openSUSE Security Update : firefox / mozilla-nspr / mozilla-nss and seamonkey (openSUSE-SU-2014:1345-1)

critical Nessus Plugin ID 78817

Synopsis

The remote openSUSE host is missing a security update.

Description

- update to Firefox 33.0 (bnc#900941) New features :

- OpenH264 support (sandboxed)

- Enhanced Tiles

- Improved search experience through the location bar

- Slimmer and faster JavaScript strings

- New CSP (Content Security Policy) backend

- Support for connecting to HTTP proxy over HTTPS

- Improved reliability of the session restoration

- Proprietary window.crypto properties/functions removed Security :

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

- added basic appdata information

- update to SeaMonkey 2.30 (bnc#900941)

- venkman debugger removed from application and therefore obsolete package seamonkey-venkman

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

Changes in mozilla-nspr :

- update to version 4.10.7

- bmo#836658: VC11+ defaults to SSE2 builds by default.

- bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103 PR_NewThreadPrivateIndex.

- bmo#1026129: Replace some manual declarations of MSVC intrinsics with #include <intrin.h>.

- bmo#1026469: Use AC_CHECK_LIB instead of MOZ_CHECK_PTHREADS. Skip compiler checks when using MSVC, even when $CC is not literally 'cl'.

- bmo#1034415: NSPR hardcodes the C compiler to cl on Windows.

- bmo#1042408: Compilation fix for Android > API level 19.

- bmo#1043082: NSPR's build system hardcodes -MD.

Changes in mozilla-nss :

- update to 3.17.1 (bnc#897890)

- Change library's signature algorithm default to SHA256

- Add support for draft-ietf-tls-downgrade-scsv

- Add clang-cl support to the NSS build system

- Implement TLS 1.3 :

- Part 1. Negotiate TLS 1.3

- Part 2. Remove deprecated cipher suites andcompression.

- Add support for little-endian powerpc64

- update to 3.17

- required for Firefox 33 New functionality :

- When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros

- SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

- The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2.

- On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime library should be used. By default the dynamic C runtime library is used.

Solution

Update the affected firefox / mozilla-nspr / mozilla-nss and seamonkey packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1012609

https://bugzilla.mozilla.org/show_bug.cgi?id=1015540

https://bugzilla.mozilla.org/show_bug.cgi?id=1026129

https://bugzilla.mozilla.org/show_bug.cgi?id=1026469

https://bugzilla.mozilla.org/show_bug.cgi?id=1034415

https://bugzilla.mozilla.org/show_bug.cgi?id=1041512

https://bugzilla.mozilla.org/show_bug.cgi?id=1042408

https://bugzilla.mozilla.org/show_bug.cgi?id=1043082

https://bugzilla.mozilla.org/show_bug.cgi?id=1049095

https://bugzilla.mozilla.org/show_bug.cgi?id=1062876

https://bugzilla.mozilla.org/show_bug.cgi?id=1062981

https://bugzilla.mozilla.org/show_bug.cgi?id=1063327

https://bugzilla.mozilla.org/show_bug.cgi?id=1063733

https://bugzilla.mozilla.org/show_bug.cgi?id=1063971

https://bugzilla.mozilla.org/show_bug.cgi?id=1066190

https://bugzilla.mozilla.org/show_bug.cgi?id=1068218

https://bugzilla.mozilla.org/show_bug.cgi?id=836658

https://bugzilla.mozilla.org/show_bug.cgi?id=979278

https://bugzilla.opensuse.org/show_bug.cgi?id=894370

https://bugzilla.opensuse.org/show_bug.cgi?id=896624

https://bugzilla.opensuse.org/show_bug.cgi?id=897890

https://bugzilla.opensuse.org/show_bug.cgi?id=900941

https://bugzilla.opensuse.org/show_bug.cgi?id=901213

https://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html

Plugin Details

Severity: Critical

ID: 78817

File Name: openSUSE-2014-611.nasl

Version: 1.7

Type: local

Agent: unix

Published: 11/3/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:seamonkey, p-cpe:/a:novell:opensuse:seamonkey-debuginfo, p-cpe:/a:novell:opensuse:seamonkey-debugsource, p-cpe:/a:novell:opensuse:seamonkey-dom-inspector, p-cpe:/a:novell:opensuse:seamonkey-irc, p-cpe:/a:novell:opensuse:seamonkey-translations-common, p-cpe:/a:novell:opensuse:seamonkey-translations-other, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 10/24/2014

Reference Information

CVE: CVE-2014-1554, CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1583, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586