Overview
Security update for Mozilla based packages

This update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues:

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16:

* CVE-2017-5472 (bmo#1365602)
Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326)
Privilege escalation through Firefox Installer with same
directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595)
Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772,
CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776,
CVE-2017-7777
Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645)
File manipulation and privilege escalation via callback parameter
in Mozilla Windows Updater and Maintenance Service (Windows only)
* CVE-2017-7761 (bmo#1215648)
File deletion and privilege escalation through Mozilla Maintenance
Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283)
Domain spoofing with combination of Canadian Syllabics and other
unicode blocks
* CVE-2017-7765 (bmo#1273265)
Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-7766 (bmo#1342742)
File execution and privilege escalation through updater.ini,
Mozilla Windows Updater, and Mozilla Maintenance Service
(Windows only)
* CVE-2017-7767 (bmo#1336964)
Privilege escalation and arbitrary file overwrites through Mozilla
Windows Updater and Mozilla Maintenance Service (Windows only)
* CVE-2017-7768 (bmo#1336979)
32 byte arbitrary file read through Mozilla Maintenance Service
(Windows only)
* CVE-2017-5470
Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

- remove -fno-inline-small-functions and explicitely optimize with
-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5
* Implemented domain name constraints for CA: TUBITAK Kamu SM SSL
Kok Sertifikasi - Surum 1. (bmo#1350859)
* March 2017 batch of root CA changes (bmo#1350859) (version 2.14)
CA certificates removed:
O = Japanese Government, OU = ApplicationCA
CN = WellsSecure Public Root Certificate Authority
CN = TURKTRUST Elektronik Sertifika Hizmet H6
CN = Microsec e-Szigno Root
CA certificates added:
CN = D-TRUST Root CA 3 2013
CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1

java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime dependency.

Fixed bugs
bnc#1043960
VUL-0: MozillaFirefox: 54/52.2 security release
bnc#1040105
Firefox build using gcc7 has unusable UI
CVE-2017-7775
CVE-2017-7774
CVE-2017-7777
CVE-2017-7776
CVE-2017-7771
CVE-2017-7773
CVE-2017-7772
CVE-2017-7778
CVE-2017-7749
CVE-2017-7766
CVE-2017-7767
CVE-2017-7764
CVE-2017-7765
CVE-2017-7760
CVE-2017-7761
CVE-2017-7768
CVE-2017-5470
CVE-2017-5472
CVE-2017-7758
CVE-2017-7752
CVE-2017-7751
CVE-2017-7750
CVE-2017-7757
CVE-2017-7756
CVE-2017-7755
CVE-2017-7754
Selected Binaries
openSUSE Build Service is sponsored by
Places