Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Patches » SUSE-2014:9049

Overview

Id SUSE-2014:9049
Name Novell SUSE 2014:9049 firefox-201403 security update for SLE 11 SP3 x86_64
Vendor Name novell
Product Novell
Content Type Critical Critical
Language(s)
Operating System(s) Linux 
Released On 20 Mar 2014 12:00:00

SUSE-2014:9049

Novell SUSE 2014:9049 firefox-201403 security update for SLE 11 SP3 x86_64

Vendor Name

novell

Product

Novell

Released On

20 Mar 2014 12:00:00

Url

http://www.novell.com/support

Description

LSAC(v2)
Mozilla Firefox was updated to 24.4.0ESR release, fixing various security issues and bugs: * MFSA 2014-15: Mozilla developers and community identified identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. * Benoit Jacob, Olli Pettay, Jan Varga, Jan de Mooij, Jesse Ruderman, Dan Gohman, and Christoph Diehl reported memory safety problems and crashes that affect Firefox ESR 24.3 and Firefox 27. (CVE-2014-1493) * Gregor Wagner, Olli Pettay, Gary Kwong, Jesse Ruderman, Luke Wagner, Rob Fletcher, and Makoto Kato reported memory safety problems and crashes that affect Firefox 27. (CVE-2014-1494) * MFSA 2014-16 / CVE-2014-1496: Security researcher Ash reported an issue where the extracted files for updates to existing files are not read only during the update process. This allows for the potential replacement or modification of these files during the update process if a malicious application is present on the local system. * MFSA 2014-17 / CVE-2014-1497: Security researcher Atte Kettunen from OUSPG reported an out of bounds read during the decoding of WAV format audio files for playback. This could allow web content access to heap data as well as causing a crash. * MFSA 2014-18 / CVE-2014-1498: Mozilla developer David Keeler reported that the crypto.generateCRFMRequest method did not correctly validate the key type of the KeyParams argument when generating ec-dual-use requests. This could lead to a crash and a denial of service (DOS) attack. * MFSA 2014-19 / CVE-2014-1499: Mozilla developer Ehsan Akhgari reported a spoofing attack where the permission prompt for a WebRTC session can appear to be from a different site than its actual originating site if a timed navigation occurs during the prompt generation. This allows an attacker to potentially gain access to the webcam or microphone by masquerading as another site and gaining user permission through spoofing. * MFSA 2014-20 / CVE-2014-1500: Security researchers Tim Philipp Schaefers and Sebastian Neef, the team of Internetwache.org, reported a mechanism using JavaScript onbeforeunload events with page navigation to prevent users from closing a malicious page's tab and causing the browser to become unresponsive. This allows for a denial of service (DOS) attack due to resource consumption and blocks the ability of users to exit the application. * MFSA 2014-21 / CVE-2014-1501: Security researcher Alex Infuehr reported that on Firefox for Android it is possible to open links to local files from web content by selecting "Open Link in New Tab" from the context menu using the file: protocol. The web content would have to know the precise location of a malicious local file in order to exploit this issue. This issue does not affect Firefox on non-Android systems. * MFSA 2014-22 / CVE-2014-1502: Mozilla developer Jeff Gilbert discovered a mechanism where a malicious site wi

Related Resources

Related Vulnerabilities

None

Related Patches

Superseded Patches

None


Last Updated: 27 May 2016 11:18:37