Bug 963520 - VUL-0: MozillaFirefox 44 / 38.6.0 security release
Status: RESOLVED MOVED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Critical
Assigned To: Security Team bot
maint:released:sle10-sp3:62467
Blocks: CVE-2016-1930 CVE-2016-1931 CVE-2016-1933 CVE-2016-1935 CVE-2015-7208 CVE-2016-1940 CVE-2016-1937 CVE-2016-1941 CVE-2016-1942 CVE-2016-1944 CVE-2016-1947 CVE-2016-1948 CVE-2016-1938
Reported: 2016-01-25 23:56 UTC by Petr Cerny
Modified: 2019-02-19 07:18 UTC
Description Petr Cerny 2016-01-25 23:56:23 UTC
Planned release date is 2016-01-26

Firefox/Thunderbird/XULRunner 44
Firefox/Thunderbird/XULRunner 38.6.0 ESR

Possibly also Seamonkey 2.40 (based on Gecko 43).
Seamonkey 2.41 (based on Gecko 44) might follow soon.
Comment 1 Wolfgang Rosenauer 2016-01-26 06:25:03 UTC
Mozilla software version on branch mozilla-release: 44.0
NSPR (portable runtime) version: NSPR_4_11_RTM
NSS (security library) version: NSS_3_21_RTM
CKBI (builtin trust) version: 2.6

NSPR and NSS need updates.
Comment 2 Wolfgang Rosenauer 2016-01-26 06:28:19 UTC
Not sure what to do with Seamonkey 2.40. It has been tagged upstream but not released yet. I have a package ready (unpublished) but held it back so far.
Comment 3 Petr Cerny 2016-01-26 15:10:37 UTC
(In reply to Wolfgang Rosenauer from comment #2)
> Not sure what to do with Seamonkey 2.40. It has been tagged upstream but not
> released yet. I have a package ready (unpublished) but held it back so far.

I'd say let's release it if it builds. AFAIU it is held back because of build problems (haven't queried about that any further so I'm not even sure whether it is on Linux or Windows).
Comment 4 Andreas Stieger 2016-01-26 17:59:42 UTC
Public at https://www.mozilla.org/en-US/security/advisories/
making sub-issues now.
Comment 5 Andreas Stieger 2016-01-26 18:30:25 UTC
Split into separate bugs.

Items affecting ESR in SLE:

bug 963632 CVE-2016-1930: MozillaFirefox: Memory safety bugs fixed in Firefox ESR 38.6 and Firefox 44
bug 963635 CVE-2016-1935: MozillaFirefox: Buffer overflow in WebGL after out of memory allocation
Comment 6 Bernhard Wiedemann 2016-01-26 23:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/356135 Factory / MozillaFirefox
https://build.opensuse.org/request/show/356136 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/356137 13.2 / MozillaFirefox
https://build.opensuse.org/request/show/356138 13.1 / MozillaFirefox
Comment 7 Bernhard Wiedemann 2016-01-27 07:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/356181 Factory / xulrunner
https://build.opensuse.org/request/show/356182 42.1 / xulrunner
Comment 12 Swamp Workflow Management 2016-02-04 18:12:25 UTC
SUSE-SU-2016:0334-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 954447,963520,963632,963635,963731
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Server 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, MozillaFirefox-branding-SLED-38-18.24, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-38.6.0esr-31.3, mozilla-nss-3.20.2-25.2
Comment 13 Swamp Workflow Management 2016-02-04 18:16:29 UTC
SUSE-SU-2016:0338-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 954447,963520,963632,963635,963731,964332
CVE References: CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-38.6.0esr-57.3, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-38.6.0esr-57.3, MozillaFirefox-branding-SLE-31.0-20.1, mozilla-nss-3.20.2-37.1
Comment 14 Bernhard Wiedemann 2016-02-15 09:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (963520) was mentioned in
https://build.opensuse.org/request/show/359408 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/359409 42.1 / MozillaThunderbird
https://build.opensuse.org/request/show/359410 13.2 / MozillaThunderbird
https://build.opensuse.org/request/show/359411 13.1 / MozillaThunderbird
Comment 15 Swamp Workflow Management 2016-02-17 11:11:28 UTC
openSUSE-SU-2016:0488-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963520
CVE References: CVE-2015-7575,CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE 13.1 (src):    MozillaThunderbird-38.6.0-70.74.1
Comment 16 Swamp Workflow Management 2016-02-17 11:14:42 UTC
openSUSE-SU-2016:0492-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 963520,963632,963635
CVE References: CVE-2016-1930,CVE-2016-1935
Sources used:
openSUSE Leap 42.1 (src):    MozillaThunderbird-38.6.0-10.1
openSUSE 13.2 (src):    MozillaThunderbird-38.6.0-37.1
Comment 17 Swamp Workflow Management 2016-02-25 19:13:41 UTC
SUSE-SU-2016:0584-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 954447,959888,963520,963632,963635,963731,967087
CVE References: CVE-2015-7575,CVE-2016-1523,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    MozillaFirefox-38.6.1esr-33.1, MozillaFirefox-branding-SLED-38-15.58, mozilla-nss-3.20.2-17.5
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    MozillaFirefox-38.6.1esr-33.1, mozilla-nss-3.20.2-17.5