-SU-2015:0978-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 930622
CVE References: CVE-2015-0797,CVE-2015-2708,CVE-2015-2709,CVE-2015-2710,CVE-2015-2713,CVE-2015-2716
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    MozillaFirefox-31.7.0esr-0.8.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    MozillaFirefox-31.7.0esr-0.8.1
SUSE Linux Enterprise Server 11 SP3 (src):    MozillaFirefox-31.7.0esr-0.8.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    MozillaFirefox-31.7.0esr-0.8.1
Comment 20 Marcus Meissner 2015-06-18 07:15:55 UTC
released
Comment 21 Bernhard Wiedemann 2015-07-17 07:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (930622) was mentioned in
https://build.opensuse.org/request/show/317220 Evergreen:11.4 / MozillaFirefox.openSUSE_Evergreen_11.4
Comment 22 Swamp Workflow Management 2015-07-18 17:09:33 UTC
openSUSE-SU-2015:1266-1: An update that fixes 52 vulnerabilities is now available.

Category: security (important)
Bug References: 894370,900639,900941,908009,910669,917597,925368,930622,935979
CVE References: CVE-2011-3079,CVE-2014-1553,CVE-2014-1562,CVE-2014-1563,CVE-2014-1564,CVE-2014-1565,CVE-2014-1567,CVE-2014-1574,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1585,CVE-2014-1586,CVE-2014-1587,CVE-2014-1590,CVE-2014-1592,CVE-2014-1593,CVE-2014-1594,CVE-2014-8634,CVE-2014-8635,CVE-2014-8638,CVE-2014-8639,CVE-2015-0801,CVE-2015-0807,CVE-2015-0813,CVE-2015-0815,CVE-2015-0816,CVE-2015-0822,CVE-2015-0827,CVE-2015-0831,CVE-2015-0833,CVE-2015-0836,CVE-2015-2708,CVE-2015-2710,CVE-2015-2713,CVE-2015-2716,CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Sources used:
openSUSE Evergreen 11.4 (src):    MozillaFirefox-31.8.0-143.1, MozillaThunderbird-31.8.0-110.1, mozilla-nspr-4.10.8-52.1, mozilla-nss-3.19.2-107.1