openSUSE-SU-2016:0489

openSUSE-SU-2016:0553

http://www.mozilla.org/security/announce/2016/mfsa2016-13.html

1035007

USN-2893-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1245724

GLSA-201605-06

The remote host is affected by the vulnerability described in GLSA-201605-06 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, NSS, NSPR, and       Thunderbird. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

This update for MozillaFirefox fixes the following issues :

  - update to Firefox 44.0.2

  - MFSA 2016-13/CVE-2016-1949 (bmo#1245724, boo#966438)     Same-origin-policy violation using Service Workers with     plugins

  - Fix issue which could lead to the removal of stored     passwords under certain circumstances (bmo#1242176)

  - Allows spaces in cookie names (bmo#1244505)

  - Disable opus/vorbis audio with H.264 (bmo#1245696)

  - Fix for graphics startup crash (GNU/Linux) (bmo#1222171)

  - Fix a crash in cache networking (bmo#1244076)

  - Fix using WebSockets in service worker controlled pages     (bmo#1243942)

The version of Firefox installed is prior to 44.0.2 and is affected by a security bypass vulnerability due to improper restriction of interaction between service workers and plugins. An unauthenticated, remote attacker can exploit this using a crafted web site that triggers spoofed responses to requests that use NPAPI to bypass the same-origin policy. (CVE-2016-1949)

The version of Mozilla Firefox installed on the remote Windows host is prior to 44.0.2. It is, therefore, affected by a security bypass vulnerability due to improper restriction of interaction between service workers and plugins. An unauthenticated, remote attacker can exploit this, via a crafted web site that triggers spoofed responses to requests that use NPAPI, to bypass the same-origin policy.

The version of Mozilla Firefox installed on the remote Mac OS X host is prior to 44.0.2. It is, therefore, affected by a security bypass vulnerability due to improper restriction of interaction between service workers and plugins. An unauthenticated, remote attacker can exploit this, via a crafted web site that triggers spoofed responses to requests that use NPAPI, to bypass the same-origin policy.

The Mozilla Foundation reports :

MFSA 2016-13 Jason Pang of OneSignal reported that service workers intercept responses to plugin network requests made through the browser. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests. For example, a forged crossdomain.xml could allow a malicious site to violate the same-origin policy using the Flash plugin.

Jason Pang discovered that service workers intercept responses to plugin network requests made through the browser. An attacker could potentially exploit this to bypass same origin restrictions using the Flash plugin. (CVE-2016-1949).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
91379	GLSA-201605-06 : Mozilla Products: Multiple vulnerabilities (Logjam) (SLOTH)	Nessus	Gentoo Local Security Checks	critical
88946	openSUSE Security Update : Mozilla Firefox (openSUSE-2016-259)	Nessus	SuSE Local Security Checks	high
9077	Mozilla Firefox < 44.0.2 Security Bypass Vulnerability	Nessus Network Monitor	Web Clients	low
88828	openSUSE Security Update : MozillaFirefox (openSUSE-2016-223)	Nessus	SuSE Local Security Checks	high
88754	Firefox < 44.0.2 Service Workers Security Bypass	Nessus	Windows	high
88752	Firefox < 44.0.2 Service Workers Security Bypass (Mac OS X)	Nessus	MacOS X Local Security Checks	high
88743	FreeBSD : firefox -- Same-origin-policy violation using Service Workers with plugins (172b22cb-d3f6-11e5-ac9e-485d605f4717)	Nessus	FreeBSD Local Security Checks	high
88711	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : firefox vulnerability (USN-2893-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2016-1949

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

low

high

high

high

high

high