Bugzilla – Bug 963520
VUL-0: MozillaFirefox 44 / 38.6.0 security release
Last modified: 2019-02-19 07:18:10 UTC

Planned release date is 2016-01-26
Firefox/Thunderbird/XULRunner 44
Firefox/Thunderbird/XULRunner 38.6.0 ESR
Possibly also Seamonkey 2.40 (based on Gecko 43). Seamonkey 2.41 (based on Gecko 44) might follow soon.

Mozilla software version on branch mozilla-release: 44.0
NSPR (portable runtime) version: NSPR_4_11_RTM
NSS (security library) version: NSS_3_21_RTM
CKBI (builtin trust) version: 2.6
NSPR and NSS need updates.

Not sure what to do with Seamonkey 2.40. It has been tagged upstream but not released yet. I have a package ready (unpublished) but held it back so far.

(In reply to Wolfgang Rosenauer from comment #2)
> Not sure what to do with Seamonkey 2.40. It has been tagged upstream but not
> released yet. I have a package ready (unpublished) but held it back so far.

I'd say let's release it if it builds. AFAIU it is held back because of build problems (haven't queried about that any further so I'm not even sure whether it is on Linux or Windows).

Public at https://www.mozilla.org/en-US/security/advisories/
making sub-issues now.

Split into separate bugs.
Items affecting ESR in SLE:
bug 963632 CVE-2016-1930: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 38.6 and Firefox 44
bug 963635 CVE-2016-1935: MozillaFirefox: Buffer overflow in WebGL after out of memory allocation


This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/356135 Factory / MozillaFirefox
https://build.opensuse.org/request/show/356136 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/356137 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/356138 13.1 / MozillaFirefox

This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/356181 Factory / xulrunner
https://build.opensuse.org/request/show/356182 42.1 / xulrunner


SUSE-SU-2016:0334-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 954447,963520,963632,963635,963731
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP3 (src): MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP4 (src): MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP3 (src): MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2

SUSE-SU-2016:0338-1: An update that solves three vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 954447,963520,963632,963635,963731,964332
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Software Development Kit 12 (src): MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12-SP1 (src): MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12 (src): MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12-SP1 (src): MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12 (src): MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1


This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/359408 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/359409 42.1 / MozillaThunderbird
https://build.opensuse.org/request/show/359410 13.2 / MozillaThunderbird
https://build.opensuse.org/request/show/359411 13.1 / MozillaThunderbird


openSUSE-SU-2016:0488-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 963520
CVE References: CVE-2015-7575,CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE 13.1 (src): MozillaThunderbird-38.6.0-70.74.1

openSUSE-SU-2016:0492-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 963520,963632,963635
CVE References: CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE Leap 42.1 (src): MozillaThunderbird-38.6.0-10.1
openSUSE 13.2 (src): MozillaThunderbird-38.6.0-37.1

SUSE-SU-2016:0584-1: An update that solves 5 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 954447,959888,963520,963632,963635,963731,967087
CVE References: CVE-2015-7575,CVE-2016-1523,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): MozillaFirefox-38.6.1esr-33.1, MozillaFirefox-branding-SLED-38-15.58, mozilla-nss-3.20.2-17.5
SUSE Linux Enterprise Debuginfo 11-SP2 (src): MozillaFirefox-38.6.1esr-33.1, mozilla-nss-3.20.2-17.5