Bug 750044

Summary: VUL-0: MozillaFirefox 11 / 10.0.3esr etc
Product: [openSUSE] openSUSE 12.1 Reporter: Wolfgang Rosenauer <wolfgang>
Component: FirefoxAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: meissner, pcerny, security-team
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp1:46216
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Rosenauer 2012-03-02 09:06:27 UTC 
Opening tracking bug for next Mozilla update round.

Upstream release planned for March, 13th. That's publically known. This bug is closed for now in case we post security related details here.

Scheduled versions and update targets (please verify):

Firefox 11        -> all openSUSE
Firefox 10.0.3esr -> SLE?
XulRunner 11      -> openSUSE 12.1
Thunderbird 11    -> openSUSE 12.1
Seamonkey 2.8     -> all openSUSE , Evergreen

# likely last versions
Firefox 3.6.28     -> Evergreen
mozilla-xulrunner192 1.9.2.28 -> all openSUSE , Evergreen
Thunderbird 3.1.20 -> Evergreen , openSUSE 11.4 (wondering if we should do the 
        switch to Thunderbird 11 in that round or only when absolutely needed)

For security reasons (i.e. Trustwave MITM certs) this round requires an NSS update to 3.13.3 which itself requires NSPR 4.9.0 which means

mozilla-nspr 4.9.0 -> everywhere
mozilla-nss 3.13.3 -> everywhere
Comment 1 Petr Cerny 2012-03-02 14:04:36 UTC 
(In reply to comment #0)
> Firefox 10.0.3esr -> SLE?

Yes, we already are using the ESR repos for SLE11. SLE10 will follow soon (not sure whether with this update or the next one, which will also be the EOL for 3.6).
Comment 2 Wolfgang Rosenauer 2012-03-11 21:17:00 UTC 
Releases might get delayed a bit upstream to avoid a possible chemspill release.

Another package I forgot in the update list:
chmsee
(Update is prepared already)
Comment 3 Wolfgang Rosenauer 2012-03-14 07:12:28 UTC 
*** Bug 752168 has been marked as a duplicate of this bug. ***
Comment 4 Marcus Meissner 2012-03-14 07:14:29 UTC 
MFSA 2012-19:
Mozilla developers identified and fixed several memory safety bugs in the
browser engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances, and we
presume that with enough effort at least some of these could be exploited to
run arbitrary code.

In general these flaws cannot be exploited through email in the Thunderbird and
SeaMonkey products because scripting is disabled, but are potentially a risk in
browser or browser-like contexts in those products.
References

Bob Clary reported two bugs that causes crashes that affected Firefox 3.6,
Firefox ESR, and Firefox 10.
CVE-2012-0461

Christian Holler, Jesse Ruderman, Nils, Michael Bebenita, Dindog, and David
Anderson reported memory safety problems and crashes that affect Firefox ESR
and Firefox 10.
CVE-2012-0462

Jeff Walden reported a memory safety problem in the array.join function. This
bug was independently reported by Vincenzo Iozzo via TippingPoint's Zero Day
Initiative Pwn2Own contest.
CVE-2012-0464

Masayuki Nakano reported a memory safety problem that affected Mobile Firefox
10.
CVE-2012-0463


MFSA 2012-18 / CVE-2012-0460: Mozilla developer Matt Brubeck reported that
window.fullScreen is writeable by untrusted content now that the DOM fullscreen
API is enabled. Because window.fullScreen does not include
mozRequestFullscreen's security protections, it could be used for UI spoofing.
This code change makes window.fullScreen read only by untrusted content,
forcing the use of the DOM fullscreen API in normal usage.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.


MFSA 2012-17 / CVE-2012-0459: Mozilla community member Daniel Glazman of
Disruptive Innovations reported a crash when accessing a keyframe's cssText
after dynamic modification. This crash may be potentially exploitable.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.


MFSA 2012-16 / CVE-2012-0458: Security researcher Mariusz Mlynski reported that
an attacker able to convince a potential victim to set a new home page by
dragging a link to the "home" button can set that user's home page to a
javascript: URL. Once this is done the attacker's page can cause repeated
crashes of the browser, eventually getting the script URL loaded in the
privileged about:sessionrestore context.


MFSA 2012-15 / CVE-2012-0451: Security Researcher Mike Brooks of Sitewatch
reported that if multiple Content Security Policy (CSP) headers are present on
a page, they have an additive effect page policy. Using carriage return line
feed (CRLF) injection, a new CSP rule can be introduced which allows for
cross-site scripting (XSS) on sites with a separate header injection
vulnerability.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.


MFSA 2012-14 / CVE-2012-0457 / CVE-2012-0456: Security researcher Atte Kettunen
from OUSPG found two issues with Firefox's handling of SVG using the Address
Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG
animation that could potentially lead to arbitrary code execution. The second
issue is rated moderate and is an out of bounds read in SVG Filters. This could
potentially incorporate data from the user's memory, making it accessible to
the page content.


MFSA 2012-13 / CVE-2012-0455: Firefox prevents the dropping of javascript:
links onto a frame to prevent malicious sites from tricking users into
performing a cross-site scripting (XSS) attacks on themselves. Security
researcher Soroush Dalili reported a way to bypass this protection.


MFSA 2012-12 / CVE-2012-0454: Security researchers Blair Strang and Scott Bell
of Security Assessment found that when a parent window spawns and closes a
child window that uses the file open dialog, a crash can be induced in
shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially
exploitable.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.
Comment 5 Bernhard Wiedemann 2012-03-14 08:00:38 UTC 
This is an autogenerated message for OBS integration:
This bug (750044) was mentioned in
https://build.opensuse.org/request/show/109200 11.4 / mozilla-nspr
https://build.opensuse.org/request/show/109201 12.1 / mozilla-nspr
https://build.opensuse.org/request/show/109204 11.4 / mozilla-nss
https://build.opensuse.org/request/show/109205 12.1 / mozilla-nss
https://build.opensuse.org/request/show/109206 11.4 / MozillaFirefox
https://build.opensuse.org/request/show/109207 12.1 / MozillaFirefox
https://build.opensuse.org/request/show/109208 Factory / MozillaFirefox
https://build.opensuse.org/request/show/109210 Evergreen:11.1 / mozilla-xulrunner192
https://build.opensuse.org/request/show/109211 Evergreen:11.2 / mozilla-xulrunner192
https://build.opensuse.org/request/show/109213 11.4 / mozilla-xulrunner192
https://build.opensuse.org/request/show/109214 12.1 / mozilla-xulrunner192
https://build.opensuse.org/request/show/109215 Evergreen:11.1 / MozillaFirefox
https://build.opensuse.org/request/show/109216 Evergreen:11.2 / MozillaFirefox
https://build.opensuse.org/request/show/109218 Evergreen:11.1 / MozillaThunderbird
https://build.opensuse.org/request/show/109219 Evergreen:11.2 / MozillaThunderbird
https://build.opensuse.org/request/show/109220 11.4 / MozillaThunderbird
https://build.opensuse.org/request/show/109221 12.1 / MozillaThunderbird
https://build.opensuse.org/request/show/109222 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/109223 Evergreen:11.2 / seamonkey
https://build.opensuse.org/request/show/109224 11.4 / seamonkey
https://build.opensuse.org/request/show/109225 12.1 / seamonkey
https://build.opensuse.org/request/show/109226 Factory / seamonkey
https://build.opensuse.org/request/show/109227 12.1 / chmsee
Comment 6 Wolfgang Rosenauer 2012-03-14 08:31:46 UTC 
I think I submitted everything needed for openSUSE.
Comment 7 Bernhard Wiedemann 2012-03-14 09:00:11 UTC 
This is an autogenerated message for OBS integration:
This bug (750044) was mentioned in
https://build.opensuse.org/request/show/109235 12.1 / xulrunner
https://build.opensuse.org/request/show/109236 Factory / xulrunner
Comment 8 Bernhard Wiedemann 2012-03-14 17:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (750044) was mentioned in
https://build.opensuse.org/request/show/109317 Evergreen:11.1 / mozilla-xulrunner192
https://build.opensuse.org/request/show/109318 Evergreen:11.1 / MozillaFirefox
https://build.opensuse.org/request/show/109319 Evergreen:11.1 / MozillaThunderbird
Comment 9 Swamp Workflow Management 2012-03-14 23:00:07 UTC 
bugbot adjusting priority
Comment 11 Bernhard Wiedemann 2012-03-16 18:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (750044) was mentioned in
https://build.opensuse.org/request/show/109618 Evergreen:11.2 / MozillaFirefox
https://build.opensuse.org/request/show/109619 Evergreen:11.2 / MozillaThunderbird
https://build.opensuse.org/request/show/109620 Evergreen:11.2 / mozilla-xulrunner192
Comment 12 Bernhard Wiedemann 2012-03-19 06:00:10 UTC 
This is an autogenerated message for OBS integration:
This bug (750044) was mentioned in
https://build.opensuse.org/request/show/109900 Evergreen:11.2 / seamonkey
Comment 15 Swamp Workflow Management 2012-03-27 08:09:47 UTC 
openSUSE-SU-2012:0417-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 745303,746591,747320,749440,750044,750673
CVE References: CVE-2011-3658,CVE-2012-0451,CVE-2012-0455,CVE-2012-0456,CVE-2012-0457,CVE-2012-0458,CVE-2012-0459,CVE-2012-0460,CVE-2012-0461,CVE-2012-0462,CVE-2012-0463,CVE-2012-0464
Sources used:
openSUSE 12.1 (src):    MozillaFirefox-11.0-2.23.1, MozillaThunderbird-11.0-33.14.1, chmsee-1.99.08-2.15.2, mozilla-nspr-4.9.0-3.3.1, mozilla-nss-3.13.3-9.13.1, mozilla-xulrunner192-1.9.2.28-2.12.2, seamonkey-2.8-2.15.1, xulrunner-11.0-2.23.1
openSUSE 11.4 (src):    MozillaFirefox-11.0-0.15.2, MozillaThunderbird-3.1.20-0.15.4, mozilla-nspr-4.9.0-0.13.1, mozilla-nss-3.13.3-0.41.2, mozilla-xulrunner192-1.9.2.28-0.22.2, seamonkey-2.8-0.15.1

Product List: openSUSE 12.1
openSUSE 11.4
Comment 16 Swamp Workflow Management 2012-03-28 15:43:19 UTC 
Update released for: MozillaFirefox, MozillaFirefox-branding-upstream, MozillaFirefox-debuginfo, MozillaFirefox-debugsource, MozillaFirefox-devel, MozillaFirefox-translations, libfreebl3, libfreebl3-32bit, libfreebl3-x86, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debuginfo-x86, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 17 Swamp Workflow Management 2012-03-28 19:08:49 UTC 
SUSE-SU-2012:0424-1: An update that fixes 12 vulnerabilities is now available.

Category: security (critical)
Bug References: 745017,750044
CVE References: CVE-2012-0451,CVE-2012-0454,CVE-2012-0455,CVE-2012-0456,CVE-2012-0457,CVE-2012-0458,CVE-2012-0459,CVE-2012-0460,CVE-2012-0461,CVE-2012-0462,CVE-2012-0463,CVE-2012-0464
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Software Development Kit 11 SP1 (src):    mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Server 11 SP2 (src):    MozillaFirefox-10.0.3-0.7.1, mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Server 11 SP1 for VMware (src):    MozillaFirefox-10.0.3-0.7.1, mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Server 11 SP1 (src):    MozillaFirefox-10.0.3-0.7.1, mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    MozillaFirefox-10.0.3-0.7.1, mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1
SUSE Linux Enterprise Desktop 11 SP1 (src):    MozillaFirefox-10.0.3-0.7.1, mozilla-nspr-4.9.0-0.3.1, mozilla-nss-3.13.3-0.2.1

Product List: SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Linux Enterprise Software Development Kit 11 SP1
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP1 for VMware
SUSE Linux Enterprise Server 11 SP1
SUSE Linux Enterprise Desktop 11 SP2
SUSE Linux Enterprise Desktop 11 SP1
Comment 18 Marcus Meissner 2012-03-28 20:52:43 UTC 
released
Comment 19 Swamp Workflow Management 2012-04-27 13:10:36 UTC 
openSUSE-SU-2012:0567-1: An update that fixes 38 vulnerabilities is now available.

Category: security (moderate)
Bug References: 712224,714931,720264,726758,728520,732898,733002,744275,746616,747328,749440,750044,755060,758408
CVE References: CVE-2011-1187,CVE-2011-2985,CVE-2011-2986,CVE-2011-2987,CVE-2011-2988,CVE-2011-2989,CVE-2011-2991,CVE-2011-2992,CVE-2011-3005,CVE-2011-3062,CVE-2011-3232,CVE-2011-3651,CVE-2011-3652,CVE-2011-3654,CVE-2011-3655,CVE-2011-3658,CVE-2011-3660,CVE-2011-3661,CVE-2011-3663,CVE-2012-0445,CVE-2012-0446,CVE-2012-0447,CVE-2012-0451,CVE-2012-0452,CVE-2012-0459,CVE-2012-0460,CVE-2012-0467,CVE-2012-0468,CVE-2012-0469,CVE-2012-0470,CVE-2012-0471,CVE-2012-0472,CVE-2012-0473,CVE-2012-0474,CVE-2012-0475,CVE-2012-0477,CVE-2012-0478,CVE-2012-0479
Sources used:
openSUSE 12.1 (src):    MozillaFirefox-12.0-2.26.1, MozillaThunderbird-12.0-33.20.1, seamonkey-2.9-2.18.1, xulrunner-12.0-2.26.1
openSUSE 11.4 (src):    MozillaFirefox-12.0-18.1, MozillaThunderbird-12.0-18.1, seamonkey-2.9-18.1
Comment 20 Swamp Workflow Management 2014-09-09 16:17:43 UTC 
openSUSE-SU-2014:1100-1: An update that fixes 475 vulnerabilities is now available.

Category: security (important)
Bug References: 104586,354469,385739,390992,417869,41903,429179,439841,441084,455804,484321,503151,518603,527418,528406,529180,542809,559819,576969,582276,586567,593807,603356,622506,637303,642502,645315,649492,657016,664211,667155,689281,701296,712224,714931,720264,726758,728520,732898,733002,737533,744275,746616,747328,749440,750044,755060,758408,765204,771583,777588,783533,786522,790140,796895,804248,808243,813026,819204,825935,833389,840485,847708,854370,861847,868603,875378,876833,881874,887746,894201,894370
CVE References: CVE-2007-3089,CVE-2007-3285,CVE-2007-3656,CVE-2007-3670,CVE-2007-3734,CVE-2007-3735,CVE-2007-3736,CVE-2007-3737,CVE-2007-3738,CVE-2008-0016,CVE-2008-1233,CVE-2008-1234,CVE-2008-1235,CVE-2008-1236,CVE-2008-1237,CVE-2008-3835,CVE-2008-4058,CVE-2008-4059,CVE-2008-4060,CVE-2008-4061,CVE-2008-4062,CVE-2008-4063,CVE-2008-4064,CVE-2008-4065,CVE-2008-4066,CVE-2008-4067,CVE-2008-4068,CVE-2008-4070,CVE-2008-5012,CVE-2008-5014,CVE-2008-5016,CVE-2008-5017,CVE-2008-5018,CVE-2008-5021,CVE-2008-5022,CVE-2008-5024,CVE-2008-5500,CVE-2008-5501,CVE-2008-5502,CVE-2008-5503,CVE-2008-5506,CVE-2008-5507,CVE-2008-5508,CVE-2008-5510,CVE-2008-5511,CVE-2008-5512,CVE-2009-0040,CVE-2009-0771,CVE-2009-0772,CVE-2009-0773,CVE-2009-0774,CVE-2009-0776,CVE-2009-1571,CVE-2009-3555,CVE-2010-0159,CVE-2010-0173,CVE-2010-0174,CVE-2010-0175,CVE-2010-0176,CVE-2010-0182,CVE-2010-0654,CVE-2010-1121,CVE-2010-1196,CVE-2010-1199,CVE-2010-1200,CVE-2010-1201,CVE-2010-1202,CVE-2010-1203,CVE-2010-1205,CVE-2010-1211,CVE-2010-1212,CVE-2010-1213,CVE-2010-1585,CVE-2010-2752,CVE-2010-2753,CVE-2010-2754,CVE-2010-2760,CVE-2010-2762,CVE-2010-2764,CVE-2010-2765,CVE-2010-2766,CVE-2010-2767,CVE-2010-2768,CVE-2010-2769,CVE-2010-3166,CVE-2010-3167,CVE-2010-3168,CVE-2010-3169,CVE-2010-3170,CVE-2010-3173,CVE-2010-3174,CVE-2010-3175,CVE-2010-3176,CVE-2010-3178,CVE-2010-3179,CVE-2010-3180,CVE-2010-3182,CVE-2010-3183,CVE-2010-3765,CVE-2010-3768,CVE-2010-3769,CVE-2010-3776,CVE-2010-3777,CVE-2010-3778,CVE-2011-0053,CVE-2011-0061,CVE-2011-0062,CVE-2011-0069,CVE-2011-0070,CVE-2011-0072,CVE-2011-0074,CVE-2011-0075,CVE-2011-0077,CVE-2011-0078,CVE-2011-0080,CVE-2011-0081,CVE-2011-0083,CVE-2011-0084,CVE-2011-0085,CVE-2011-1187,CVE-2011-2362,CVE-2011-2363,CVE-2011-2364,CVE-2011-2365,CVE-2011-2371,CVE-2011-2372,CVE-2011-2373,CVE-2011-2374,CVE-2011-2376,CVE-2011-2377,CVE-2011-2985,CVE-2011-2986,CVE-2011-2987,CVE-2011-2988,CVE-2011-2989,CVE-2011-2991,CVE-2011-2992,CVE-2011-3000,CVE-2011-3001,CVE-2011-3005,CVE-2011-3026,CVE-2011-3062,CVE-2011-3101,CVE-2011-3232,CVE-2011-3648,CVE-2011-3650,CVE-2011-3651,CVE-2011-3652,CVE-2011-3654,CVE-2011-3655,CVE-2011-3658,CVE-2011-3659,CVE-2011-3660,CVE-2011-3661,CVE-2011-3663,CVE-2012-0441,CVE-2012-0442,CVE-2012-0443,CVE-2012-0444,CVE-2012-0445,CVE-2012-0446,CVE-2012-0447,CVE-2012-0449,CVE-2012-0451,CVE-2012-0452,CVE-2012-0455,CVE-2012-0456,CVE-2012-0457,CVE-2012-0458,CVE-2012-0459,CVE-2012-0460,CVE-2012-0461,CVE-2012-0462,CVE-2012-0463,CVE-2012-0464,CVE-2012-0467,CVE-2012-0468,CVE-2012-0469,CVE-2012-0470,CVE-2012-0471,CVE-2012-0472,CVE-2012-0473,CVE-2012-0474,CVE-2012-0475,CVE-2012-0477,CVE-2012-0478,CVE-2012-0479,CVE-2012-0759,CVE-2012-1937,CVE-2012-1938,CVE-2012-1940,CVE-2012-1941,CVE-2012-1944,CVE-2012-1945,CVE-2012-1946,CVE-2012-1947,CVE-2012-1948,CVE-2012-1949,CVE-2012-1951,CVE-2012-1952,CVE-2012-1953,CVE-2012-1954,CVE-2012-1955,CVE-2012-1956,CVE-2012-1957,CVE-2012-1958,CVE-2012-1959,CVE-2012-1960,CVE-2012-1961,CVE-2012-1962,CVE-2012-1963,CVE-2012-1967,CVE-2012-1970,CVE-2012-1972,CVE-2012-1973,CVE-2012-1974,CVE-2012-1975,CVE-2012-1976,CVE-2012-3956,CVE-2012-3957,CVE-2012-3958,CVE-2012-3959,CVE-2012-3960,CVE-2012-3961,CVE-2012-3962,CVE-2012-3963,CVE-2012-3964,CVE-2012-3966,CVE-2012-3967,CVE-2012-3968,CVE-2012-3969,CVE-2012-3970,CVE-2012-3971,CVE-2012-3972,CVE-2012-3975,CVE-2012-3978,CVE-2012-3980,CVE-2012-3982,CVE-2012-3983,CVE-2012-3984,CVE-2012-3985,CVE-2012-3986,CVE-2012-3988,CVE-2012-3989,CVE-2012-3990,CVE-2012-3991,CVE-2012-3992,CVE-2012-3993,CVE-2012-3994,CVE-2012-3995,CVE-2012-4179,CVE-2012-4180,CVE-2012-4181,CVE-2012-4182,CVE-2012-4183,CVE-2012-4184,CVE-2012-4185,CVE-2012-4186,CVE-2012-4187,CVE-2012-4188,CVE-2012-4191,CVE-2012-4192,CVE-2012-4193,CVE-2012-4194,CVE-2012-4195,CVE-2012-4196,CVE-2012-4201,CVE-2012-4202,CVE-2012-4204,CVE-2012-4205,CVE-2012-4207,CVE-2012-4208,CVE-2012-4209,CVE-2012-4212,CVE-2012-4213,CVE-2012-4214,CVE-2012-4215,CVE-2012-4216,CVE-2012-4217,CVE-2012-4218,CVE-2012-5829,CVE-2012-5830,CVE-2012-5833,CVE-2012-5835,CVE-2012-5836,CVE-2012-5837,CVE-2012-5838,CVE-2012-5839,CVE-2012-5840,CVE-2012-5841,CVE-2012-5842,CVE-2012-5843,CVE-2013-0743,CVE-2013-0744,CVE-2013-0745,CVE-2013-0746,CVE-2013-0747,CVE-2013-0748,CVE-2013-0749,CVE-2013-0750,CVE-2013-0752,CVE-2013-0753,CVE-2013-0754,CVE-2013-0755,CVE-2013-0756,CVE-2013-0757,CVE-2013-0758,CVE-2013-0760,CVE-2013-0761,CVE-2013-0762,CVE-2013-0763,CVE-2013-0764,CVE-2013-0766,CVE-2013-0767,CVE-2013-0768,CVE-2013-0769,CVE-2013-0770,CVE-2013-0771,CVE-2013-0773,CVE-2013-0774,CVE-2013-0775,CVE-2013-0776,CVE-2013-0780,CVE-2013-0782,CVE-2013-0783,CVE-2013-0787,CVE-2013-0788,CVE-2013-0789,CVE-2013-0793,CVE-2013-0795,CVE-2013-0796,CVE-2013-0800,CVE-2013-0801,CVE-2013-1669,CVE-2013-1670,CVE-2013-1674,CVE-2013-1675,CVE-2013-1676,CVE-2013-1677,CVE-2013-1678,CVE-2013-1679,CVE-2013-1680,CVE-2013-1681,CVE-2013-1682,CVE-2013-1684,CVE-2013-1685,CVE-2013-1686,CVE-2013-1687,CVE-2013-1690,CVE-2013-1692,CVE-2013-1693,CVE-2013-1694,CVE-2013-1697,CVE-2013-1701,CVE-2013-1709,CVE-2013-1710,CVE-2013-1713,CVE-2013-1714,CVE-2013-1717,CVE-2013-1718,CVE-2013-1719,CVE-2013-1720,CVE-2013-1722,CVE-2013-1723,CVE-2013-1724,CVE-2013-1725,CVE-2013-1728,CVE-2013-1730,CVE-2013-1732,CVE-2013-1735,CVE-2013-1736,CVE-2013-1737,CVE-2013-1738,CVE-2013-5590,CVE-2013-5591,CVE-2013-5592,CVE-2013-5593,CVE-2013-5595,CVE-2013-5596,CVE-2013-5597,CVE-2013-5599,CVE-2013-5600,CVE-2013-5601,CVE-2013-5602,CVE-2013-5603,CVE-2013-5604,CVE-2013-5609,CVE-2013-5610,CVE-2013-5611,CVE-2013-5612,CVE-2013-5613,CVE-2013-5614,CVE-2013-5615,CVE-2013-5616,CVE-2013-5618,CVE-2013-5619,CVE-2013-6629,CVE-2013-6630,CVE-2013-6671,CVE-2013-6672,CVE-2013-6673,CVE-2014-1477,CVE-2014-1478,CVE-2014-1479,CVE-2014-1480,CVE-2014-1481,CVE-2014-1482,CVE-2014-1483,CVE-2014-1484,CVE-2014-1485,CVE-2014-1486,CVE-2014-1487,CVE-2014-1488,CVE-2014-1489,CVE-2014-1490,CVE-2014-1491,CVE-2014-1492,CVE-2014-1493,CVE-2014-1494,CVE-2014-1497,CVE-2014-1498,CVE-2014-1499,CVE-2014-1500,CVE-2014-1502,CVE-2014-1504,CVE-2014-1505,CVE-2014-1508,CVE-2014-1509,CVE-2014-1510,CVE-2014-1511,CVE-2014-1512,CVE-2014-1513,CVE-2014-1514,CVE-2014-1518,CVE-2014-1519,CVE-2014-1522,CVE-2014-1523,CVE-2014-1524,CVE-2014-1525,CVE-2014-1526,CVE-2014-1528,CVE-2014-1529,CVE-2014-1530,CVE-2014-1531,CVE-2014-1532,CVE-2014-1533,CVE-2014-1534,CVE-2014-1536,CVE-2014-1537,CVE-2014-1538,CVE-2014-1539,CVE-2014-1540,CVE-2014-1541,CVE-2014-1542,CVE-2014-1543,CVE-2014-1544,CVE-2014-1545,CVE-2014-1547,CVE-2014-1548,CVE-2014-1549,CVE-2014-1550,CVE-2014-1552,CVE-2014-1553,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557,CVE-2014-1558,CVE-2014-1559,CVE-2014-1560,CVE-2014-1561,CVE-2014-1562,CVE-2014-1563,CVE-2014-1564,CVE-2014-1565,CVE-2014-1567
Sources used:
openSUSE 11.4 (src):    MozillaFirefox-24.8.0-127.1, mozilla-nss-3.16.4-94.1