MozillaFirefox: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2023
         SUSE Security Update: Security update for MozillaFirefox
                              23 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          MozillaFirefox
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Provide Misleading Information  -- Remote with User Interaction
                  Access Confidential Data        -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-6354 CVE-2016-5265 CVE-2016-5264
                  CVE-2016-5263 CVE-2016-5262 CVE-2016-5259
                  CVE-2016-5258 CVE-2016-5254 CVE-2016-5252
                  CVE-2016-2839 CVE-2016-2838 CVE-2016-2837
                  CVE-2016-2836 CVE-2016-2835 CVE-2016-2830

Reference:        ASB-2016.0081

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2131-1
Rating:             important
References:         #989196 #990628 #990856 #991809 
Cross-References:   CVE-2016-2830 CVE-2016-2835 CVE-2016-2836
                    CVE-2016-2837 CVE-2016-2838 CVE-2016-2839
                    CVE-2016-5252 CVE-2016-5254 CVE-2016-5258
                    CVE-2016-5259 CVE-2016-5262 CVE-2016-5263
                    CVE-2016-5264 CVE-2016-5265 CVE-2016-6354
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for SAP 12
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 15 vulnerabilities is now available.

Description:


   MozillaFirefox was updated to 45.3.0 ESR to fix the following issues
   (bsc#991809):

   * MFSA 2016-62/CVE-2016-2835/CVE-2016-2836 Miscellaneous memory safety
     hazards (rv:48.0 / rv:45.3)
   * MFSA 2016-63/CVE-2016-2830 Favicon network connection can persist when
     page is closed
   * MFSA 2016-64/CVE-2016-2838 Buffer overflow rendering SVG with
     bidirectional content
   * MFSA 2016-65/CVE-2016-2839 Cairo rendering crash due to memory
     allocation issue with FFmpeg 0.10
   * MFSA 2016-67/CVE-2016-5252 Stack underflow during 2D graphics rendering
   * MFSA 2016-70/CVE-2016-5254 Use-after-free when using alt key and
     toplevel menus
   * MFSA 2016-72/CVE-2016-5258 Use-after-free in DTLS during WebRTC session
     shutdown
   * MFSA 2016-73/CVE-2016-5259 Use-after-free in service workers with nested
     sync events
   * MFSA 2016-76/CVE-2016-5262 Scripts on marquee tag can execute in
     sandboxed iframes
   * MFSA 2016-77/CVE-2016-2837 Buffer overflow in ClearKey Content
     Decryption Module (CDM) during video playback
   * MFSA 2016-78/CVE-2016-5263 Type confusion in display transformation
   * MFSA 2016-79/CVE-2016-5264 Use-after-free when applying SVG effects
   * MFSA 2016-80/CVE-2016-5265 Same-origin policy violation using local HTML
     file and saved shortcut file
   * CVE-2016-6354: Fix for possible buffer overrun (bsc#990856)

   Also a temporary workaround was added:
   - Temporarily bind Firefox to the first CPU as a hotfix for an apparent
     race condition (bsc#989196, bsc#990628)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1254=1

   - SUSE Linux Enterprise Server for SAP 12:

      zypper in -t patch SUSE-SLE-SAP-12-2016-1254=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1254=1

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-1254=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1254=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-45.3.0esr-78.1
      MozillaFirefox-debugsource-45.3.0esr-78.1
      MozillaFirefox-devel-45.3.0esr-78.1

   - SUSE Linux Enterprise Server for SAP 12 (x86_64):

      MozillaFirefox-45.3.0esr-78.1
      MozillaFirefox-debuginfo-45.3.0esr-78.1
      MozillaFirefox-debugsource-45.3.0esr-78.1
      MozillaFirefox-translations-45.3.0esr-78.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      MozillaFirefox-45.3.0esr-78.1
      MozillaFirefox-debuginfo-45.3.0esr-78.1
      MozillaFirefox-debugsource-45.3.0esr-78.1
      MozillaFirefox-translations-45.3.0esr-78.1

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      MozillaFirefox-45.3.0esr-78.1
      MozillaFirefox-debuginfo-45.3.0esr-78.1
      MozillaFirefox-debugsource-45.3.0esr-78.1
      MozillaFirefox-translations-45.3.0esr-78.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      MozillaFirefox-45.3.0esr-78.1
      MozillaFirefox-debuginfo-45.3.0esr-78.1
      MozillaFirefox-debugsource-45.3.0esr-78.1
      MozillaFirefox-translations-45.3.0esr-78.1


References:

   https://www.suse.com/security/cve/CVE-2016-2830.html
   https://www.suse.com/security/cve/CVE-2016-2835.html
   https://www.suse.com/security/cve/CVE-2016-2836.html
   https://www.suse.com/security/cve/CVE-2016-2837.html
   https://www.suse.com/security/cve/CVE-2016-2838.html
   https://www.suse.com/security/cve/CVE-2016-2839.html
   https://www.suse.com/security/cve/CVE-2016-5252.html
   https://www.suse.com/security/cve/CVE-2016-5254.html
   https://www.suse.com/security/cve/CVE-2016-5258.html
   https://www.suse.com/security/cve/CVE-2016-5259.html
   https://www.suse.com/security/cve/CVE-2016-5262.html
   https://www.suse.com/security/cve/CVE-2016-5263.html
   https://www.suse.com/security/cve/CVE-2016-5264.html
   https://www.suse.com/security/cve/CVE-2016-5265.html
   https://www.suse.com/security/cve/CVE-2016-6354.html
   https://bugzilla.suse.com/989196
   https://bugzilla.suse.com/990628
   https://bugzilla.suse.com/990856
   https://bugzilla.suse.com/991809

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV7uV3ox+lLeg9Ub1AQgu9Q/+JMucQboYHmXetPgBWPbVKeOA932X5Ni7
eLT3OopFYe897QDyxI7eW8Fwi3ZiTP49UKhUH9k1wASEFcF4IBPNc0J4VMW9hObL
peV7CUgAmla805BjEWwAxBZhWr0QmdWxbWfUI0FSHmUgZtyPJJZ1KSLwULImTmKB
PBsAuZPL/uEbsAEfo/+6P2fBatRpFU2L+k4JEaPM5zfZVRgU0ibzSHQkLu/dtspq
B4hbCjNOddR/TH69jNrtbVkiyZC38C6oImA74my0hc7/tJTJ1/M+o265M9fGfUOa
Nf64dFT/Mq+uYpAmzRQ9b/0d5G8kyPGMTOvHOoEr+5nmVJP1WB+bKvtcl36PQQ+t
SorlB2FR5dzpySqViDbHh1M8RHOqTh+COhxCzuYsAQX9RxjNT0+Ptddfor9EBRpw
UZQQ7Mw5vfmccMAualo2vjxsN1YUIG/9pt2OAG57NINhbj5lucFmgRYCYDMHwLlx
MGK2sAnz2sfNnue6/GzYOWhWXCb88O6/oKEAbjo6d+NyJCkrfOuyndQX8QePddki
1XLg2ZmW/h6i3Czv/NXWpeYi4ksXTJ0Jyrzw4uHPzVt1VmSFydpQ44VR+6yzYTv7
qtHkywj1x/Ot3zsLbedZAUoKkg19NOk9dFkqWALcBzP9jvn2f1RvmQORDgS286RO
QLWkKWtRiuk=
=nBrc
-----END PGP SIGNATURE-----