openSUSE-SU-2015:0677

http://www.mozilla.org/security/announce/2015/mfsa2015-44.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1032030

USN-2557-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1148328

GLSA-201512-10

The remote host is affected by the vulnerability described in GLSA-201512-10 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox and       Mozilla Thunderbird. Please review the CVE identifiers referenced below       for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Versions of Mozilla Firefox earlier than 37.0.2 are affected by a use-after-free error, related to the AsyncPaintWaitEvent() method, due to a race condition caused when plugin initialization fails. A remote attacker, using a specially crafted web page, can exploit this flaw to execute arbitrary code or cause a denial of service.

Versions of Mozilla Firefox earlier than 37.0.1 are affected by an error related to the HTTP/2 'Alt-Svc' header and SSL certificate verification, which allows man-in-the-middle (MitM) attacks. Specifically, this affects the script 'modules/libpref/init/all.js' as certificates are not properly validated when handling an Alt-Svc header in an HTTP/2 response. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.

Mozilla Firefox and Thunderbird were updated to fix several important vulnerabilities.

Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to 31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency.

The following vulnerabilities were fixed in Mozilla Firefox :

  - Miscellaneous memory safety hazards (MFSA     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)

  - Use-after-free when using the Fluendo MP3 GStreamer     plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596     boo#925393)

  - Add-on lightweight theme installation approval bypassed     through MITM attack (MFSA 2015-32/CVE-2015-0812     bmo#1128126 boo#925394)

  - resource:// documents can load privileged pages (MFSA     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)

  - Out of bounds read in QCMS library     (MFSA-2015-34/CVE-2015-0811 bmo#1132468 boo#925396)

  - Incorrect memory management for simple-type arrays in     WebRTC (MFSA-2015-36/CVE-2015-0808 bmo#1109552     boo#925397)

  - CORS requests should not follow 30x redirections after     preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834     boo#925398)

  - Memory corruption crashes in Off Main Thread Compositing     (MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511     bmo#1099437 boo#925399)

  - Use-after-free due to type confusion flaws     (MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (mo#1134560     boo#925400)

  - Same-origin bypass through anchor navigation     (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401)

  - Windows can retain access to privileged content on     navigation to unprivileged pages     (MFSA-2015-42/CVE-2015-0802 bmo#1124898 boo#925402)

The following vulnerability was fixed in functionality that was not released as an update to openSUSE :

  - Certificate verification could be bypassed through the     HTTP/2 Alt-Svc header (MFSA 2015-44/CVE-2015-0799     bmo#1148328 bnc#926166)

The functionality added in 37.0 and thus removed in 37.0.1 was :

  - Opportunistically encrypt HTTP traffic where the server     supports HTTP/2 AltSvc

The following functionality was added or updated in Mozilla Firefox :

  - Heartbeat user rating system

  - Yandex set as default search provider for the Turkish     locale

  - Bing search now uses HTTPS for secure searching

  - Improved protection against site impersonation via     OneCRL centralized certificate revocation

  - some more behaviour changes for TLS

The following vulnerabilities were fixed in Mozilla Thunderbird :

  - Miscellaneous memory safety hazards (MFSA     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)

  - Use-after-free when using the Fluendo MP3 GStreamer     plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596     boo#925393)

  - resource:// documents can load privileged pages (MFSA     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)

  - CORS requests should not follow 30x redirections after     preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834     boo#925398)

  - Same-origin bypass through anchor navigation     (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401)

mozilla-nspr was updated to 4.10.8 as a dependency and received the following changes :

  - bmo#573192: remove the stack-based PRFileDesc cache.

  - bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING     > 0 instead of only checking if the identifier is     defined.

  - bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE.
    Use PR_ARRAY_SIZE to get the array size of
    _PR_RUNQ(t->cpu).

  - bmo#1106600: Replace PR_ASSERT(!'foo') with     PR_NOT_REACHED('foo') to fix clang -Wstring-conversion     warnings.

Muneaki Nishimura discovered a flaw in Mozilla's HTTP Alternative Services implementation which meant SSL certificate verification could be bypassed in some circumstances. A remote attacker could potentially exploit this to conduct a man in the middle attack. (CVE-2015-0799).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote Windows host is prior to 37.0.1. It is, therefore, affected by an error related to the HTTP/2 'Alt-Svc' header and SSL certificate verification, which allows man-in-the-middle (MitM) attacks.

The version of Firefox installed on the remote Mac OS X host is prior to 37.0.1. It is, therefore, affected by an error related to the HTTP/2 'Alt-Svc' header and SSL certificate verification, which allows man-in-the-middle (MitM) attacks.

The Mozilla Project reports :

MFSA 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header

MFSA 2015-43 Loading privileged content through Reader mode

ID	Name	Product	Family	Severity
87710	GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam)	Nessus	Gentoo Local Security Checks	critical
8744	Mozilla Firefox < 37.0.2 Failed Plugin Memory Corruption	Nessus Network Monitor	Web Clients	high
8743	Mozilla Firefox < 37.0.1 HTTP/2 Alt-Svc Header SSL MitM	Nessus Network Monitor	Web Clients	low
82651	openSUSE Security Update : MozillaFirefox / MozillaThunderbird / mozilla-nspr (openSUSE-2015-290)	Nessus	SuSE Local Security Checks	high
82643	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : firefox vulnerability (USN-2557-1)	Nessus	Ubuntu Local Security Checks	medium
82583	Firefox < 37.0.1 HTTP/2 Alt-Svc Header Certificate Verification Bypass	Nessus	Windows	medium
82582	Firefox < 37.0.1 HTTP/2 Alt-Svc Header Certificate Verification Bypass (Mac OS X)	Nessus	MacOS X Local Security Checks	medium
82579	FreeBSD : mozilla -- multiple vulnerabilities (b8321d76-24e7-4b72-a01d-d12c4445d826)	Nessus	FreeBSD Local Security Checks	medium

CVE-2015-0799

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

critical

high

low

high

medium

medium

medium

medium