openSUSE-SU-2015:0677

http://www.mozilla.org/security/announce/2015/mfsa2015-38.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1031996

USN-2550-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1135511

GLSA-201512-10

Versions of Mozilla Firefox ESR prior to 31.6 are unpatched for the following vulnerabilities : 

 - A privilege escalation vulnerability exists which relates to anchor navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context. Note that this is a variant of CVE-2015-0818 that was fixed in Firefox 36.0.4. (CVE-2015-0801)
 - Access to certain privileged internal methods is retained when navigating from windows created to contain privileged UI content to unprivileged pages. An attacker can exploit this to execute arbitrary JavaScript with elevated privileges. (CVE-2015-0802)
 - Multiple type confusion issues exist that can lead to use-after-free errors, which a remote attacker can exploit to execute arbitrary code or cause a denial of service. (CVE-2015-0803, CVE-2015-0804)
 - Multiple memory corruption issues exist related to off-main-thread compositing when rendering 2D graphics, which a remote attacker can exploit to execute arbitrary code or cause a denial of service. (CVE-2015-0805, CVE-2015-0806)
 - A cross-site request forgery (XSRF) vulnerability exists in the sendBeacon() function due to cross-origin resource sharing (CORS) requests following 30x redirections. (CVE-2015-0807)
 - An issue exists in WebRTC related to memory management for simple-style arrays, which may be used by a remote attacker to cause a denial of service. (CVE-2015-0808)
 - An issue exists that allows a remote attacker to make the user's cursor invisible, possibly resulting in a successful clickjacking attack. Only OS X installations of Firefox are affected. (CVE-2015-0810)
 - An out-of-bounds read issue exists in the QCMS color management library that could lead to an information disclosure. (CVE-2015-0811)
 - An issue exists that can allow a man-in-the-middle attacker to bypass user-confirmation and install a Firefox lightweight theme by spoofing a Mozilla sub-domain. (CVE-2015-0812)
 - A use-after-free vulnerability affects the AppendElements() function when the Fluendo MP3 plugin for GStreamer is used. A remote attacker could exploit this to execute arbitrary code or cause a denial of service (heap memory corruption) via a specially crafted MP3 file. (CVE-2015-0813)
 - Multiple memory safety issues exist within the browser engine. A remote attacker can exploit these to corrupt memory and possibly execute arbitrary code. (CVE-2015-0814, CVE-2015-0815)
 - A privilege escalation vulnerability exists related to documents loaded through a 'resource:' URL. An attacker can exploit this to load pages and execute JavaScript with elevated privileges. (CVE-2015-0816)

The remote host is affected by the vulnerability described in GLSA-201512-10 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox and       Mozilla Thunderbird. Please review the CVE identifiers referenced below       for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Versions of Mozilla Firefox earlier than 37.0 are unpatched for the following vulnerabilities : 

 - A privilege escalation vulnerability exists which relates to anchor navigation. A remote attacker can exploit this to bypass same-origin policy protections, allowing a possible execution of arbitrary scripts in a privileged context. Note that this is a variant of CVE-2015-0818 that was fixed in Firefox 36.0.4. (CVE-2015-0801)
 - Access to certain privileged internal methods is retained when navigating from windows created to contain privileged UI content to unprivileged pages. An attacker can exploit this to execute arbitrary JavaScript with elevated privileges. (CVE-2015-0802)
 - Multiple type confusion issues exist that can lead to use-after-free errors, which a remote attacker can exploit to execute arbitrary code or cause a denial of service. (CVE-2015-0803, CVE-2015-0804)
 - Multiple memory corruption issues exist related to off-main-thread compositing when rendering 2D graphics, which a remote attacker can exploit to execute arbitrary code or cause a denial of service. (CVE-2015-0805, CVE-2015-0806)
 - A cross-site request forgery (XSRF) vulnerability exists in the sendBeacon() function due to cross-origin resource sharing (CORS) requests following 30x redirections. (CVE-2015-0807)
 - An issue exists in WebRTC related to memory management for simple-style arrays, which may be used by a remote attacker to cause a denial of service. (CVE-2015-0808)
 - An issue exists that allows a remote attacker to make the user's cursor invisible, possibly resulting in a successful clickjacking attack. Only OS X installations of Firefox are affected. (CVE-2015-0810)
 - An out-of-bounds read issue exists in the QCMS color management library that could lead to an information disclosure. (CVE-2015-0811)
 - An issue exists that can allow a man-in-the-middle attacker to bypass user-confirmation and install a Firefox lightweight theme by spoofing a Mozilla sub-domain. (CVE-2015-0812)
 - A use-after-free vulnerability affects the AppendElements() function when the Fluendo MP3 plugin for GStreamer is used. A remote attacker could exploit this to execute arbitrary code or cause a denial of service (heap memory corruption) via a specially crafted MP3 file. (CVE-2015-0813)
 - Multiple memory safety issues exist within the browser engine. A remote attacker can exploit these to corrupt memory and possibly execute arbitrary code. (CVE-2015-0814, CVE-2015-0815)
 - A privilege escalation vulnerability exists related to documents loaded through a 'resource:' URL. An attacker can exploit this to load pages and execute JavaScript with elevated privileges. (CVE-2015-0816)

Mozilla Firefox and Thunderbird were updated to fix several important vulnerabilities.

Mozilla Firefox was updated to 37.0.1. Mozilla Thunderbird was updated to 31.6.0. mozilla-nspr was updated to 4.10.8 as a dependency.

The following vulnerabilities were fixed in Mozilla Firefox :

  - Miscellaneous memory safety hazards (MFSA     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)

  - Use-after-free when using the Fluendo MP3 GStreamer     plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596     boo#925393)

  - Add-on lightweight theme installation approval bypassed     through MITM attack (MFSA 2015-32/CVE-2015-0812     bmo#1128126 boo#925394)

  - resource:// documents can load privileged pages (MFSA     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)

  - Out of bounds read in QCMS library     (MFSA-2015-34/CVE-2015-0811 bmo#1132468 boo#925396)

  - Incorrect memory management for simple-type arrays in     WebRTC (MFSA-2015-36/CVE-2015-0808 bmo#1109552     boo#925397)

  - CORS requests should not follow 30x redirections after     preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834     boo#925398)

  - Memory corruption crashes in Off Main Thread Compositing     (MFSA-2015-38/CVE-2015-0805/CVE-2015-0806 bmo#1135511     bmo#1099437 boo#925399)

  - Use-after-free due to type confusion flaws     (MFSA-2015-39/CVE-2015-0803/CVE-2015-0804 (mo#1134560     boo#925400)

  - Same-origin bypass through anchor navigation     (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401)

  - Windows can retain access to privileged content on     navigation to unprivileged pages     (MFSA-2015-42/CVE-2015-0802 bmo#1124898 boo#925402)

The following vulnerability was fixed in functionality that was not released as an update to openSUSE :

  - Certificate verification could be bypassed through the     HTTP/2 Alt-Svc header (MFSA 2015-44/CVE-2015-0799     bmo#1148328 bnc#926166)

The functionality added in 37.0 and thus removed in 37.0.1 was :

  - Opportunistically encrypt HTTP traffic where the server     supports HTTP/2 AltSvc

The following functionality was added or updated in Mozilla Firefox :

  - Heartbeat user rating system

  - Yandex set as default search provider for the Turkish     locale

  - Bing search now uses HTTPS for secure searching

  - Improved protection against site impersonation via     OneCRL centralized certificate revocation

  - some more behaviour changes for TLS

The following vulnerabilities were fixed in Mozilla Thunderbird :

  - Miscellaneous memory safety hazards (MFSA     2015-30/CVE-2015-0814/CVE-2015-0815 boo#925392)

  - Use-after-free when using the Fluendo MP3 GStreamer     plugin (MFSA 2015-31/CVE-2015-0813 bmo#1106596     boo#925393)

  - resource:// documents can load privileged pages (MFSA     2015-33/CVE-2015-0816 bmo#1144991 boo#925395)

  - CORS requests should not follow 30x redirections after     preflight (MFSA-2015-37/CVE-2015-0807 bmo#1111834     boo#925398)

  - Same-origin bypass through anchor navigation     (MFSA-2015-40/CVE-2015-0801 bmo#1146339 boo#925401)

mozilla-nspr was updated to 4.10.8 as a dependency and received the following changes :

  - bmo#573192: remove the stack-based PRFileDesc cache.

  - bmo#756047: check for _POSIX_THREAD_PRIORITY_SCHEDULING     > 0 instead of only checking if the identifier is     defined.

  - bmo#1089908: Fix variable shadowing in _PR_MD_LOCKFILE.
    Use PR_ARRAY_SIZE to get the array size of
    _PR_RUNQ(t->cpu).

  - bmo#1106600: Replace PR_ASSERT(!'foo') with     PR_NOT_REACHED('foo') to fix clang -Wstring-conversion     warnings.

Olli Pettay and Boris Zbarsky discovered an issue during anchor navigations in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin policy restrictions.
(CVE-2015-0801)

Bobby Holley discovered that windows created to hold privileged UI content retained access to privileged internal methods if navigated to unprivileged content. An attacker could potentially exploit this in combination with another flaw, in order to execute arbitrary script in a privileged context. (CVE-2015-0802)

Several type confusion issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0803, CVE-2015-0804)

Abhishek Arya discovered memory corruption issues during 2D graphics rendering. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0805, CVE-2015-0806)

Christoph Kerschbaumer discovered that CORS requests from navigator.sendBeacon() followed 30x redirections after preflight. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct cross-site request forgery (XSRF) attacks. (CVE-2015-0807)

Mitchell Harper discovered an issue with memory management of simple-type arrays in WebRTC. An attacker could potentially exploit this to cause undefined behaviour. (CVE-2015-0808)

Felix Grobert discovered an out-of-bounds read in the QCMS colour management library. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-0811)

Armin Razmdjou discovered that lightweight themes could be installed in Firefox without a user approval message, from Mozilla subdomains over HTTP without SSL. A remote attacker could potentially exploit this by conducting a Man-In-The-Middle (MITM) attack to install themes without user approval. (CVE-2015-0812)

Aki Helin discovered a use-after-free when playing MP3 audio files using the Fluendo MP3 GStreamer plugin in certain circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0813)

Christian Holler, Andrew McCreight, Gary Kwong, Karl Tomlinson, Randell Jesup, Shu-yu Guo, Steve Fink, Tooru Fujisawa, and Byron Campen discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0814, CVE-2015-0815)

Mariusz Mlynski discovered that documents loaded via resource: URLs (such as PDF.js) could load privileged chrome pages. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this in combination with another flaw, in order to execute arbitrary script in a privileged context. (CVE-2015-0816).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Firefox installed on the remote Windows host is prior to 37.0. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists which     relates to anchor navigation. A remote attacker can     exploit this to bypass same-origin policy protections,     allowing a possible execution of arbitrary scripts in a     privileged context. Note that this is a variant of     CVE-2015-0818 that was fixed in Firefox 36.0.4.
    (CVE-2015-0801)

  - Access to certain privileged internal methods is     retained when navigating from windows created to contain     privileged UI content to unprivileged pages. An attacker     can exploit this to execute arbitrary JavaScript with     elevated privileges. (CVE-2015-0802)

  - Multiple type confusion issues exist that can lead to     use-after-free errors, which a remote attacker can     exploit to execute arbitrary code or cause a denial of     service. (CVE-2015-0803, CVE-2015-0804)

  - Multiple memory corruption issues exist related to Off     Main Thread Compositing when rendering 2D graphics,     which a remote attacker can exploit to execute arbitrary     code or cause a denial of service. (CVE-2015-0805,     CVE-2015-0806)

  - A cross-site request forgery (XSRF) vulnerability exists     in the sendBeacon() function due to cross-origin     resource sharing (CORS) requests following 30x     redirections. (CVE-2015-0807)

  - An issue exists in WebRTC related to memory management     for simple-style arrays, which may be used by a remote     attacker to cause a denial of service. (CVE-2015-0808)

  - An out-of-bounds read issue exists in the QCMS color     management library that could lead to an information     disclosure. (CVE-2015-0811)

  - An issue exists that can allow a man-in-the-middle     attacker to bypass user-confirmation and install a     Firefox lightweight theme by spoofing a Mozilla     sub-domain. (CVE-2015-0812)   
  - Multiple memory safety issues exist within the browser     engine. A remote attacker can exploit these to corrupt     memory and possibly execute arbitrary code.
    (CVE-2015-0814, CVE-2015-0815)

  - A privilege escalation vulnerability exists related to     documents loaded through a 'resource:' URL. An attacker     can exploit this to load pages and execute JavaScript     with elevated privileges. (CVE-2015-0816)

The version of Firefox installed on the remote Mac OS X host is prior to 37.0. It is, therefore, affected by the following vulnerabilities :

  - A privilege escalation vulnerability exists which     relates to anchor navigation. A remote attacker can     exploit this to bypass same-origin policy protections,     allowing a possible execution of arbitrary scripts in a     privileged context. Note that this is a variant of     CVE-2015-0818 that was fixed in Firefox 36.0.4.
    (CVE-2015-0801)

  - Access to certain privileged internal methods is     retained when navigating from windows created to contain     privileged UI content to unprivileged pages. An attacker     can exploit this to execute arbitrary JavaScript with     elevated privileges. (CVE-2015-0802)

  - Multiple type confusion issues exist that can lead to     use-after-free errors, which a remote attacker can     exploit to execute arbitrary code or cause a denial of     service. (CVE-2015-0803, CVE-2015-0804)

  - Multiple memory corruption issues exist related to Off     Main Thread Compositing when rendering 2D graphics,     which a remote attacker can exploit to execute arbitrary     code or cause a denial of service. (CVE-2015-0805,     CVE-2015-0806)

  - A cross-site request forgery (XSRF) vulnerability exists     in the sendBeacon() function due to cross-origin     resource sharing (CORS) requests following 30x     redirections. (CVE-2015-0807)

  - An issue exists in WebRTC related to memory management     for simple-style arrays, which may be used by a remote     attacker to cause a denial of service. (CVE-2015-0808)

  - An issue exists that allows a remote attacker to make     the user's cursor invisible, possibly resulting in a     successful clickjacking attack. (CVE-2015-0810)

  - An out-of-bounds read issue exists in the QCMS color     management library that could lead to an information     disclosure. (CVE-2015-0811)

  - An issue exists that can allow a man-in-the-middle     attacker to bypass user-confirmation and install a     Firefox lightweight theme by spoofing a Mozilla     sub-domain. (CVE-2015-0812)

  - Multiple memory safety issues exist within the browser     engine. A remote attacker can exploit these to corrupt     memory and possibly execute arbitrary code.
    (CVE-2015-0814, CVE-2015-0815)

  - A privilege escalation vulnerability exists related to     documents loaded through a 'resource:' URL. An attacker     can exploit this to load pages and execute JavaScript     with elevated privileges. (CVE-2015-0816)

The Mozilla Project reports :

MFSA-2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

MFSA-2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin

MFSA-2015-32 Add-on lightweight theme installation approval bypassed through MITM attack

MFSA-2015-33 resource:// documents can load privileged pages

MFSA-2015-34 Out of bounds read in QCMS library

MFSA-2015-35 Cursor clickjacking with flash and images

MFSA-2015-36 Incorrect memory management for simple-type arrays in WebRTC

MFSA-2015-37 CORS requests should not follow 30x redirections after preflight

MFSA-2015-38 Memory corruption crashes in Off Main Thread Compositing

MFSA-2015-39 Use-after-free due to type confusion flaws

MFSA-2015-40 Same-origin bypass through anchor navigation

MFSA-2015-41 PRNG weakness allows for DNS poisoning on Android

MFSA-2015-42 Windows can retain access to privileged content on navigation to unprivileged pages

ID	Name	Product	Family	Severity
701254	Mozilla Firefox ESR < 31.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
87710	GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam)	Nessus	Gentoo Local Security Checks	critical
8742	Mozilla Firefox < 37.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
82651	openSUSE Security Update : MozillaFirefox / MozillaThunderbird / mozilla-nspr (openSUSE-2015-290)	Nessus	SuSE Local Security Checks	high
82524	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : firefox vulnerabilities (USN-2550-1)	Nessus	Ubuntu Local Security Checks	high
82503	Firefox < 37.0 Multiple Vulnerabilities	Nessus	Windows	high
82500	Firefox < 37.0 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
82482	FreeBSD : mozilla -- multiple vulnerabilities (d0c97697-df2c-4b8b-bff2-cec24dc35af8)	Nessus	FreeBSD Local Security Checks	high

CVE-2015-0805

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

critical

high

high

high

high

high

high