Security update for MozillaFirefox, mozilla-nspr, mozilla-nss

Announcement ID:	SUSE-SU-2019:14260-1
Rating:	important
References:	bsc#1158328 bsc#1158527
Cross-References:	CVE-2019-11745 CVE-2019-13722 CVE-2019-17005 CVE-2019-17008 CVE-2019-17009 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012
CVSS scores:	CVE-2019-11745 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11745 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-13722 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-13722 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-17005 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17005 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17008 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17008 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17009 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-17009 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-17010 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17010 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17011 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17011 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17012 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-17012 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4

An update that solves eight vulnerabilities can now be installed.

Description:

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues:

Update Firefox Extended Support Release to 68.3.0 ESR (MFSA 2019-37 / bsc#1158328)

Security issues fixed:

• CVE-2019-17008: Use-after-free in worker destruction (bmo#1546331).
• CVE-2019-13722: Stack corruption due to incorrect number of arguments in WebRTC code (bmo#1580156).
• CVE-2019-11745: Out of bounds write in NSS when encrypting with a block cipher (bmo#1586176).
• CVE-2019-17009: Updater temporary files accessible to unprivileged processes (bmo#1510494).
• CVE-2019-17010: Use-after-free when performing device orientation checks (bmo#1581084).
• CVE-2019-17005: Buffer overflow in plain text serializer (bmo#1584170).
• CVE-2019-17011: Use-after-free when retrieving a document in antitracking (bmo#1591334).
• CVE-2019-17012: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 (bmo#1449736, bmo#1533957, bmo#1560667, bmo#1567209, bmo#1580288, bmo#1585760, bmo#1592502).

Update mozilla-nss to version 3.47.1 (bsc#1158527):

Security issues fixed:

• CVE-2019-11745: EncryptUpdate should use maxout, not block size.

Bug fixes:

• Fix a crash that could be caused by client certificates during startup (bmo#1590495, bsc#1158527)
• Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810)
• Support AES HW acceleration on ARMv8 (bmo#1152625)
• Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894)
• Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
• Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953)

Update mozilla-nspr to version 4.23:

Bug fixes:

• fixed a build failure that was introduced in 4.22
• correctness fix for Win64 socket polling
• whitespace in C files was cleaned up and no longer uses tab characters for indenting
• added support for the ARC architecture
• removed support for the following platforms: OSF1/Tru64, DGUX, IRIX, Symbian, BeOS
• correctness and build fixes

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4
  zypper in -t patch slessp4-MozillaFirefox-14260=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-MozillaFirefox-14260=1

Package List:

• SUSE Linux Enterprise Server 11 SP4 LTSS 11-SP4 (x86_64)
  • mozilla-nss-certs-32bit-3.47.1-38.12.1
  • libfreebl3-32bit-3.47.1-38.12.1
  • mozilla-nss-32bit-3.47.1-38.12.1
  • mozilla-nspr-devel-4.23-29.9.1
  • libsoftokn3-32bit-3.47.1-38.12.1
  • mozilla-nss-certs-3.47.1-38.12.1
  • mozilla-nss-devel-3.47.1-38.12.1
  • libsoftokn3-3.47.1-38.12.1
  • libfreebl3-3.47.1-38.12.1
  • MozillaFirefox-68.3.0-78.54.1
  • MozillaFirefox-translations-common-68.3.0-78.54.1
  • mozilla-nspr-4.23-29.9.1
  • MozillaFirefox-translations-other-68.3.0-78.54.1
  • mozilla-nspr-32bit-4.23-29.9.1
  • mozilla-nss-3.47.1-38.12.1
  • mozilla-nss-tools-3.47.1-38.12.1
• SUSE Linux Enterprise Server 11 SP4 (x86_64)
  • mozilla-nss-certs-32bit-3.47.1-38.12.1
  • libfreebl3-32bit-3.47.1-38.12.1
  • mozilla-nss-32bit-3.47.1-38.12.1
  • mozilla-nspr-devel-4.23-29.9.1
  • libsoftokn3-32bit-3.47.1-38.12.1
  • mozilla-nss-certs-3.47.1-38.12.1
  • mozilla-nss-devel-3.47.1-38.12.1
  • libsoftokn3-3.47.1-38.12.1
  • libfreebl3-3.47.1-38.12.1
  • MozillaFirefox-68.3.0-78.54.1
  • MozillaFirefox-translations-common-68.3.0-78.54.1
  • mozilla-nspr-4.23-29.9.1
  • MozillaFirefox-translations-other-68.3.0-78.54.1
  • mozilla-nspr-32bit-4.23-29.9.1
  • mozilla-nss-3.47.1-38.12.1
  • mozilla-nss-tools-3.47.1-38.12.1

References:

• https://www.suse.com/security/cve/CVE-2019-11745.html
• https://www.suse.com/security/cve/CVE-2019-13722.html
• https://www.suse.com/security/cve/CVE-2019-17005.html
• https://www.suse.com/security/cve/CVE-2019-17008.html
• https://www.suse.com/security/cve/CVE-2019-17009.html
• https://www.suse.com/security/cve/CVE-2019-17010.html
• https://www.suse.com/security/cve/CVE-2019-17011.html
• https://www.suse.com/security/cve/CVE-2019-17012.html
• https://bugzilla.suse.com/show_bug.cgi?id=1158328
• https://bugzilla.suse.com/show_bug.cgi?id=1158527