Hello community,

here is the log from the commit of package patchinfo.5638 for 
openSUSE:13.2:Update checked in at 2016-09-24 16:50:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/patchinfo.5638 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.patchinfo.5638.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "patchinfo.5638"

Changes:
--------
New Changes file:

NO CHANGES FILE!!!

New:
----
  _patchinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="5638">
  <issue id="999701" tracker="bnc">VUL-0: MozillaFirefox 49 / 45.4 security 
release "MFSA 2016-85" and "MFSA 2016-86"</issue>
  <issue id="2016-5279" tracker="cve" />
  <issue id="2016-2827" tracker="cve" />
  <issue id="2016-5278" tracker="cve" />
  <issue id="2016-5270" tracker="cve" />
  <issue id="2016-5284" tracker="cve" />
  <issue id="2016-5271" tracker="cve" />
  <issue id="2016-5280" tracker="cve" />
  <issue id="2016-5281" tracker="cve" />
  <issue id="2016-5282" tracker="cve" />
  <issue id="2016-5283" tracker="cve" />
  <issue id="2016-5257" tracker="cve" />
  <issue id="2016-5256" tracker="cve" />
  <issue id="2016-5273" tracker="cve" />
  <issue id="2016-5272" tracker="cve" />
  <issue id="2016-5275" tracker="cve" />
  <issue id="2016-5274" tracker="cve" />
  <issue id="2016-5277" tracker="cve" />
  <issue id="2016-5276" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>wrosenauer</packager>
  <description>
This update for MozillaFirefox and mozilla-nss fixes the following issues:

MozillaFirefox was updated to version 49.0 (boo#999701)
- New features
  * Updated Firefox Login Manager to allow HTTPS pages to use saved
    HTTP logins.
  * Added features to Reader Mode that make it easier on the eyes and
    the ears
  * Improved video performance for users on systems that support
    SSE3 without hardware acceleration
  * Added context menu controls to HTML5 audio and video that let users
    loops files or play files at 1.25x speed
  * Improvements in about:memory reports for tracking font memory usage
- Security related fixes
  * MFSA 2016-85
    CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
    mozilla::net::IsValidReferrerPolicy
    CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
    nsCaseTransformTextRunFactory::TransformString
    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
    PropertyProvider::GetSpacingInternal
    CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
    CVE-2016-5273 (bmo#1280387) - crash in
    mozilla::a11y::HyperTextAccessible::GetChildOffset
    CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
    mozilla::a11y::DocAccessible::ProcessInvalidationList
    CVE-2016-5274 (bmo#1282076) - use-after-free in
    nsFrameManager::CaptureFrameState
    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
    CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
    mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
    CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
    nsBMPEncoder::AddImageFrame
    CVE-2016-5279 (bmo#1249522) - Full local path of files is available
    to web pages after drag and drop
    CVE-2016-5280 (bmo#1289970) - Use-after-free in
    mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
    CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
    CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
    from non-whitelisted schemes
    CVE-2016-5283 (bmo#928187) - &lt;iframe src&gt; fragment timing attack can
    reveal cross-origin data
    CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
    CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
    CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
- requires NSS 3.25

- Mozilla Firefox 48.0.2:
  * Mitigate a startup crash issue caused on Windows (bmo#1291738)

mozilla-nss was updated to NSS 3.25.
  New functionality:
  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.
  * Several functions have been added to the public API of the
    NSS Cryptoki Framework.
  New functions:
  * NSSCKFWSlot_GetSlotID
  * NSSCKFWSession_GetFWSlot
  * NSSCKFWInstance_DestroySessionHandle
  * NSSCKFWInstance_FindSessionHandle
  Notable changes:
  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2
    OpenTrust Root CA G3
</description>
  <summary>Security update for MozillaFirefox, mozilla-nss</summary>
</patchinfo>
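
Review bot: The bnc issue title names both "MFSA 2016-85" and "MFSA 2016-86", but the description's "Security related fixes" list has a heading only for MFSA 2016-85. Either add an MFSA 2016-86 heading for the entries that also apply to Firefox ESR 45.4 (CVE-2016-5257 is described that way), or state that only the Firefox 49 advisory applies to this update. Separately, the "Mozilla Firefox 48.0.2" entry describes a startup crash "caused on Windows", which tells users of this update nothing and could be dropped. The mozilla-nss part lists only new functionality and notable changes, with no security fix or CVE tied to it, although the summary presents both packages as a security update. A sentence saying that NSS 3.25 is pulled in because Firefox 49 "requires NSS 3.25" would make that clear.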
