SUSE SLED12 / SLES12 Security Update : MozillaFirefox / mozilla-nss (SUSE-SU-2014:1510-1)

high Nessus Plugin ID 83849

Synopsis

The remote SUSE host is missing one or more security updates.

Description

- update to Firefox 31.2.0 ESR (bnc#900941)

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994, bmo#1011354, bmo#1018916, bmo#1020034, bmo#1023035, bmo#1032208, bmo#1033020, bmo#1034230, bmo#1061214, bmo#1061600, bmo#1064346, bmo#1072044, bmo#1072174) Miscellaneous memory safety hazards (rv:33.0/rv:31.2)

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API

- SSLv3 is disabled by default. See README.POODLE for more detailed information.

- disable call home features

- update to 3.17.2 (bnc#900941) Bugfix release

- bmo#1049435 - Importing an RSA private key fails if p < q

- bmo#1057161 - NSS hangs with 100% CPU on invalid EC key

- bmo#1078669 - certutil crashes when using the
--certVersion parameter

- changes from earlier version of the 3.17 branch: update to 3.17.1 (bnc#897890)

- MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405) RSA Signature Forgery in NSS

- Change library's signature algorithm default to SHA256

- Add support for draft-ietf-tls-downgrade-scsv

- Add clang-cl support to the NSS build system

- Implement TLS 1.3 :

- Part 1. Negotiate TLS 1.3

- Part 2. Remove deprecated cipher suites andcompression.

- Add support for little-endian powerpc64 update to 3.17

- required for Firefox 33 New functionality :

- When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros

- SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

- The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2014-81

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2014-81

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2014-81

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=897890

https://bugzilla.suse.com/show_bug.cgi?id=900941

https://www.suse.com/security/cve/CVE-2014-1568/

https://www.suse.com/security/cve/CVE-2014-1574/

https://www.suse.com/security/cve/CVE-2014-1575/

https://www.suse.com/security/cve/CVE-2014-1576/

https://www.suse.com/security/cve/CVE-2014-1577/

https://www.suse.com/security/cve/CVE-2014-1578/

https://www.suse.com/security/cve/CVE-2014-1581/

https://www.suse.com/security/cve/CVE-2014-1583/

https://www.suse.com/security/cve/CVE-2014-1585/

https://www.suse.com/security/cve/CVE-2014-1586/

http://www.nessus.org/u?789145a1

Plugin Details

Severity: High

ID: 83849

File Name: suse_SU-2014-1510-1.nasl

Version: 2.11

Type: local

Agent: unix

Published: 5/27/2015

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:mozillafirefox, p-cpe:/a:novell:suse_linux:mozillafirefox-branding-sle, p-cpe:/a:novell:suse_linux:mozillafirefox-debuginfo, p-cpe:/a:novell:suse_linux:mozillafirefox-debugsource, p-cpe:/a:novell:suse_linux:mozillafirefox-translations, p-cpe:/a:novell:suse_linux:libfreebl3, p-cpe:/a:novell:suse_linux:libfreebl3-debuginfo, p-cpe:/a:novell:suse_linux:libfreebl3-hmac, p-cpe:/a:novell:suse_linux:libsoftokn3, p-cpe:/a:novell:suse_linux:libsoftokn3-debuginfo, p-cpe:/a:novell:suse_linux:libsoftokn3-hmac, p-cpe:/a:novell:suse_linux:mozilla-nss, p-cpe:/a:novell:suse_linux:mozilla-nss-certs, p-cpe:/a:novell:suse_linux:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:suse_linux:mozilla-nss-debuginfo, p-cpe:/a:novell:suse_linux:mozilla-nss-debugsource, p-cpe:/a:novell:suse_linux:mozilla-nss-tools, p-cpe:/a:novell:suse_linux:mozilla-nss-tools-debuginfo, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/27/2014

Vulnerability Publication Date: 9/25/2014

Reference Information

CVE: CVE-2014-1568, CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586

BID: 70116, 70424, 70425, 70426, 70427, 70428, 70430, 70436, 70439, 70440, 72178