Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2015:1504-1
Rating:	important
References:	bsc#943557 bsc#943558 bsc#943608
Cross-References:	CVE-2015-4497 CVE-2015-4498
CVSS scores:
Affected Products:	SUSE Linux Enterprise Server 11 SP1 LTSS 11-SP1 SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2

An update that solves two vulnerabilities and has one security fix can now be installed.

Description:

Mozilla Firefox was updated to 38.2.1 ESR, fixing two severe security bugs. (bsc#943608)

• MFSA 2015-94/CVE-2015-4497 (bsc#943557): Use-after-free when resizing canvas element during restyling
• MFSA 2015-95/CVE-2015-4498 (bsc#943558): Add-on notification bypass through data URLs

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 11 SP1 LTSS 11-SP1
  zypper in -t patch slessp1-firefox-20150831-12071=1
• SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2
  zypper in -t patch slessp2-firefox-20150831-12071=1

Package List:

• SUSE Linux Enterprise Server 11 SP1 LTSS 11-SP1 (s390x x86_64 i586)
  • MozillaFirefox-38.2.1esr-17.1
  • MozillaFirefox-translations-38.2.1esr-17.1
• SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2 (s390x x86_64 i586)
  • MozillaFirefox-38.2.1esr-17.1
  • MozillaFirefox-translations-38.2.1esr-17.1

References:

• https://www.suse.com/security/cve/CVE-2015-4497.html
• https://www.suse.com/security/cve/CVE-2015-4498.html
• https://bugzilla.suse.com/show_bug.cgi?id=943557
• https://bugzilla.suse.com/show_bug.cgi?id=943558
• https://bugzilla.suse.com/show_bug.cgi?id=943608