File _patchinfo of Package patchinfo.3781

<patchinfo incident="3781">
  <issue id="930622" tracker="bnc">VUL-0: MozillaFirefox 38 / 31.7 security release</issue>
  <issue id="CVE-2015-2711" tracker="cve" />
  <issue id="CVE-2015-2710" tracker="cve" />
  <issue id="CVE-2015-2713" tracker="cve" />
  <issue id="CVE-2015-2712" tracker="cve" />
  <issue id="CVE-2015-2715" tracker="cve" />
  <issue id="CVE-2015-2717" tracker="cve" />
  <issue id="CVE-2015-2716" tracker="cve" />
  <issue id="CVE-2015-2718" tracker="cve" />
  <issue id="CVE-2015-2708" tracker="cve" />
  <issue id="CVE-2015-2709" tracker="cve" />
  <issue id="CVE-2011-3079" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>wrosenauer</packager>
  <description>The Mozilla Firefox web browser was updated to version 38.0.1 to fix several security and non-security issues.
This update also includes a Mozilla Network Security Services (NSS) update to version 3.18.1.

The following vulnerabilities and issues were fixed:

Changes in Mozilla Firefox:
- update to Firefox 38.0.1
  stability and regression fixes
  * Systems with first generation NVidia Optimus graphics cards
    may crash on start-up
  * Users who import cookies from Google Chrome can end up with
    broken websites
  * Large animated images may fail to play and may stop other
    images from loading
- update to Firefox 38.0 (bnc#930622)
  * New tab-based preferences
  * Ruby annotation support
  * more info: https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
  security fixes:
  * MFSA 2015-46/CVE-2015-2708/CVE-2015-2709
    Miscellaneous memory safety hazards
  * MFSA 2015-47/CVE-2015-0797 (bmo#1080995)
    Buffer overflow parsing H.264 video with Linux Gstreamer
  * MFSA 2015-48/CVE-2015-2710 (bmo#1149542)
    Buffer overflow with SVG content and CSS
  * MFSA 2015-49/CVE-2015-2711 (bmo#1113431)
    Referrer policy ignored when links opened by middle-click and
    context menu
  * MFSA 2015-50/CVE-2015-2712 (bmo#1152280)
    Out-of-bounds read and write in asm.js validation
  * MFSA 2015-51/CVE-2015-2713 (bmo#1153478)
    Use-after-free during text processing with vertical text enabled
  * MFSA 2015-53/CVE-2015-2715 (bmo#988698)
    Use-after-free due to Media Decoder Thread creation during shutdown
  * MFSA 2015-54/CVE-2015-2716 (bmo#1140537)
    Buffer overflow when parsing compressed XML
  * MFSA 2015-55/CVE-2015-2717 (bmo#1154683)
    Buffer overflow and out-of-bounds read while parsing MP4 video
    metadata
  * MFSA 2015-56/CVE-2015-2718 (bmo#1146724)
    Untrusted site hosting trusted page can intercept webchannel
    responses
  * MFSA 2015-57/CVE-2011-3079 (bmo#1087565)
    Privilege escalation through IPC channel messages

Changes in Mozilla NSS:
- update to 3.18.1
  * Firefox target release 38
  * No new functionality is introduced in this release.
  Notable Changes:
  * The following CA certificate had the Websites and Code Signing
    trust bits restored to their original state to allow more time
    to develop a better transition strategy for affected sites:
    - OU = Equifax Secure Certificate Authority
  * The following CA certificate was removed:
    - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * The following intermediate CA certificate has been added as
    actively distrusted because it was mis-used to issue certificates
    for domain names the holder did not own or control:
    - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
  * The version number of the updated root CA list has been set
    to 2.4
- update to 3.18
  * Firefox target release 38
  New functionality:
  * When importing certificates and keys from a PKCS#12 source,
    it's now possible to override the nicknames, prior to importing
    them into the NSS database, using new API
    SEC_PKCS12DecoderRenameCertNicknames.
  * The tstclnt test utility program has new command-line options
    -C, -D, -b and -R.
    Use -C one, two or three times to print information about the
    certificates received from a server, and information about the
    locally found and trusted issuer certificates, to diagnose
    server side configuration issues. It is possible to run tstclnt</description>
  <summary>Security update for MozillaFirefox</summary>
</patchinfo>