SUSE-SU-2018:4235-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:4235-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2018:4235-1
- Related
- Published
- 2018-12-21T17:47:33Z
- Modified
- 2018-12-21T17:47:33Z
- Summary
- Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
- Details
-
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
- References
-
- https://www.suse.com/support/update/announcement/2018/suse-su-20184235-1/
- https://bugzilla.suse.com/1097410
- https://bugzilla.suse.com/1106873
- https://bugzilla.suse.com/1119069
- https://bugzilla.suse.com/1119105
- https://www.suse.com/security/cve/CVE-2018-0495
- https://www.suse.com/security/cve/CVE-2018-12384
- https://www.suse.com/security/cve/CVE-2018-12404
- https://www.suse.com/security/cve/CVE-2018-12405
- https://www.suse.com/security/cve/CVE-2018-17466
- https://www.suse.com/security/cve/CVE-2018-18492
- https://www.suse.com/security/cve/CVE-2018-18493
- https://www.suse.com/security/cve/CVE-2018-18494
- https://www.suse.com/security/cve/CVE-2018-18498
Affected packages
SUSE:Linux Enterprise Module for Basesystem 15 / mozilla-nspr
Package
- Name
- mozilla-nspr
- Purl
- purl:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.20-3.3.2
Ecosystem specific
{
"binaries": [
{
"mozilla-nss-sysinit": "3.40.1-3.7.2",
"mozilla-nss-32bit": "3.40.1-3.7.2",
"mozilla-nss-certs": "3.40.1-3.7.2",
"mozilla-nss-devel": "3.40.1-3.7.2",
"libfreebl3-32bit": "3.40.1-3.7.2",
"mozilla-nspr-devel": "4.20-3.3.2",
"libfreebl3": "3.40.1-3.7.2",
"mozilla-nspr": "4.20-3.3.2",
"mozilla-nss-certs-32bit": "3.40.1-3.7.2",
"mozilla-nss-tools": "3.40.1-3.7.2",
"libsoftokn3": "3.40.1-3.7.2",
"mozilla-nspr-32bit": "4.20-3.3.2",
"libsoftokn3-32bit": "3.40.1-3.7.2",
"mozilla-nss": "3.40.1-3.7.2"
}
]
}
SUSE:Linux Enterprise Module for Basesystem 15 / mozilla-nss
Package
- Name
- mozilla-nss
- Purl
- purl:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.40.1-3.7.2
Ecosystem specific
{
"binaries": [
{
"mozilla-nss-sysinit": "3.40.1-3.7.2",
"mozilla-nss-32bit": "3.40.1-3.7.2",
"mozilla-nss-certs": "3.40.1-3.7.2",
"mozilla-nss-devel": "3.40.1-3.7.2",
"libfreebl3-32bit": "3.40.1-3.7.2",
"mozilla-nspr-devel": "4.20-3.3.2",
"libfreebl3": "3.40.1-3.7.2",
"mozilla-nspr": "4.20-3.3.2",
"mozilla-nss-certs-32bit": "3.40.1-3.7.2",
"mozilla-nss-tools": "3.40.1-3.7.2",
"libsoftokn3": "3.40.1-3.7.2",
"mozilla-nspr-32bit": "4.20-3.3.2",
"libsoftokn3-32bit": "3.40.1-3.7.2",
"mozilla-nss": "3.40.1-3.7.2"
}
]
}