File _patchinfo of Package patchinfo.6879

<patchinfo incident="6879">
  <issue id="1043960" tracker="bnc">VUL-0: MozillaFirefox: 54/52.2 security release</issue>
  <issue id="1040105" tracker="bnc">Firefox build using gcc7 has unusable UI</issue>
  <issue id="2017-7775" tracker="cve" />
  <issue id="2017-7774" tracker="cve" />
  <issue id="2017-7777" tracker="cve" />
  <issue id="2017-7776" tracker="cve" />
  <issue id="2017-7771" tracker="cve" />
  <issue id="2017-7773" tracker="cve" />
  <issue id="2017-7772" tracker="cve" />
  <issue id="2017-7778" tracker="cve" />
  <issue id="2017-7749" tracker="cve" />
  <issue id="2017-7766" tracker="cve" />
  <issue id="2017-7767" tracker="cve" />
  <issue id="2017-7764" tracker="cve" />
  <issue id="2017-7765" tracker="cve" />
  <issue id="2017-7760" tracker="cve" />
  <issue id="2017-7761" tracker="cve" />
  <issue id="2017-7768" tracker="cve" />
  <issue id="2017-5470" tracker="cve" />
  <issue id="2017-5472" tracker="cve" />
  <issue id="2017-7758" tracker="cve" />
  <issue id="2017-7752" tracker="cve" />
  <issue id="2017-7751" tracker="cve" />
  <issue id="2017-7750" tracker="cve" />
  <issue id="2017-7757" tracker="cve" />
  <issue id="2017-7756" tracker="cve" />
  <issue id="2017-7755" tracker="cve" />
  <issue id="2017-7754" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>wrosenauer</packager>
  <description>This update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues:

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16:

* CVE-2017-5472 (bmo#1365602)
  Use-after-free using destroyed node when regenerating trees
* CVE-2017-7749 (bmo#1355039)
  Use-after-free during docshell reloading
* CVE-2017-7750 (bmo#1356558)
  Use-after-free with track elements
* CVE-2017-7751 (bmo#1363396)
  Use-after-free with content viewer listeners
* CVE-2017-7752 (bmo#1359547)
  Use-after-free with IME input
* CVE-2017-7754 (bmo#1357090)
  Out-of-bounds read in WebGL with ImageInfo object
* CVE-2017-7755 (bmo#1361326)
  Privilege escalation through Firefox Installer with same
  directory DLL files (Windows only)
* CVE-2017-7756 (bmo#1366595)
  Use-after-free and use-after-scope logging XHR header errors
* CVE-2017-7757 (bmo#1356824)
  Use-after-free in IndexedDB
* CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773,
  CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777
  Vulnerabilities in the Graphite 2 library
* CVE-2017-7758 (bmo#1368490)
  Out-of-bounds read in Opus encoder
* CVE-2017-7760 (bmo#1348645)
  File manipulation and privilege escalation via callback parameter
  in Mozilla Windows Updater and Maintenance Service (Windows only)
* CVE-2017-7761 (bmo#1215648)
  File deletion and privilege escalation through Mozilla Maintenance
  Service helper.exe application (Windows only)
* CVE-2017-7764 (bmo#1364283)
  Domain spoofing with combination of Canadian Syllabics and other
  Unicode blocks
* CVE-2017-7765 (bmo#1273265)
  Mark of the Web bypass when saving executable files (Windows only)
* CVE-2017-7766 (bmo#1342742)
  File execution and privilege escalation through updater.ini,
  Mozilla Windows Updater, and Mozilla Maintenance Service
  (Windows only)
* CVE-2017-7767 (bmo#1336964)
  Privilege escalation and arbitrary file overwrites through Mozilla
  Windows Updater and Mozilla Maintenance Service (Windows only)
* CVE-2017-7768 (bmo#1336979)
  32 byte arbitrary file read through Mozilla Maintenance Service
  (Windows only)
* CVE-2017-5470
  Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

- remove -fno-inline-small-functions and explicitly optimize with
  -O2 for openSUSE &gt; 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5
* Implemented domain name constraints for CA: TUBITAK Kamu SM SSL
  Kok Sertifikasi - Surum 1. (bmo#1350859)
* March 2017 batch of root CA changes (bmo#1350859) (version 2.14)
  CA certificates removed:
    O = Japanese Government, OU = ApplicationCA
    CN = WellsSecure Public Root Certificate Authority
    CN = TURKTRUST Elektronik Sertifika Hizmet H6
    CN = Microsec e-Szigno Root
  CA certificates added:
    CN = D-TRUST Root CA 3 2013
    CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
    
java-1_8_0-openjdk was rebuilt against NSS 3.28.5 to satisfy a runtime dependency.
</description>
  <summary>Security update for Mozilla based packages</summary>
</patchinfo>
