openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2015-185)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

MozillaFirefox, mozilla-nss were updated to fix 18 security issues.

MozillaFirefox was updated to version 36.0. These security issues were
fixed :

- CVE-2015-0835, CVE-2015-0836: Miscellaneous memory
safety hazards

- CVE-2015-0832: Appended period to hostnames can bypass
HPKP and HSTS protections

- CVE-2015-0830: Malicious WebGL content crash when
writing strings

- CVE-2015-0834: TLS TURN and STUN connections silently
fail to simple TCP connections

- CVE-2015-0831: Use-after-free in IndexedDB

- CVE-2015-0829: Buffer overflow in libstagefright during
MP4 video playback

- CVE-2015-0828: Double-free when using non-default memory
allocators with a zero-length XHR

- CVE-2015-0827: Out-of-bounds read and write while
rendering SVG content

- CVE-2015-0826: Buffer overflow during CSS restyling

- CVE-2015-0825: Buffer underflow during MP3 playback

- CVE-2015-0824: Crash using DrawTarget in Cairo graphics
library

- CVE-2015-0823: Use-after-free in Developer Console date
with OpenType Sanitiser

- CVE-2015-0822: Reading of local files through
manipulation of form autocomplete

- CVE-2015-0821: Local files or privileged URLs in pages
can be opened into new tabs

- CVE-2015-0819: UI Tour whitelisted sites in background
tab can spoof foreground tabs

- CVE-2015-0820: Caja Compiler JavaScript sandbox bypass

mozilla-nss was updated to version 3.17.4 to fix the following
issues :

- CVE-2014-1569: QuickDER decoder length issue
(bnc#910647).

- bmo#1084986: If an SSL/TLS connection fails, because
client and server don't have any common protocol version
enabled, NSS has been changed to report error code
SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
SSL_ERROR_NO_CYPHER_OVERLAP).

- bmo#1112461: libpkix was fixed to prefer the newest
certificate, if multiple certificates match.

- bmo#1094492: fixed a memory corruption issue during
failure of keypair generation.

- bmo#1113632: fixed a failure to reload a PKCS#11 module
in FIPS mode.

- bmo#1119983: fixed interoperability of NSS server code
with a LibreSSL client.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=910647
https://bugzilla.opensuse.org/show_bug.cgi?id=917597

Solution :

Update the affected MozillaFirefox / mozilla-nss packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now