Security update for MozillaFirefox

SUSE Security Update: Security update for MozillaFirefox
Announcement ID: SUSE-SU-2014:1120-2
Rating: important
References: #882881 #894370
Affected Products:
  • SUSE Linux Enterprise Server 10 SP4 LTSS

  • An update that fixes two vulnerabilities is now available. It includes two new package versions.

    Description:


    Mozilla Firefox was updated to the 24.8.0ESR release, fixing security
    issues and bugs.

    Only some of the published security advisories affect the Mozilla Firefox
    24ESR codestream:

    * MFSA 2014-72 / CVE-2014-1567: Security researcher regenrecht
    reported, via TippingPoint's Zero Day Initiative, a use-after-free
    during text layout when interacting with the setting of text
    direction. This results in a use-after-free which can lead to
    arbitrary code execution.
    * MFSA 2014-67: Mozilla developers and community identified and fixed
    several memory safety bugs in the browser engine used in Firefox and
    other Mozilla-based products. Some of these bugs showed evidence of
    memory corruption under certain circumstances, and we presume that with
    enough effort at least some of these could be exploited to run arbitrary
    code.
    * Jan de Mooij reported a memory safety problem that affects Firefox
    ESR 24.7, ESR 31 and Firefox 31. (CVE-2014-1562)

    More information is referenced on:
    https://www.mozilla.org/security/announce/
    .

    Security Issues:

    * CVE-2014-1567

    * CVE-2014-1562

    Package List:

    • SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
      • firefox-gtk2-2.18.9-0.11.1
      • firefox-gtk2-lang-2.18.9-0.11.1
      • mozilla-nspr-4.10.7-0.5.1
      • mozilla-nspr-devel-4.10.7-0.5.1
      • mozilla-nss-3.16.4-0.5.2
      • mozilla-nss-devel-3.16.4-0.5.2
      • mozilla-nss-tools-3.16.4-0.5.2
    • SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64) [New Version: 3.16.4 and 4.10.7]:
      • firefox-gtk2-32bit-2.18.9-0.11.1
      • mozilla-nspr-32bit-4.10.7-0.5.1
      • mozilla-nss-32bit-3.16.4-0.5.2
    • SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x):
      • MozillaFirefox-24.8.0esr-0.5.1
      • MozillaFirefox-translations-24.8.0esr-0.5.1

    References:

    • http://support.novell.com/security/cve/CVE-2014-1562.html
    • http://support.novell.com/security/cve/CVE-2014-1567.html
    • https://bugzilla.novell.com/882881
    • https://bugzilla.novell.com/894370
    • http://download.suse.com/patch/finder/?keywords=24d0f20857a99b68fbd08945af76c27a