Overview

File _patchinfo of Package patchinfo.5017

<patchinfo incident="5017">
  <packager>wrosenauer</packager>
  <issue tracker="cve" id="CVE-2016-2804"></issue>
  <issue tracker="cve" id="CVE-2016-2806"></issue>
  <issue tracker="cve" id="CVE-2016-2807"></issue>
  <issue tracker="cve" id="CVE-2016-2808"></issue>
  <issue tracker="cve" id="CVE-2016-2811"></issue>
  <issue tracker="cve" id="CVE-2016-2812"></issue>
  <issue tracker="cve" id="CVE-2016-2814"></issue>
  <issue tracker="cve" id="CVE-2016-2816"></issue>
  <issue tracker="cve" id="CVE-2016-2817"></issue>
  <issue tracker="cve" id="CVE-2016-2820"></issue>
  <issue tracker="bnc" id="977333">VUL-0: MozillaFirefox 46 / 45.1 ESR / 38.8 ESR security release</issue>
  <issue tracker="bnc" id="977373">VUL-0: CVE-2016-2804: MozillaFirefox: Memory safety bugs fixed in Firefox 46 (MFSA 2016-39)</issue>
  <issue tracker="bnc" id="977375">VUL-0: CVE-2016-2806: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46 (MFSA 2016-39)</issue>
  <issue tracker="bnc" id="977376">VUL-0: CVE-2016-2807: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46 (MFSA 2016-39</issue>
  <issue tracker="bnc" id="977386">VUL-0: CVE-2016-2808: MozillaFirefox: Write to invalid HashMap entry through JavaScript.watch() (MFSA 2016-47)</issue>
  <issue tracker="bnc" id="977379">VUL-0: CVE-2016-2811, CVE-2016-2812: MozillaFirefox: Use-after-free and buffer overflow in Service Workers (MFSA 2016-42)</issue>
  <issue tracker="bnc" id="977381">VUL-0: CVE-2016-2814: MozillaFirefox: Buffer overflow in libstagefright with CENC offsets (MFSA 2016-44)</issue>
  <issue tracker="bnc" id="977382">VUL-0: CVE-2016-2816: MozillaFirefox: CSP not applied to pages sent with multipart/x-mixed-replace (MFSA 2016-45)</issue>
  <issue tracker="bnc" id="977384">VUL-0: CVE-2016-2817: MozillaFirefox: Elevation of privilege with chrome.tabs.update API in web extensions (MFSA 2016-46)</issue>
  <issue tracker="bnc" id="977388">VUL-0: CVE-2016-2820: MozillaFirefox: Firefox Health Reports could accept events from untrusted domains (MFSA 2016-48)</issue>
  <category>security</category>
  <rating>important</rating>
  <summary>Security update update for MozillaFirefox, mozilla-nss</summary>
  <description>This update to Mozilla Firefox 46.0 fixes several security issues and bugs (boo#977333).

The following vulnerabilities were fixed:

- CVE-2016-2804: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977373)
- CVE-2016-2806: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977375)
- CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977376)
- CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() - MFSA 2016-47 (boo#977386)
- CVE-2016-2811: Use-after-free in Service Worker - MFSA 2016-42 (boo#977379)
- CVE-2016-2812: Buffer overflow in Service Worker - MFSA 2016-42 (boo#977379)
- CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (boo#977381)
- CVE-2016-2816: CSP not applied to pages sent with multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)
- CVE-2016-2817: Elevation of privilege with chrome.tabs.update API in web extensions - MFSA 2016-46 (boo#977384)
- CVE-2016-2820: Firefox Health Reports could accept events from untrusted domains - MFSA 2016-48 (boo#977388)

The following miscellaneous changes are included:

- Improved security of the JavaScript Just In Time (JIT) Compiler
- WebRTC fixes to improve performance and stability
- Added support for document.elementsFromPoint
- Added HKDF support for Web Crypto API

The following changes from Mozilla Firefox 45.0.2 are included:
- Fix an issue impacting the cookie header when third-party cookies are blocked
- Fix a web compatibility regression impacting the srcset attribute of the image tag
- Fix a crash impacting the video playback with Media Source Extension
- Fix a regression impacting some specific uploads
- Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird

The following changes from Mozilla Firefox 45.0.2 are included:
    
- Fix a regression causing search engine settings to be lost in some context
- Bring back non-standard jar: URIs to fix a regression in IBM iNotes
- XSLTProcessor.importStylesheet was failing when import was used
- Fix an issue which could cause the list of search provider to be empty
- Fix a regression when using the location bar (bmo#1254503)
- Fix some loading issues when Accept third-party cookies: was set to Never
- Disabled Graphite font shaping library

The minimum requirements increased to NSPR 4.12 and NSS 3.22.3.

Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox 46.0, with the following changes:

- Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake (bmo#1243641)
- RSA-PSS signatures are now supported
- Pseudorandom functions based on hashes other than SHA-1 are now supported
- Enforce an External Policy on NSS from a config file
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places