File _patchinfo of Package patchinfo.972
<patchinfo incident="972">
<issue id="940806" tracker="bnc">VUL-0: MozillaFirefox 40/38.2.0 ESR security release</issue>
<issue id="943608" tracker="bnc">VUL-0: MozillaFirefox 40/38.2.1 ESR security release</issue>
<issue id="943557" tracker="bnc">MFSA 2015-94/CVE-2015-4497</issue>
<issue id="943558" tracker="bnc">MFSA 2015-95/CVE-2015-4498</issue>
<issue id="CVE-2015-4487" tracker="cve" />
<issue id="CVE-2015-4486" tracker="cve" />
<issue id="CVE-2015-4485" tracker="cve" />
<issue id="CVE-2015-4484" tracker="cve" />
<issue id="CVE-2015-4489" tracker="cve" />
<issue id="CVE-2015-4488" tracker="cve" />
<issue id="CVE-2015-4473" tracker="cve" />
<issue id="CVE-2015-4474" tracker="cve" />
<issue id="CVE-2015-4475" tracker="cve" />
<issue id="CVE-2015-4495" tracker="cve" />
<issue id="CVE-2015-4478" tracker="cve" />
<issue id="CVE-2015-4479" tracker="cve" />
<issue id="CVE-2015-4491" tracker="cve" />
<issue id="CVE-2015-4492" tracker="cve" />
<issue id="CVE-2015-4497" tracker="cve" />
<issue id="CVE-2015-4498" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>pcerny</packager>
<description>
Mozilla Firefox was updated to version 38.2.1 ESR to fix several
critical and non-critical security vulnerabilities.
- Firefox was updated to 38.2.1 ESR (bsc#943608)
  * MFSA 2015-94/CVE-2015-4497 (bsc#943557)
    Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bsc#943558)
    Add-on notification bypass through data URLs
- Firefox was updated to 38.2.0 ESR (bsc#940806)
  * MFSA 2015-78/CVE-2015-4495
    (bmo#1178058, bmo#1179262)
    Same origin violation and local file stealing via PDF reader
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
    (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204,
    bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890,
    bmo#1182711)
    Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
  * MFSA 2015-80/CVE-2015-4475
    (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478
    (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479
    (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718)
    Overflow issues in libstagefright
  * MFSA 2015-87/CVE-2015-4484
    (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491
    (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
    (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    (bmo#1176270, bmo#1182723, bmo#1171603)
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492
    (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers
Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38 ESR uses.
</description>
<summary>Security update for MozillaFirefox, mozilla-nss</summary>
</patchinfo>