Lumension® Endpoint Intelligence Center


Overview

Id SUSE-2012:6951
Name Novell SUSE 2012:6951 firefox-201210 security update for SLE 11 SP2 i586
Vendor Name novell
Product None
Content Type Critical
Language(s)
Operating System(s) Linux 
Released On 15 Oct 2012 12:00:00


Url

http://www.novell.com/support/search.do?usemicrosite=true&searchString=9df8424f201589e4fca1abdc2e0b1023

Description

LSAC(v2)
MozillaFirefox was updated to the 10.0.9ESR security release which fixes bugs and security issues:

* MFSA 2012-73 / CVE-2012-3977: Security researchers Thai Duong and Juliano Rizzo reported that SPDY's request header compression leads to information leakage, which can allow the extraction of private data such as session cookies, even over an encrypted SSL connection. (This does not affect Firefox 10 as it does not feature the SPDY extension. It was silently fixed for Firefox 15.)

* MFSA 2012-74: Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
  * CVE-2012-3983: Henrik Skupin, Jesse Ruderman and moz_bug_r_a4 reported memory safety problems and crashes that affect Firefox 15.
  * CVE-2012-3982: Christian Holler and Jesse Ruderman reported memory safety problems and crashes that affect Firefox ESR 10 and Firefox 15.

* MFSA 2012-75 / CVE-2012-3984: Security researcher David Bloom of Cue discovered that "select" elements are always-on-top chromeless windows and that navigation away from a page with an active "select" menu does not remove this window. When another menu is opened programmatically on a new page, the original "select" menu can be retained and arbitrary HTML content within it rendered, allowing an attacker to cover arbitrary portions of the new page through absolute positioning/scrolling, leading to spoofing attacks. Security researcher Jordi Chancel found a variation that would allow for click-jacking attacks as well. In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
  References:
  * Navigation away from a page with an active "select" dropdown menu can be used for URL spoofing, other evil
  * Firefox 10.0.1 : Navigation away from a page with multiple active "select" dropdown menu can be used for Spoofing And ClickJacking with XPI using window.open and geolocalisation

* MFSA 2012-76 / CVE-2012-3985: Security researcher Collin Jackson reported a violation of the HTML5 specifications for document.domain behavior. Specified behavior requires pages to only have access to windows in a new document.domain but the observed violation allowed pages to retain access to windows from the page's initial origin in addition to the new document.domain. This could potentially lead to cross-site scripting (XSS) attacks.

* MFSA 2012-77 / CVE-2012-3986: Mozilla developer Johnny Stenback discovered that several methods of a feature used for testing (DOMWindowUtils) are not protected by existing security checks, allowing these methods to be called thr

Related Resources

Related Vulnerabilities

CVE-2012-3983   CVE-2012-3982   CVE-2012-3984   CVE-2012-3985   CVE-2012-3986   CVE-2012-3987   CVE-2012-3988   CVE-2012-3989   CVE-2012-3991   CVE-2012-3994   CVE-2012-3993   CVE-2012-4184   CVE-2012-3992   CVE-2012-3995   CVE-2012-4179   CVE-2012-4180   CVE-2012-4181   CVE-2012-4182   CVE-2012-4183   CVE-2012-4185   CVE-2012-4186   CVE-2012-4187   CVE-2012-4188   CVE-2012-3990   CVE-2012-4192   CVE-2012-4193  

Related Patches

Superseded Patches

None


Last Updated: 27 May 2016 11:15:19