Operating System:

[SUSE]

Published:

18 November 2011

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2011.1163 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1163
         SUSE Security Update: Security update for Mozilla Firefox
                             18 November 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Mozilla Firefox
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Increased Privileges            -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Unauthorised Access             -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-3655 CVE-2011-3653 CVE-2011-3651
                  CVE-2011-3650 CVE-2011-3649 CVE-2011-3648
                  CVE-2011-3647 CVE-2011-3001 CVE-2011-3000
                  CVE-2011-2999 CVE-2011-2998 CVE-2011-2996
                  CVE-2011-2372  

Reference:        ASB-2011.0100
                  ESB-2011.1004
                  ESB-2011.0985

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for Mozilla Firefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:1256-1
Rating:             critical
References:         #726096 #728520 
Cross-References:   CVE-2011-2372 CVE-2011-2996 CVE-2011-2998
                    CVE-2011-2999 CVE-2011-3000 CVE-2011-3001
                    CVE-2011-3647 CVE-2011-3648 CVE-2011-3649
                    CVE-2011-3650 CVE-2011-3651 CVE-2011-3653
                    CVE-2011-3655
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.
   It includes three new package versions.

Description:


   MozillaFirefox has been updated to version 1.9.2.24
   (bnc#728520) to fix the  following security issues:

   * MFSA 2011-46/CVE-2011-3647 (bmo#680880) loadSubScript
   unwraps XPCNativeWrapper scope parameter
   * MFSA 2011-47/CVE-2011-3648 (bmo#690225) Potential XSS
   against sites using Shift-JIS
   * MFSA 2011-49/CVE-2011-3650 (bmo#674776) Memory
   corruption while profiling using Firebug

   Security Issue references:

   * CVE-2011-3648
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648
   >
   * CVE-2011-3000
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000
   >
   * CVE-2011-3001
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3001
   >
   * CVE-2011-3647
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647
   >
   * CVE-2011-2372
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372
   >
   * CVE-2011-2999
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999
   >
   * CVE-2011-3650
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650
   >
   * CVE-2011-2998
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2998
   >
   * CVE-2011-2996
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2996
   >
   * CVE-2011-3655
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655
   >
   * CVE-2011-3653
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653
   >
   * CVE-2011-3649
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649
   >
   * CVE-2011-3651
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-MozillaFirefox-5429

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-MozillaFirefox-5429

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-MozillaFirefox-5429

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-MozillaFirefox-5429

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.24 and 3.13.1]:

      mozilla-nss-devel-3.13.1-0.2.1
      mozilla-xulrunner192-devel-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (s390x x86_64) [New Version: 1.9.2.24]:

      mozilla-xulrunner192-gnome-32bit-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-32bit-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ppc64) [New Version: 1.9.2.24]:

      mozilla-xulrunner192-gnome-32bit-1.9.2.24-0.3.2
      mozilla-xulrunner192-translations-32bit-1.9.2.24-0.3.2

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (ia64) [New Version: 1.9.2.24]:

      mozilla-xulrunner192-gnome-x86-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-x86-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 3.13.1 and 3.6.24]:

      MozillaFirefox-3.6.24-0.3.1
      MozillaFirefox-translations-3.6.24-0.3.1
      libfreebl3-3.13.1-0.2.1
      mozilla-nss-3.13.1-0.2.1
      mozilla-nss-tools-3.13.1-0.2.1
      mozilla-xulrunner192-1.9.2.24-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (x86_64) [New Version: 3.13.1]:

      libfreebl3-32bit-3.13.1-0.2.1
      mozilla-nss-32bit-3.13.1-0.2.1
      mozilla-xulrunner192-32bit-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.9.2.24,3.13.1 and 3.6.24]:

      MozillaFirefox-3.6.24-0.3.1
      MozillaFirefox-translations-3.6.24-0.3.1
      libfreebl3-3.13.1-0.2.1
      mozilla-nss-3.13.1-0.2.1
      mozilla-nss-tools-3.13.1-0.2.1
      mozilla-xulrunner192-1.9.2.24-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64 s390x x86_64) [New Version: 3.13.1]:

      libfreebl3-32bit-3.13.1-0.2.1
      mozilla-nss-32bit-3.13.1-0.2.1

   - SUSE Linux Enterprise Server 11 SP1 (s390x x86_64) [New Version: 1.9.2.24]:

      mozilla-xulrunner192-32bit-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64) [New Version: 1.9.2.24]:

      mozilla-xulrunner192-32bit-1.9.2.24-0.3.2

   - SUSE Linux Enterprise Server 11 SP1 (ia64) [New Version: 1.9.2.24 and 3.13.1]:

      libfreebl3-x86-3.13.1-0.2.1
      mozilla-nss-x86-3.13.1-0.2.1
      mozilla-xulrunner192-x86-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 1.9.2.24,3.13.1 and 3.6.24]:

      MozillaFirefox-3.6.24-0.3.1
      MozillaFirefox-translations-3.6.24-0.3.1
      libfreebl3-3.13.1-0.2.1
      mozilla-nss-3.13.1-0.2.1
      mozilla-nss-tools-3.13.1-0.2.1
      mozilla-xulrunner192-1.9.2.24-0.3.1
      mozilla-xulrunner192-gnome-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-1.9.2.24-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (x86_64) [New Version: 1.9.2.24 and 3.13.1]:

      libfreebl3-32bit-3.13.1-0.2.1
      mozilla-nss-32bit-3.13.1-0.2.1
      mozilla-xulrunner192-32bit-1.9.2.24-0.3.1
      mozilla-xulrunner192-gnome-32bit-1.9.2.24-0.3.1
      mozilla-xulrunner192-translations-32bit-1.9.2.24-0.3.1


References:

   http://support.novell.com/security/cve/CVE-2011-2372.html
   http://support.novell.com/security/cve/CVE-2011-2996.html
   http://support.novell.com/security/cve/CVE-2011-2998.html
   http://support.novell.com/security/cve/CVE-2011-2999.html
   http://support.novell.com/security/cve/CVE-2011-3000.html
   http://support.novell.com/security/cve/CVE-2011-3001.html
   http://support.novell.com/security/cve/CVE-2011-3647.html
   http://support.novell.com/security/cve/CVE-2011-3648.html
   http://support.novell.com/security/cve/CVE-2011-3649.html
   http://support.novell.com/security/cve/CVE-2011-3650.html
   http://support.novell.com/security/cve/CVE-2011-3651.html
   http://support.novell.com/security/cve/CVE-2011-3653.html
   http://support.novell.com/security/cve/CVE-2011-3655.html
   https://bugzilla.novell.com/726096
   https://bugzilla.novell.com/728520
   http://download.novell.com/patch/finder/?keywords=c78d5ba357ca9d7cf302f1609efa467f

- --

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTsWj1u4yVqjM2NGpAQJosg//XT+TjhFqF+k1eVseXPScFGi3cvMFxm/R
GVYnaTtrrTCCPMP7j65UHkFoVKlRv5IpAVUd8Q4r3clyerzd7snzgjMDXZjrWE7+
mH7F9n4MAJLJrI84HQ/ZZJNmW0rBOHVwBYyFh+TLyVzO0VAcNJmW5SPDfovgTdzD
O7Kz6eGSmUIcq80MPyhlrqX/vzhvtJrc3OP6z9Xp3N0dKgBjsS6o/Naq5Kl7ej2l
0E93wh1YbaGa9xJK0WuxS4yhbLXaY8ZuAE1C1H7US40X7cILfGJq5Tn6nDMYMFTN
90WXSKjnU3DGgRPHZ8FWqV/b3Ordu1qFB9SfUGY+qsKvRIG4amslVvci49tPmytn
4J4y9npXAVIpifDqGqEbSsTbC+eZsvHDfCRQSWmSIoCmCLnFjyoGBSgEiCKqG7Pd
k6o8ha9ZQi6PAh1ZTOQi5YIi0LnvVKh270iRi6YUEbM6sWGKpWKkFgWgj1uvI9ja
d5OdnGY1DiRnUMVyGAEJVF98ugXwzRnfiJ4FVIroGTrMJQlEadR1ruA4rL21Vqpk
m9zPZSqGgqiZ6n6wRHs5EVvL5ZVOBM/1lKrnwHL5gI7IBxr/mnbdqgXvQE4W/dSd
6en5fn5FKXMqhPIxcBsPc1hOXZU6alH+m3E8yCfYvQga0zHA1sq35YLpzn8sAZm/
EHe2CXTTIwc=
=ss0v
-----END PGP SIGNATURE-----