SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:2302-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

Mozilla Firefox was updated to the ESR 52.3 release (bsc#1052829)
Following security issues were fixed :

- MFSA 2017-19/CVE-2017-7807: Domain hijacking through
AppCache fallback

- MFSA 2017-19/CVE-2017-7791: Spoofing following page
navigation with data: protocol and modal alerts

- MFSA 2017-19/CVE-2017-7792: Buffer overflow viewing
certificates with an extremely long OID

- MFSA 2017-19/CVE-2017-7782: WindowsDllDetourPatcher
allocates memory without DEP protections

- MFSA 2017-19/CVE-2017-7787: Same-origin policy bypass
with iframes through page reloads

- MFSA 2017-19/CVE-2017-7786: Buffer overflow while
painting non-displayable SVG

- MFSA 2017-19/CVE-2017-7785: Buffer overflow manipulating
ARIA attributes in DOM

- MFSA 2017-19/CVE-2017-7784: Use-after-free with image
observers

- MFSA 2017-19/CVE-2017-7753: Out-of-bounds read with
cached style data and pseudo-elements

- MFSA 2017-19/CVE-2017-7798: XUL injection in the style
editor in devtools

- MFSA 2017-19/CVE-2017-7804: Memory protection bypass
through WindowsDllDetourPatcher

- MFSA 2017-19/CVE-2017-7779: Memory safety bugs fixed in
Firefox 55 and Firefox ESR 52.3

- MFSA 2017-19/CVE-2017-7800: Use-after-free in WebSockets
during disconnection

- MFSA 2017-19/CVE-2017-7801: Use-after-free with marquee
during window resizing

- MFSA 2017-19/CVE-2017-7802: Use-after-free resizing
image elements

- MFSA 2017-19/CVE-2017-7803: CSP containing 'sandbox'
improperly applied This update also fixes :

- fixed firefox hangs after a while in FUTEX_WAIT_PRIVATE
if cgroups enabled and running on cpu >=1 (bsc#1031485)

- The Itanium ia64 build was fixed.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1031485
https://bugzilla.suse.com/1052829
https://www.suse.com/security/cve/CVE-2017-7753.html
https://www.suse.com/security/cve/CVE-2017-7779.html
https://www.suse.com/security/cve/CVE-2017-7782.html
https://www.suse.com/security/cve/CVE-2017-7784.html
https://www.suse.com/security/cve/CVE-2017-7785.html
https://www.suse.com/security/cve/CVE-2017-7786.html
https://www.suse.com/security/cve/CVE-2017-7787.html
https://www.suse.com/security/cve/CVE-2017-7791.html
https://www.suse.com/security/cve/CVE-2017-7792.html
https://www.suse.com/security/cve/CVE-2017-7798.html
https://www.suse.com/security/cve/CVE-2017-7800.html
https://www.suse.com/security/cve/CVE-2017-7801.html
https://www.suse.com/security/cve/CVE-2017-7802.html
https://www.suse.com/security/cve/CVE-2017-7803.html
https://www.suse.com/security/cve/CVE-2017-7804.html
https://www.suse.com/security/cve/CVE-2017-7807.html
http://www.nessus.org/u?c78a5b40

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
patch sdksp4-MozillaFirefox-13254=1

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
slessp4-MozillaFirefox-13254=1

SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
slessp3-MozillaFirefox-13254=1

SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
sleposp3-MozillaFirefox-13254=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
dbgsp4-MozillaFirefox-13254=1

SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
dbgsp3-MozillaFirefox-13254=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now