SUSE-SU-2019:14260-1
- Source
- https://www.suse.com/support/update/announcement/2019/suse-su-201914260-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2019:14260-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2019:14260-1
- Related
- Published
- 2019-12-20T14:34:01Z
- Modified
- 2019-12-20T14:34:01Z
- Summary
- Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
- Details
-
This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues:
Update Firefox Extended Support Release to 68.3.0 ESR (MFSA 2019-37 / bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Use-after-free in worker destruction (bmo#1546331).
- CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code (bmo#1580156).
- CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher (bmo#1586176).
- CVE-2019-17009: Updater temporary files accessible to unprivileged processes (bmo#1510494).
- CVE-2019-17010: Use-after-free when performing device orientation checks (bmo#1581084).
- CVE-2019-17005: Buffer overflow in plain text serializer (bmo#1584170).
- CVE-2019-17011: Use-after-free when retrieving a document in antitracking (bmo#1591334).
- CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502).
Update mozilla-nss to version 3.47.1 (bsc#1158527):
Security issues fixed:
- CVE-2019-11745: EncryptUpdate should use maxout, not block size.
Bug fixes:
- Fix a crash that could be caused by client certificates during startup (bmo#1590495, bsc#1158527)
- Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810)
- Support AES HW acceleration on ARMv8 (bmo#1152625)
- Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894)
- Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
- Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953)
Update mozilla-nspr to version 4.23:
Bug fixes:
- fixed a build failure that was introduced in 4.22
- correctness fix for Win64 socket polling
- whitespace in C files was cleaned up and no longer uses tab characters for indenting
- added support for the ARC architecture
- removed support for the following platforms: OSF1/Tru64, DGUX, IRIX, Symbian, BeOS
- correctness and build fixes
- References
-
- https://www.suse.com/support/update/announcement/2019/suse-su-201914260-1/
- https://bugzilla.suse.com/1158328
- https://bugzilla.suse.com/1158527
- https://www.suse.com/security/cve/CVE-2019-11745
- https://www.suse.com/security/cve/CVE-2019-13722
- https://www.suse.com/security/cve/CVE-2019-17005
- https://www.suse.com/security/cve/CVE-2019-17008
- https://www.suse.com/security/cve/CVE-2019-17009
- https://www.suse.com/security/cve/CVE-2019-17010
- https://www.suse.com/security/cve/CVE-2019-17011
- https://www.suse.com/security/cve/CVE-2019-17012
Affected packages
SUSE:Linux Enterprise Server 11 SP4-LTSS / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed68.3.0-78.54.1
Ecosystem specific
{
"binaries": [
{
"MozillaFirefox": "68.3.0-78.54.1",
"mozilla-nss-32bit": "3.47.1-38.12.1",
"mozilla-nss-certs": "3.47.1-38.12.1",
"MozillaFirefox-translations-common": "68.3.0-78.54.1",
"mozilla-nss-devel": "3.47.1-38.12.1",
"libfreebl3-32bit": "3.47.1-38.12.1",
"mozilla-nspr-devel": "4.23-29.9.1",
"MozillaFirefox-translations-other": "68.3.0-78.54.1",
"libfreebl3": "3.47.1-38.12.1",
"mozilla-nspr": "4.23-29.9.1",
"mozilla-nss-certs-32bit": "3.47.1-38.12.1",
"mozilla-nss-tools": "3.47.1-38.12.1",
"libsoftokn3": "3.47.1-38.12.1",
"mozilla-nspr-32bit": "4.23-29.9.1",
"libsoftokn3-32bit": "3.47.1-38.12.1",
"mozilla-nss": "3.47.1-38.12.1"
}
]
}
SUSE:Linux Enterprise Server 11 SP4-LTSS / mozilla-nspr
Package
- Name
- mozilla-nspr
- Purl
- purl:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.23-29.9.1
Ecosystem specific
{
"binaries": [
{
"MozillaFirefox": "68.3.0-78.54.1",
"mozilla-nss-32bit": "3.47.1-38.12.1",
"mozilla-nss-certs": "3.47.1-38.12.1",
"MozillaFirefox-translations-common": "68.3.0-78.54.1",
"mozilla-nss-devel": "3.47.1-38.12.1",
"libfreebl3-32bit": "3.47.1-38.12.1",
"mozilla-nspr-devel": "4.23-29.9.1",
"MozillaFirefox-translations-other": "68.3.0-78.54.1",
"libfreebl3": "3.47.1-38.12.1",
"mozilla-nspr": "4.23-29.9.1",
"mozilla-nss-certs-32bit": "3.47.1-38.12.1",
"mozilla-nss-tools": "3.47.1-38.12.1",
"libsoftokn3": "3.47.1-38.12.1",
"mozilla-nspr-32bit": "4.23-29.9.1",
"libsoftokn3-32bit": "3.47.1-38.12.1",
"mozilla-nss": "3.47.1-38.12.1"
}
]
}
SUSE:Linux Enterprise Server 11 SP4-LTSS / mozilla-nss
Package
- Name
- mozilla-nss
- Purl
- purl:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.47.1-38.12.1
Ecosystem specific
{
"binaries": [
{
"MozillaFirefox": "68.3.0-78.54.1",
"mozilla-nss-32bit": "3.47.1-38.12.1",
"mozilla-nss-certs": "3.47.1-38.12.1",
"MozillaFirefox-translations-common": "68.3.0-78.54.1",
"mozilla-nss-devel": "3.47.1-38.12.1",
"libfreebl3-32bit": "3.47.1-38.12.1",
"mozilla-nspr-devel": "4.23-29.9.1",
"MozillaFirefox-translations-other": "68.3.0-78.54.1",
"libfreebl3": "3.47.1-38.12.1",
"mozilla-nspr": "4.23-29.9.1",
"mozilla-nss-certs-32bit": "3.47.1-38.12.1",
"mozilla-nss-tools": "3.47.1-38.12.1",
"libsoftokn3": "3.47.1-38.12.1",
"mozilla-nspr-32bit": "4.23-29.9.1",
"libsoftokn3-32bit": "3.47.1-38.12.1",
"mozilla-nss": "3.47.1-38.12.1"
}
]
}