openSUSE-SU-2015:1942

http://www.mozilla.org/security/announce/2015/mfsa2015-119.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1034069

https://bugzilla.mozilla.org/show_bug.cgi?id=1149000

Versions of Mozilla Firefox for Android earlier than 42.0 are affected by multiple vulnerabilities.  These include : 

 - A flaw exists in 'mobile/android/chrome/content/browser.js' that is triggered when the device exits fullscreen mode. This allows a context-dependent attacker to spoof the address bar. (CVE-2015-7185)
 - A flaw exists in 'mobile/android/components/HelperAppDialog.js' that is triggered when handling the 'file://' URI scheme. This may allow a context-dependent attacker to download arbitrary files or open cached profile data without the user knowing. (CVE-2015-7186)
 - A flaw exists in 'mobile/android/search/java/org/mozilla/search/PostSearchFragment.java' related to the crash reporter. The issue is triggered when a registered search engine uses an Android intent to launch the program. This may allow a malicious app to gain access to local log files that may contain sensitive information or local HTML files through file: URIs. (CVE-2015-7190)
 - A flaw exists in the 'IntentHelper::openNoHandler()' function in 'mobile/android/base/IntentHelper.java.' The issue is triggered when handling 'intent://' URLs during Fallback navigation. This may allow a context-dependent attacker to execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server (i.e. conduct UXSS attacks). (CVE-2015-7191) 

The Mozilla Project reports :

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

Mozilla Firefox was updated to version 42.0, fixing bugs and security issues. Mozilla xulrunner was updated to xulrunner 38.4.0. SeaMonkey was updated to 2.39.

New features in Mozilla Firefox :

  - Private Browsing with Tracking Protection blocks certain     Web elements that could be used to record your behavior     across sites

  - Control Center that contains site security and privacy     controls

  - Login Manager improvements

  - WebRTC improvements

  - Indicator added to tabs that play audio with one-click     muting

  - Media Source Extension for HTML5 video available for all     sites

Security fixes :

  - MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous     memory safety hazards

  - MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information     disclosure through NTLM authentication

  - MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)     CSP bypass due to permissive Reader mode whitelist

  - MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)     Firefox for Android addressbar can be removed after     fullscreen mode

  - MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)     Reading sensitive profile files through local HTML file     on Android

  - MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling     scripts in Add-on SDK panels has no effect

  - MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing     whitespace in IP address hostnames can bypass     same-origin policy

  - MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer     overflow during image interactions in canvas

  - MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)     Android intents can be used on Firefox for Android to     open privileged files

  - MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)     XSS attack through intents on Firefox for Android

  - MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)     Crash when accessing HTML tables with accessibility     tools on OS X

  - MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight     is bypassed when non-standard Content-Type headers are     received

  - MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory     corruption in libjar through zip files

  - MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain     escaped characters in host of Location-header are being     treated as non-escaped

  - MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript     garbage collection crash with Java applet

  - MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200     (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities     found through code inspection

  - MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content     WebSocket policy bypass through workers

  - MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183     (bmo#1202868, bmo#1205157) NSS and NSPR memory     corruption issues (fixed in mozilla-nspr and mozilla-nss     packages)

mozilla-nspr was updated to 4.10.10 :

  - MFSA 2015-133/CVE-2015-7183 (bmo#1205157) memory     corruption issues

This update includes the update to version 4.10.9

  - bmo#1021167: Leak of |poll_list| on failure in
    _MW_PollInternal

  - bmo#1030692: Make compiling nspr on windows possible     again.

  - bmo#1088790: dosprint() doesn't support %zu and other     size formats

  - bmo#1130787: prtime.h does not compile with MSVC's /Za     (ISO C/C++ conformance) option

  - bmo#1153610: MIPS64: Add support for n64 ABI

  - bmo#1156029: Teach clang-analyzer about PR_ASSERT

  - bmo#1160125: MSVC version detection is broken CC is set     to a wrapper (like sccache)

  - bmo#1163346: Add NSPR support for FreeBSD mips/mips64

  - bmo#1169185: Add support for OpenRISC (or1k)

  - bmo:1174749: Remove configure block for iOS that uses     MACOS_SDK_DIR

  - bmo#1174781: PR_GetInheritedFD can use uninitialized     variables

mozilla-nss was updated to 3.20.1 :

  - requires NSPR 4.10.10

  - MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028,     bmo#1202868) memory corruption issues

  - Install the static libfreebl.a that is needed in order     to link Sun elliptical curves provider in Java 7.

This includes the update of Mozilla NSS to NSS 3.20 New functionality :

  - The TLS library has been extended to support DHE     ciphersuites in server applications. New Functions :

  - SSL_DHEGroupPrefSet - Configure the set of     allowed/enabled DHE group parameters that can be used by     NSS for a server socket.

  - SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE     group parameters that are smaller than the library     default's minimum size. New Types :

  - SSLDHEGroupType - Enumerates the set of DHE parameters     embedded in NSS that can be used with function     SSL_DHEGroupPrefSet. New Macros :

  - SSL_ENABLE_SERVER_DHE - A socket option user to enable     or disable DHE ciphersuites for a server socket. Notable     Changes :

  - For backwards compatibility reasons, the server side     implementation of the TLS library keeps all DHE     ciphersuites disabled by default. They can be enabled     with the new socket option SSL_ENABLE_SERVER_DHE and the     SSL_OptionSet or the SSL_OptionSetDefault API.

  - The server side implementation of the TLS implementation     does not support session tickets when using a DHE     ciphersuite (see bmo#1174677).

  - Support for the following ciphersuites has been added :

  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

  - By default, the server side TLS implementation will use     DHE parameters with a size of 2048 bits when using DHE     ciphersuites.

  - NSS embeds fixed DHE parameters sized 2048, 3072, 4096,     6144 and 8192 bits, which were copied from version 08 of     the Internet-Draft 'Negotiated Finite Field     Diffie-Hellman Ephemeral Parameters for TLS', Appendix     A.

  - A new API SSL_DHEGroupPrefSet has been added to NSS,     which allows a server application to select one or     multiple of the embedded DHE parameters as the preferred     parameters. The current implementation of NSS will     always use the first entry in the array that is passed     as a parameter to the SSL_DHEGroupPrefSet API. In future     versions of the TLS implementation, a TLS client might     signal a preference for certain DHE parameters, and the     NSS TLS server side implementation might select a     matching entry from the set of parameters that have been     configured as preferred on the server side.

  - NSS optionally supports the use of weak DHE parameters     with DHE ciphersuites to support legacy clients. In     order to enable this support, the new API     SSL_EnableWeakDHEPrimeGroup must be used. Each time this     API is called for the first time in a process, a fresh     set of weak DHE parameters will be randomly created,     which may take a long amount of time. Please refer to     the comments in the header file that declares the     SSL_EnableWeakDHEPrimeGroup API for additional details.

  - The size of the default PQG parameters used by certutil     when creating DSA keys has been increased to use 2048     bit parameters.

  - The selfserv utility has been enhanced to support the     new DHE features.

  - NSS no longer supports C compilers that predate the ANSI     C standard (C89).

It also includes the update to NSS 3.19.3; certstore updates only

  - The following CA certificates were removed

  - Buypass Class 3 CA 1

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131;

  - SG TRUST SERVICES RACINE

  - TC TrustCenter Universal CA I

  - TC TrustCenter Class 2 CA II

  - The following CA certificate had the Websites trust bit     turned off

  - ComSign Secured CA

  - The following CA certificates were added

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131; H5

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131; H6

  - Certinomis - Root CA

  - The version number of the updated root CA list has been     set to 2.5

  - Install blapi.h and algmac.h that are needed in order to     build Sun elliptical curves provider in Java 7

ID	Name	Product	Family	Severity
9019	Mozilla Firefox for Android < 42.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	medium
9019	Mozilla Firefox for Android < 42.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	medium
86955	FreeBSD : mozilla -- multiple vulnerabilities (9d04936c-75f1-4a2c-9ade-4c1708be5df9)	Nessus	FreeBSD Local Security Checks	critical
86807	openSUSE Security Update : MozillaFirefox / mozilla-nspr / mozilla-nss / etc (openSUSE-2015-718)	Nessus	SuSE Local Security Checks	critical

CVE-2015-7185

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

critical

critical