openSUSE-SU-2015:1942

http://www.mozilla.org/security/announce/2015/mfsa2015-129.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

1034069

USN-2785-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1211871

GLSA-201512-10

The remote host is affected by the vulnerability described in GLSA-201512-10 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox and       Mozilla Thunderbird. Please review the CVE identifiers referenced below       for details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The version of Mozilla Firefox is prior to 42.0 and is affected by multiple vulnerabilities : 

 - Multiple flaws in the browser engine allow remote attackers to corrupt memory and potentially execute arbitrary code. (CVE-2015-4513, CVE-2015-4514)
 - A flaw exists that is triggered when handling type 3 messages as part of the NTLM authentication exchange. This may allow an attacker to disclose system hostname and windows domain information. (CVE-2015-4515)
 - A flaw exists related to the whitelist used by Reader View to disable script for rendered pages being too permissive. This may allow an attacker to bypass CSP protections and in turn potentially conduct XSS attacks. (CVE-2015-4518)
 - An unspecified use-after-poison flaw exists in Mozilla Network Security Services (NSS) in the 'sec_asn1d_parse_leaf()' function that may allow an attacker to execute arbitrary code. (CVE-2015-7181)
 - An overflow condition exists in Mozilla Network Security Services (NSS) in the ASN.1 decoder. The issue is triggered as user-supplied input is not properly validated when handling an OCTET STRING. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2015-7182)
 - An integer overflow condition exists in Netscape Portable Runtime (NSPR) in the PL_ARENA_ALLOCATE macro that is triggered as user-supplied input is not properly validated during memory allocation. This may allow an attacker to corrupt memory, crashing an application linked against the library or potentially allowing the execution of arbitrary code. (CVE-2015-7183)
 - A flaw exists in the 'fetch()' API that is due it failing to properly implement the Cross-Origin Resource Sharing (CORS) feature. This may allow an attacker to potentially gain unauthorized access to cross-origin information. (CVE-2015-7184)- A flaw exists that is due to the program failing to enforce settings when disabling scripts in the Add-on SDK panel. By defining a panel with "script: false", all script execution is designed to be disabled. With a crafted web site, an attacker may be able to bypass this restriction, facilitating scripting attacks. (CVE-2015-7187)
 - A flaw exists in 'netwerk/base/nsStandardURL.cpp' that is triggered during the handling of trailing whitespaces in the IP address hostname. This may allow an attacker to bypass the same-origin policy. (CVE-2015-7188)
 - A race condition exists in the 'JPEGEncoder()' function. The issue is triggered as user-supplied input is not properly validated when handling canvas elements. This may allow an attacker to cause a heap-based buffer overflow and potentially execute arbitrary code. (CVE-2015-7189)
 - A flaw exists (Firefox for OS X only) in the 'ConvertToNSArray()' function in 'accessible/mac/mozAccessible.mm.' The issue is triggered when an accessibility tool requests the index of a table row via the 'NSAccessibilityIndexAttribute' value. This may allow an attacker to potentially execute arbitrary code. (CVE-2015-7192)
 - A flaw exists that is triggered during the handling of content-type headers for multiple media types returned from a server. This may allow an attacker to bypass cross-origin resource sharing (CORS) and perform simple request instead of a 'preflight' request. (CVE-2015-7193)
 - A flaw exists in the 'nsZipArchive::GetData()' function in 'modules/libjar/nsZipArchive.cpp' that is triggered as user-supplied input is not properly validated when handling ZIP archives. This may allow an attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-7194)
 - A flaw exists that is triggered during the parsing of escaped characters in the hostname of location headers. This may allow an attacker to gain access to arbitrary site-specific token information. (CVE-2015-7195)
 - A flaw exists in the '_releaseobject()' function in 'dom/plugins/base/nsNPAPIPlugin.cpp' that is triggered when JavaScript wrappers become deallocated during use. This may allow an attacker to corrupt memory and potentially execute arbitrary code. (CVE-2015-7196)
 - A flaw exists in the 'WebSocketImpl::Init()' function in 'dom/base/WebSocket.cpp' that is triggered when determining the origin of the entry settings object for workers. This may allow an attacker to bypass the mixed content WebSocket policy. (CVE-2015-7197)
 - An overflow condition exists in the 'WebGLTexture::EnsureInitializedImageData()' function in 'dom/canvas/WebGLTexture.cpp.' The issue is triggered as user-supplied input is not properly validated. This may allow an attacker to cause a buffer overflow and potentially execute arbitrary code. (CVE-2015-7198)
 - A flaw exists in 'dom/svg/SVGPathSegListSMILType.cpp' related to missing return value checks for the 'AddWeightedPathSegLists()' function during SVG rendering. This may allow an attacker to corrupt memory and execute arbitrary code. (CVE-2015-7199)
 - A flaw exists that is due to missing status checks in CryptoKey related to OOM (Out-of-Memory) conditions. This may allow an attacker to make changes to crpytographic keys and potentially execute arbitrary code. (CVE-2015-7200)

The Mozilla Project reports :

MFSA 2015-133 NSS and NSPR memory corruption issues

MFSA 2015-132 Mixed content WebSocket policy bypass through workers

MFSA 2015-131 Vulnerabilities found through code inspection

MFSA 2015-130 JavaScript garbage collection crash with Java applet

MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped

MFSA 2015-128 Memory corruption in libjar through zip files

MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received

MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X

MFSA 2015-125 XSS attack through intents on Firefox for Android

MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files

MFSA 2015-123 Buffer overflow during image interactions in canvas

MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy

MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect

MFSA 2015-120 Reading sensitive profile files through local HTML file on Android

MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode

MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist

MFSA 2015-117 Information disclosure through NTLM authentication

MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

Mozilla Firefox was updated to version 42.0, fixing bugs and security issues. Mozilla xulrunner was updated to xulrunner 38.4.0. SeaMonkey was updated to 2.39.

New features in Mozilla Firefox :

  - Private Browsing with Tracking Protection blocks certain     Web elements that could be used to record your behavior     across sites

  - Control Center that contains site security and privacy     controls

  - Login Manager improvements

  - WebRTC improvements

  - Indicator added to tabs that play audio with one-click     muting

  - Media Source Extension for HTML5 video available for all     sites

Security fixes :

  - MFSA 2015-116/CVE-2015-4513/CVE-2015-4514 Miscellaneous     memory safety hazards

  - MFSA 2015-117/CVE-2015-4515 (bmo#1046421) Information     disclosure through NTLM authentication

  - MFSA 2015-118/CVE-2015-4518 (bmo#1182778, bmo#1136692)     CSP bypass due to permissive Reader mode whitelist

  - MFSA 2015-119/CVE-2015-7185 (bmo#1149000) (Android only)     Firefox for Android addressbar can be removed after     fullscreen mode

  - MFSA 2015-120/CVE-2015-7186 (bmo#1193027) (Android only)     Reading sensitive profile files through local HTML file     on Android

  - MFSA 2015-121/CVE-2015-7187 (bmo#1195735) disabling     scripts in Add-on SDK panels has no effect

  - MFSA 2015-122/CVE-2015-7188 (bmo#1199430) Trailing     whitespace in IP address hostnames can bypass     same-origin policy

  - MFSA 2015-123/CVE-2015-7189 (bmo#1205900) Buffer     overflow during image interactions in canvas

  - MFSA 2015-124/CVE-2015-7190 (bmo#1208520) (Android only)     Android intents can be used on Firefox for Android to     open privileged files

  - MFSA 2015-125/CVE-2015-7191 (bmo#1208956) (Android only)     XSS attack through intents on Firefox for Android

  - MFSA 2015-126/CVE-2015-7192 (bmo#1210023) (OS X only)     Crash when accessing HTML tables with accessibility     tools on OS X

  - MFSA 2015-127/CVE-2015-7193 (bmo#1210302) CORS preflight     is bypassed when non-standard Content-Type headers are     received

  - MFSA 2015-128/CVE-2015-7194 (bmo#1211262) Memory     corruption in libjar through zip files

  - MFSA 2015-129/CVE-2015-7195 (bmo#1211871) Certain     escaped characters in host of Location-header are being     treated as non-escaped

  - MFSA 2015-130/CVE-2015-7196 (bmo#1140616) JavaScript     garbage collection crash with Java applet

  - MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200     (bmo#1188010, bmo#1204061, bmo#1204155) Vulnerabilities     found through code inspection

  - MFSA 2015-132/CVE-2015-7197 (bmo#1204269) Mixed content     WebSocket policy bypass through workers

  - MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183     (bmo#1202868, bmo#1205157) NSS and NSPR memory     corruption issues (fixed in mozilla-nspr and mozilla-nss     packages)

mozilla-nspr was updated to 4.10.10 :

  - MFSA 2015-133/CVE-2015-7183 (bmo#1205157) memory     corruption issues

This update includes the update to version 4.10.9

  - bmo#1021167: Leak of |poll_list| on failure in
    _MW_PollInternal

  - bmo#1030692: Make compiling nspr on windows possible     again.

  - bmo#1088790: dosprint() doesn't support %zu and other     size formats

  - bmo#1130787: prtime.h does not compile with MSVC's /Za     (ISO C/C++ conformance) option

  - bmo#1153610: MIPS64: Add support for n64 ABI

  - bmo#1156029: Teach clang-analyzer about PR_ASSERT

  - bmo#1160125: MSVC version detection is broken CC is set     to a wrapper (like sccache)

  - bmo#1163346: Add NSPR support for FreeBSD mips/mips64

  - bmo#1169185: Add support for OpenRISC (or1k)

  - bmo:1174749: Remove configure block for iOS that uses     MACOS_SDK_DIR

  - bmo#1174781: PR_GetInheritedFD can use uninitialized     variables

mozilla-nss was updated to 3.20.1 :

  - requires NSPR 4.10.10

  - MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028,     bmo#1202868) memory corruption issues

  - Install the static libfreebl.a that is needed in order     to link Sun elliptical curves provider in Java 7.

This includes the update of Mozilla NSS to NSS 3.20 New functionality :

  - The TLS library has been extended to support DHE     ciphersuites in server applications. New Functions :

  - SSL_DHEGroupPrefSet - Configure the set of     allowed/enabled DHE group parameters that can be used by     NSS for a server socket.

  - SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE     group parameters that are smaller than the library     default's minimum size. New Types :

  - SSLDHEGroupType - Enumerates the set of DHE parameters     embedded in NSS that can be used with function     SSL_DHEGroupPrefSet. New Macros :

  - SSL_ENABLE_SERVER_DHE - A socket option user to enable     or disable DHE ciphersuites for a server socket. Notable     Changes :

  - For backwards compatibility reasons, the server side     implementation of the TLS library keeps all DHE     ciphersuites disabled by default. They can be enabled     with the new socket option SSL_ENABLE_SERVER_DHE and the     SSL_OptionSet or the SSL_OptionSetDefault API.

  - The server side implementation of the TLS implementation     does not support session tickets when using a DHE     ciphersuite (see bmo#1174677).

  - Support for the following ciphersuites has been added :

  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

  - By default, the server side TLS implementation will use     DHE parameters with a size of 2048 bits when using DHE     ciphersuites.

  - NSS embeds fixed DHE parameters sized 2048, 3072, 4096,     6144 and 8192 bits, which were copied from version 08 of     the Internet-Draft 'Negotiated Finite Field     Diffie-Hellman Ephemeral Parameters for TLS', Appendix     A.

  - A new API SSL_DHEGroupPrefSet has been added to NSS,     which allows a server application to select one or     multiple of the embedded DHE parameters as the preferred     parameters. The current implementation of NSS will     always use the first entry in the array that is passed     as a parameter to the SSL_DHEGroupPrefSet API. In future     versions of the TLS implementation, a TLS client might     signal a preference for certain DHE parameters, and the     NSS TLS server side implementation might select a     matching entry from the set of parameters that have been     configured as preferred on the server side.

  - NSS optionally supports the use of weak DHE parameters     with DHE ciphersuites to support legacy clients. In     order to enable this support, the new API     SSL_EnableWeakDHEPrimeGroup must be used. Each time this     API is called for the first time in a process, a fresh     set of weak DHE parameters will be randomly created,     which may take a long amount of time. Please refer to     the comments in the header file that declares the     SSL_EnableWeakDHEPrimeGroup API for additional details.

  - The size of the default PQG parameters used by certutil     when creating DSA keys has been increased to use 2048     bit parameters.

  - The selfserv utility has been enhanced to support the     new DHE features.

  - NSS no longer supports C compilers that predate the ANSI     C standard (C89).

It also includes the update to NSS 3.19.3; certstore updates only

  - The following CA certificates were removed

  - Buypass Class 3 CA 1

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131;

  - SG TRUST SERVICES RACINE

  - TC TrustCenter Universal CA I

  - TC TrustCenter Class 2 CA II

  - The following CA certificate had the Websites trust bit     turned off

  - ComSign Secured CA

  - The following CA certificates were added

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131; H5

  - T&Uuml;RKTRUST Elektronik Sertifika Hizmet     Sa&#x11F;lay&#x131;c&#x131;s&#x131; H6

  - Certinomis - Root CA

  - The version number of the updated root CA list has been     set to 2.5

  - Install blapi.h and algmac.h that are needed in order to     build Sun elliptical curves provider in Java 7

The version of Firefox installed on the remote Windows host is prior to 42. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit these issues, via a     specially crafted web page, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-4513, CVE-2015-4514)

  - An information disclosure vulnerability exists when     handling type 3 messages as part of the NTLM     authentication exchange. A remote attacker can exploit     this, via a specially crafted web page that sends an     NTLM request, to disclose system hostname and windows     domain information. (CVE-2015-4515)

  - A security bypass vulnerability exists due to the     whitelist used by Reader View to disable scripts for     rendered pages being too permissive. A remote attacker     can exploit this, via specially crafted web page, to     bypass Content Security Policy (CSP) protections.
    (CVE-2015-4518)

  - An unspecified use-after-poison flaw exists in the     sec_asn1d_parse_leaf() function in Mozilla Network     Security Services (NSS) due to improper restriction of     access to an unspecified data structure. A remote     attacker can exploit this, via crafted OCTET STRING     data, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-7181)   
  - A heap buffer overflow condition exists in the ASN.1     decoder in Mozilla Network Security Services (NSS) due     to improper validation of user-supplied input. A remote     attacker can exploit this, via crafted OCTET STRING     data, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-7182)

  - An integer overflow condition exists in the     PL_ARENA_ALLOCATE macro in the Netscape Portable Runtime     (NSPR) due to improper validation of user-supplied     input. A remote attacker can exploit this to corrupt     memory, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-7183)

  - A security bypass vulnerability exists due to a failure     to enforce settings when disabling scripts in the Add-on     SDK panel. A remote attacker can exploit this, via a     crafted web page, to bypass security restrictions and     conduct a cross-site scripting attack. (CVE-2015-7187)

  - A same-origin bypass vulnerability exists due to     improper handling of trailing whitespaces in the IP     address hostname. A remote attacker can exploit this, by     appending whitespace characters to an IP address string,     to bypass the same-origin policy and conduct a     cross-site scripting attack. (CVE-2015-7188)

  - A race condition exists in the JPEGEncoder() function     due to improper validation of user-supplied input when     handling canvas elements. A remote attacker can exploit     this to cause a heap-based buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2015-7189)

  - A cross-origin resource sharing (CORS) request bypass     vulnerability exists due to improper implementation of     the CORS cross-origin request algorithm for the POST     method in situations involving an unspecified     Content-Type header manipulation. A remote attacker can     exploit this to perform a simple request instead of a     'preflight' request. (CVE-2015-7193)

  - A buffer underflow condition exists in libjar due to     improper validation of user-supplied input when handling     ZIP archives. A remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2015-7194)

  - An information disclosure vulnerability exists due to     improper parsing of escaped characters in the hostname     of location headers. A remote attacker can exploit this     to gain access to arbitrary site-specific token     information. (CVE-2015-7195)

  - A memory corruption issue exists in the _releaseobject()     function in dom/plugins/base/nsNPAPIPlugin.cpp due to     improper deallocation of JavaScript wrappers. A remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-7196)

  - A security bypass vulnerability exists due to improperly     controlling the ability of a web worker to create a     WebSocket object in the WebSocketImpl::Init() method.
    A remote attacker can exploit this to bypass intended     mixed-content restrictions. (CVE-2015-7197)

  - A buffer overflow condition exists in TextureStorage11     in ANGLE due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2015-7198)

  - A flaw exists in the AddWeightedPathSegLists() function     due to missing return value checks during SVG rendering.
    A remote attacker can exploit this, via a crafted SVG     document, to corrupt memory, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-7199)

  - A flaw exists in the CryptoKey interface implementation     due to missing status checks. A remote attacker can     exploit this to make changes to cryptographic keys and     execute arbitrary code. (CVE-2015-7200)

The version of Firefox installed on the remote Mac OS X host is prior to 42. It is, therefore, affected by the following vulnerabilities :

  - Multiple memory corruption issues exist due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit these issues, via a     specially crafted web page, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-4513, CVE-2015-4514)

  - An information disclosure vulnerability exists when     handling type 3 messages as part of the NTLM     authentication exchange. A remote attacker can exploit     this, via a specially crafted web page that sends an     NTLM request, to disclose system hostname and windows     domain information. (CVE-2015-4515)

  - A security bypass vulnerability exists due to the     whitelist used by Reader View to disable scripts for     rendered pages being too permissive. A remote attacker     can exploit this, via specially crafted web page, to     bypass Content Security Policy (CSP) protections.
    (CVE-2015-4518)

  - An unspecified use-after-poison flaw exists in the     sec_asn1d_parse_leaf() function in Mozilla Network     Security Services (NSS) due to improper restriction of     access to an unspecified data structure. A remote     attacker can exploit this, via crafted OCTET STRING     data, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-7181)   
  - A heap buffer overflow condition exists in the ASN.1     decoder in Mozilla Network Security Services (NSS) due     to improper validation of user-supplied input. A remote     attacker can exploit this, via crafted OCTET STRING     data, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-7182)

  - An integer overflow condition exists in the     PL_ARENA_ALLOCATE macro in the Netscape Portable Runtime     (NSPR) due to improper validation of user-supplied     input. A remote attacker can exploit this to corrupt     memory, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-7183)

  - A security bypass vulnerability exists due to a failure     to enforce settings when disabling scripts in the Add-on     SDK panel. A remote attacker can exploit this, via a     crafted web page, to bypass security restrictions and     conduct a cross-site scripting attack. (CVE-2015-7187)

  - A same-origin bypass vulnerability exists due to     improper handling of trailing whitespaces in the IP     address hostname. A remote attacker can exploit this, by     appending whitespace characters to an IP address string,     to bypass the same-origin policy and conduct a     cross-site scripting attack. (CVE-2015-7188)

  - A race condition exists in the JPEGEncoder() function     due to improper validation of user-supplied input when     handling canvas elements. A remote attacker can exploit     this to cause a heap-based buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2015-7189)

  - An arbitrary code execution vulnerability exists in the     accessibility-tools feature due to improper interaction     with the implementation of the TABLE element. A remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-7192)

  - A cross-origin resource sharing (CORS) request bypass     vulnerability exists due to improper implementation of     the CORS cross-origin request algorithm for the POST     method in situations involving an unspecified     Content-Type header manipulation. A remote attacker can     exploit this to perform a simple request instead of a     'preflight' request. (CVE-2015-7193)

  - A buffer underflow condition exists in libjar due to     improper validation of user-supplied input when handling     ZIP archives. A remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2015-7194)

  - An information disclosure vulnerability exists due to     improper parsing of escaped characters in the hostname     of location headers. A remote attacker can exploit this     to gain access to arbitrary site-specific token     information. (CVE-2015-7195)

  - A memory corruption issue exists in the _releaseobject()     function in dom/plugins/base/nsNPAPIPlugin.cpp due to     improper deallocation of JavaScript wrappers. A remote     attacker can exploit this to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2015-7196)

  - A security bypass vulnerability exists due to improperly     controlling the ability of a web worker to create a     WebSocket object in the WebSocketImpl::Init() method.
    A remote attacker can exploit this to bypass intended     mixed-content restrictions. (CVE-2015-7197)

  - A buffer overflow condition exists in TextureStorage11     in ANGLE due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2015-7198)

  - A flaw exists in the AddWeightedPathSegLists() function     due to missing return value checks during SVG rendering.
    A remote attacker can exploit this, via a crafted SVG     document, to corrupt memory, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-7199)

  - A flaw exists in the CryptoKey interface implementation     due to missing status checks. A remote attacker can     exploit this to make changes to cryptographic keys and     execute arbitrary code. (CVE-2015-7200)

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong, Andrew McCreight, Georg Fritzsche, and Carsten Book discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4513, CVE-2015-4514)

Tim Brown discovered that Firefox discloses the hostname during NTLM authentication in some circumstances. If a user were tricked in to opening a specially crafted website with NTLM v1 enabled, an attacker could exploit this to obtain sensitive information. (CVE-2015-4515)

Mario Heiderich and Frederik Braun discovered that CSP could be bypassed in reader mode in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-4518)

Tyson Smith and David Keeler discovered a use-after-poison and buffer overflow in NSS. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-7181, CVE-2015-7182)

Ryan Sleevi discovered an integer overflow in NSPR. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-7183)

Jason Hamilton, Peter Arremann and Sylvain Giroux discovered that panels created via the Addon SDK with { script: false } could still execute inline script. If a user installed an addon that relied on this as a security mechanism, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks, depending on the source of the panel content. (CVE-2015-7187)

Michal Bentkowski discovered that adding white-space to hostnames that are IP address can bypass same-origin protections. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2015-7188)

Looben Yang discovered a buffer overflow during script interactions with the canvas element in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-7189)

Shinto K Anto discovered that CORS preflight is bypassed when receiving non-standard Content-Type headers in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-7193)

Gustavo Grieco discovered a buffer overflow in libjar in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-7194)

Frans Rosen discovered that certain escaped characters in the Location header are parsed incorrectly, resulting in a navigation to the previously parsed version of a URL. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain site specific tokens. (CVE-2015-7195)

Vytautas Staraitis discovered a garbage collection crash when interacting with Java applets in some circumstances. If a user were tricked in to opening a specially crafted website with the Java plugin installed, an attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-7196)

Ehsan Akhgari discovered a mechanism for a web worker to bypass secure requirements for web sockets. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to bypass the mixed content web socket policy. (CVE-2015-7197)

Ronald Crane discovered several vulnerabilities through code-inspection. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-7198, CVE-2015-7199, CVE-2015-7200).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
87710	GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam)	Nessus	Gentoo Local Security Checks	critical
9018	Mozilla Firefox < 42.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
86955	FreeBSD : mozilla -- multiple vulnerabilities (9d04936c-75f1-4a2c-9ade-4c1708be5df9)	Nessus	FreeBSD Local Security Checks	high
86807	openSUSE Security Update : MozillaFirefox / mozilla-nspr / mozilla-nss / etc (openSUSE-2015-718)	Nessus	SuSE Local Security Checks	high
86764	Firefox < 42 Multiple Vulnerabilities	Nessus	Windows	high
86762	Firefox < 42 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
86758	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : firefox vulnerabilities (USN-2785-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2015-7195

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins