Bug 8996 - [Update Request] Update opera to 12.14 to fix several security problems
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: mga2-64-ok mga2-32-ok
Keywords: validated_update
Duplicates: 8993
Depends on:
Blocks:
 
Reported: 2013-02-08 09:22 CET by Funda Wang
Modified: 2013-02-08 16:04 CET

See Also:
Source RPM: opera-12.14-1.mga2
CVE:
Status comment:



Description Funda Wang 2013-02-08 09:22:43 CET
Several security and usage problems have been found in recent Opera versions:

* DOM events manipulation might be used to execute arbitrary code
* Use of SVG clipPaths could allow execution of arbitrary code
* TLS response timings could indicate network contents
* CORS requests could omit the preflight request
* Re-occurring crash allowing users to update two or more extensions at one time

The opera package has been updated to the latest 12.14 to fix the above problems.

See here:
http://www.opera.com/docs/changelogs/unified/1213/
http://www.opera.com/docs/changelogs/unified/1214/
Comment 1 claire robinson 2013-02-08 10:14:37 CET
*** Bug 8993 has been marked as a duplicate of this bug. ***

CC: (none) => davidwhodgins

Comment 2 claire robinson 2013-02-08 10:19:10 CET
Could someone from the sysadmin team push the srpm
opera-12.14-1.mga2.nonfree.src.rpm
from Mageia 2 Nonfree Updates Testing to Nonfree Updates.

Better advisory:

===================
Opera 12.14 contains fixes to several security and stability issues found in
12.12 and earlier versions and contains other general fixes.

Fixed an issue where DOM events manipulation might be used to execute arbitrary
code, as reported by Arthur Gerkis. (kb 1042, high severity)

Fixed an issue where use of SVG clipPaths could allow execution of arbitrary
code, as reported by anonymous via the iSIGHT Partners GVP Program. (kb 1043,
high severity)

Fixed an issue where TLS response timings could indicate network contents, as
reported by Nadhem AlFardan and Kenny Paterson. (kb 1044, low severity)

Fixed an issue where CORS requests could omit the preflight request, as
reported by webpentest. (kb 1045, low severity)

For a complete list of changes including the non-security fixes, see the
referenced changelog pages.

http://www.opera.com/support/kb/view/1042/
http://www.opera.com/support/kb/view/1043/
http://www.opera.com/support/kb/view/1044/
http://www.opera.com/support/kb/view/1045/
http://www.opera.com/docs/changelogs/unified/1213/
http://www.opera.com/docs/changelogs/unified/1214/
====================

Keywords: (none) => validated_update
CC: (none) => anssi.hannula, sysadmin-bugs
Whiteboard: (none) => mga2-64-ok mga2-32-ok

Comment 3 Thomas Backlund 2013-02-08 16:04:18 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0043

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

