File _patchinfo of Package patchinfo.9788

<patchinfo incident="9788">
  <issue tracker="bnc" id="1119105">VUL-0: MozillaFirefox,MozillaThunderbird: 64.0, 60.4.0 ESR security releases</issue>
  <issue tracker="bnc" id="1097410">VUL-0: CVE-2018-0495: Novel side-channel attack "ROHNP"- Key Extraction Side Channel in Multiple Crypto Libraries</issue>
  <issue tracker="bnc" id="1119069">VUL-0: CVE-2018-12404: mozilla-nss: nss: Cache side-channel variant of the Bleichenbacher attack</issue>
  <issue tracker="bnc" id="1106873">VUL-0: CVE-2018-12384: mozilla-nss: ServerHello.random is all zero when handling a v2-compatible ClientHello</issue>
  <issue tracker="cve" id="2018-17466"/>
  <issue tracker="cve" id="2018-18494"/>
  <issue tracker="cve" id="2018-18492"/>
  <issue tracker="cve" id="2018-18493"/>
  <issue tracker="cve" id="2018-12405"/>
  <issue tracker="cve" id="2018-18498"/>
  <issue tracker="cve" id="2018-0495"/>
  <issue tracker="cve" id="2018-12404"/>
  <issue tracker="cve" id="2018-12384"/>
  <category>security</category>
  <rating>important</rating>
  <packager>cgrobertson</packager>
  <description>This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed an integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)
</description>
  <summary>Security update for MozillaFirefox, mozilla-nspr and mozilla-nss</summary>
</patchinfo>