Overview

File _patchinfo of Package patchinfo.5200

<patchinfo incident="5200">
  <issue id="983549" tracker="bnc">VUL-0: MozillaFirefox 47 / 45.2 ESR security release</issue>
  <issue id="981695" tracker="bnc">Firefox configure options cleanup</issue>
  <issue id="980384" tracker="bnc">Enable PIE and full relro build for firefox</issue>
  <issue id="983640" tracker="bnc">VUL-0: CVE-2016-2833: MozillaFirefox: Java applets bypass CSP protections (MFSA-2016-60)</issue>
  <issue id="983651" tracker="bnc">VUL-0: CVE-2016-2824: MozillaFirefox: Out-of-bounds write with WebGL shader (MFSA 2016-53)</issue>
  <issue id="983643" tracker="bnc">VUL-0: CVE-2016-2831: MozillaFirefox: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58)</issue>
  <issue id="983653" tracker="bnc">VUL-0: CVE-2016-2821: MozillaFirefox: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51)</issue>
  <issue id="983652" tracker="bnc">VUL-0: CVE-2016-2822: MozillaFirefox: Addressbar spoofing though the SELECT element (MFSA 2016-52)</issue>
  <issue id="983655" tracker="bnc">VUL-0: CVE-2016-2819: MozillaFirefox: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)</issue>
  <issue id="983632" tracker="bnc">VUL-0: CVE-2016-2832: MozillaFirefox: Information disclosure of disabled plugins through CSS pseudo-classes (MFSA 2016-59)</issue>
  <issue id="983644" tracker="bnc">VUL-0: CVE-2016-2829: MozillaFirefox: Incorrect icon displayed on permissions notifications (MFSA 2016-57)</issue>
  <issue id="983646" tracker="bnc">VUL-0: CVE-2016-2828: MozillaFirefox: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56)</issue>
  <issue id="983649" tracker="bnc">VUL-0: CVE-2016-2825: MozillaFirefox: Partial same-origin-policy through setting location.host through data URI (MFSA 2016-54)</issue>
  <issue id="983638" tracker="bnc">VUL-0: CVE-2016-2815 CVE-2016-2818: MozillaFirefox: Miscellaneous memory safety hazards (rv:45.2) (MFSA 2016-49)</issue>
  <issue id="CVE-2016-2818" tracker="cve" />
  <issue id="CVE-2016-2824" tracker="cve" />
  <issue id="CVE-2016-2825" tracker="cve" />
  <issue id="CVE-2016-2822" tracker="cve" />
  <issue id="CVE-2016-2815" tracker="cve" />
  <issue id="CVE-2016-2833" tracker="cve" />
  <issue id="CVE-2016-2821" tracker="cve" />
  <issue id="CVE-2016-2819" tracker="cve" />
  <issue id="CVE-2016-2832" tracker="cve" />
  <issue id="CVE-2016-2828" tracker="cve" />
  <issue id="CVE-2016-2829" tracker="cve" />
  <issue id="CVE-2016-2831" tracker="cve" />
  <issue id="983639" tracker="bnc">VUL-0: CVE-2016-2834: mozilla-nss: Memory safety bugs fixed in NSS 3.23 (MFSA 2016-61)</issue>
  <issue id="CVE-2016-2834" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>wrosenauer</packager>
  <description>This update to Mozilla Firefox 47 fixes the following issues (boo#983549):

Security fixes:

- CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety hazards (boo#983638 MFSA 2016-49)
- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (boo#983655 MFSA 2016-50)
- CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (boo#983653 MFSA 2016-51)
- CVE-2016-2822: Addressbar spoofing though the SELECT element (boo#983652 MFSA 2016-52)
- CVE-2016-2824: Out-of-bounds write with WebGL shader (boo#983651 MFSA 2016-53)
- CVE-2016-2825: Partial same-origin-policy through setting location.host through data URI (boo#983649 MFSA 2016-54)
- CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (boo#983646 MFSA 2016-56)
- CVE-2016-2829: Incorrect icon displayed on permissions notifications (boo#983644 MFSA 2016-57)
- CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (boo#983643 MFSA 2016-58)
- CVE-2016-2832: Information disclosure of disabled plugins through CSS pseudo-classes (boo#983632 MFSA 2016-59)
- CVE-2016-2833: Java applets bypass CSP protections (boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following vulnerabilities:

- CVE-2016-2834: Memory safety bugs (boo#983639 MFSA-2016-61)
    
The following non-security changes are included:

- Enable VP9 video codec for users with fast machines
- Embedded YouTube videos now play with HTML5 video if Flash is not installed
- View and search open tabs from your smartphone or another computer in a sidebar
- Allow no-cache on back/forward navigations for https resources

The following packaging changes are included:

- boo#981695: cleanup configure options, notably removing GStreamer support which is gone from FF
- boo#980384: enable build with PIE and full relro on x86_64

The following new functionality is provided:

- ChaCha20/Poly1305 cipher and TLS cipher suites now supported
- The list of TLS extensions sent in the TLS handshake has been reordered to increase compatibility of the Extended Master Secret with with servers
</description>
  <summary>Security update for MozillaFirefox, mozilla-nss</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places