Overview

File _patchinfo of Package patchinfo.3044

<patchinfo incident="3044">
  <issue id="990856" tracker="bnc">VUL-1: CVE-2016-6354: flex,flex-old: buffer overflow in generated code (yy_get_next_buffer)</issue>
  <issue id="991809" tracker="bnc">VUL-0: MozillaFirefox: multiple vulnerabilities fixed in 48.0/45.3</issue>
  <issue id="990628" tracker="bnc">L3: Firefox 45.2.0esr crashes frequently</issue>
  <issue id="989196" tracker="bnc">MozillaFirefox 45.2.0esr exhibits stalls in rendering web pages in tabs</issue>
  <issue id="2016-2835" tracker="cve" />
  <issue id="2016-5258" tracker="cve" />
  <issue id="2016-2837" tracker="cve" />
  <issue id="2016-2836" tracker="cve" />
  <issue id="2016-6354" tracker="cve" />
  <issue id="2016-2830" tracker="cve" />
  <issue id="2016-5259" tracker="cve" />
  <issue id="2016-5254" tracker="cve" />
  <issue id="2016-5252" tracker="cve" />
  <issue id="2016-2839" tracker="cve" />
  <issue id="2016-2838" tracker="cve" />
  <issue id="2016-5263" tracker="cve" />
  <issue id="2016-5262" tracker="cve" />
  <issue id="2016-5265" tracker="cve" />
  <issue id="2016-5264" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>pcerny</packager>
  <description>
MozillaFirefox was updated to 45.3.0 ESR to fix the following issues
(bsc#991809):

* MFSA 2016-62/CVE-2016-2835/CVE-2016-2836
  Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
* MFSA 2016-63/CVE-2016-2830
  Favicon network connection can persist when page is closed
* MFSA 2016-64/CVE-2016-2838
  Buffer overflow rendering SVG with bidirectional content
* MFSA 2016-65/CVE-2016-2839
  Cairo rendering crash due to memory allocation issue with
  FFmpeg 0.10
* MFSA 2016-67/CVE-2016-5252
  Stack underflow during 2D graphics rendering
* MFSA 2016-70/CVE-2016-5254
  Use-after-free when using alt key and toplevel menus
* MFSA 2016-72/CVE-2016-5258
  Use-after-free in DTLS during WebRTC session shutdown
* MFSA 2016-73/CVE-2016-5259
  Use-after-free in service workers with nested sync events
* MFSA 2016-76/CVE-2016-5262
  Scripts on marquee tag can execute in sandboxed iframes
* MFSA 2016-77/CVE-2016-2837
  Buffer overflow in ClearKey Content Decryption Module (CDM)
  during video playback
* MFSA 2016-78/CVE-2016-5263
  Type confusion in display transformation
* MFSA 2016-79/CVE-2016-5264
  Use-after-free when applying SVG effects
* MFSA 2016-80/CVE-2016-5265
  Same-origin policy violation using local HTML file and saved
  shortcut file
* CVE-2016-6354: Fix for possible buffer overrun (bsc#990856)

Also a temporary workaround was added:
- Temporarily bind Firefox to the first CPU as a hotfix
  for an apparent race condition (bsc#989196, bsc#990628)
</description>
  <summary>Security update for MozillaFirefox</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places