Bug 8996

Summary: [Update Request] Update opera to 12.14 to fix several security problems
Product: Mageia
Reporter: Funda Wang <fundawang>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: anssi.hannula, davidwhodgins, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: mga2-64-ok mga2-32-ok
Source RPM: opera-12.14-1.mga2
CVE:
Status comment:

Description Funda Wang 2013-02-08 09:22:43 CET
Several security and usage problems have been found in recent Opera versions:

* DOM events manipulation might be used to execute arbitrary code
* Use of SVG clipPaths could allow execution of arbitrary code
* TLS response timings could indicate network contents
* CORS requests could omit the preflight request
* Re-occurring crash allowing users to update two or more extensions at one time

The opera package has been updated to the latest 12.14 to fix the above problems.

See here:
http://www.opera.com/docs/changelogs/unified/1213/
http://www.opera.com/docs/changelogs/unified/1214/

Comment 1 claire robinson 2013-02-08 10:14:37 CET
*** Bug 8993 has been marked as a duplicate of this bug. ***

CC: (none) => davidwhodgins

Comment 2 claire robinson 2013-02-08 10:19:10 CET
Could someone from the sysadmin team push the srpm
opera-12.14-1.mga2.nonfree.src.rpm
from Mageia 2 Nonfree Updates Testing to Nonfree Updates.

Better advisory:

===================
Opera 12.14 contains fixes to several security and stability issues found in
12.12 and earlier versions and contains other general fixes.

Fixed an issue where DOM events manipulation might be used to execute arbitrary
code, as reported by Arthur Gerkis. (kb 1042, high severity)

Fixed an issue where use of SVG clipPaths could allow execution of arbitrary
code, as reported by anonymous via the iSIGHT Partners GVP Program. (kb 1043,
high severity)

Fixed an issue where TLS response timings could indicate network contents, as
reported by Nadhem AlFardan and Kenny Paterson. (kb 1044, low severity)

Fixed an issue where CORS requests could omit the preflight request, as
reported by webpentest. (kb 1045, low severity)

For a complete list of changes including the non-security fixes, see the
referenced changelog pages.

http://www.opera.com/support/kb/view/1042/
http://www.opera.com/support/kb/view/1043/
http://www.opera.com/support/kb/view/1044/
http://www.opera.com/support/kb/view/1045/
http://www.opera.com/docs/changelogs/unified/1213/
http://www.opera.com/docs/changelogs/unified/1214/
====================

Keywords: (none) => validated_update
CC: (none) => anssi.hannula, sysadmin-bugs
Whiteboard: (none) => mga2-64-ok mga2-32-ok

Comment 3 Thomas Backlund 2013-02-08 16:04:18 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0043

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED