openSUSE Security Update : MozillaFirefox (openSUSE-2015-375)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The Mozilla Firefox web browser was updated to version 38.0.1 to fix
several security and non-security issues. This update also includes a
Mozilla Network Security Services (NSS) update to version 3.18.1.

The following vulnerabilities and issues were fixed :

Changes in Mozilla Firefox :

- update to Firefox 38.0.1: stability and regression fixes

- Systems with first generation NVidia Optimus graphics
cards may crash on start-up

- Users who import cookies from Google Chrome can end up
with broken websites

- Large animated images may fail to play and may stop
other images from loading

- update to Firefox 38.0 (bnc#930622)

- New tab-based preferences

- Ruby annotation support

- more info:
https://www.mozilla.org/en-US/firefox/38.0/releasenotes/

Security fixes :

- MFSA 2015-46/CVE-2015-2708/CVE-2015-2709 Miscellaneous
memory safety hazards

- MFSA 2015-47/CVE-2015-0797 (bmo#1080995) Buffer overflow
parsing H.264 video with Linux Gstreamer

- MFSA 2015-48/CVE-2015-2710 (bmo#1149542) Buffer overflow
with SVG content and CSS

- MFSA 2015-49/CVE-2015-2711 (bmo#1113431) Referrer policy
ignored when links opened by middle-click and context
menu

- MFSA 2015-50/CVE-2015-2712 (bmo#1152280) Out-of-bounds
read and write in asm.js validation

- MFSA 2015-51/CVE-2015-2713 (bmo#1153478) Use-after-free
during text processing with vertical text enabled

- MFSA 2015-53/CVE-2015-2715 (bmo#988698) Use-after-free
due to Media Decoder Thread creation during shutdown

- MFSA 2015-54/CVE-2015-2716 (bmo#1140537) Buffer overflow
when parsing compressed XML

- MFSA 2015-55/CVE-2015-2717 (bmo#1154683) Buffer overflow
and out-of-bounds read while parsing MP4 video metadata

- MFSA 2015-56/CVE-2015-2718 (bmo#1146724) Untrusted site
hosting trusted page can intercept webchannel responses

- MFSA 2015-57/CVE-2011-3079 (bmo#1087565) Privilege
escalation through IPC channel messages

Changes in Mozilla NSS :

- update to 3.18.1

- Firefox target release 38

- No new functionality is introduced in this release.

Notable Changes :

- The following CA certificate had the Websites and Code
Signing trust bits restored to their original state to
allow more time to develop a better transition strategy
for affected sites :

- OU = Equifax Secure Certificate Authority

- The following CA certificate was removed :

- CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi

- The following intermediate CA certificate has been added
as actively distrusted because it was mis-used to issue
certificates for domain names the holder did not own or
control :

- CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG

- The version number of the updated root CA list has been
set to 2.4

- update to 3.18

- Firefox target release 38

New functionality :

- When importing certificates and keys from a PKCS#12
source, it's now possible to override the nicknames,
prior to importing them into the NSS database, using new
API SEC_PKCS12DecoderRenameCertNicknames.

- The tstclnt test utility program has new command-line
options -C, -D, -b and -R. Use -C one, two or three times to
print information about the certificates received from a
server, and information about the locally found and
trusted issuer certificates, to diagnose server side
configuration issues. It is possible to run tstclnt

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=930622
https://www.mozilla.org/en-US/firefox/38.0/releasenotes/

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
