SUSE SLED12 / SLES12 Security Update : MozillaFirefox / mozilla-nss (SUSE-SU-2014:1510-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

- update to Firefox 31.2.0 ESR (bnc#900941)

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 (bmo#1001994,
bmo#1011354, bmo#1018916, bmo#1020034, bmo#1023035,
bmo#1032208, bmo#1033020, bmo#1034230, bmo#1061214,
bmo#1061600, bmo#1064346, bmo#1072044, bmo#1072174)
Miscellaneous memory safety hazards (rv:33.0/rv:31.2)

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow
during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio
memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds
write with WebM video

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free
interacting with text directionality

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876,
bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing
cross-origin objects via the Alarms API

- SSLv3 is disabled by default. See README.POODLE for more
detailed information.

- disable call home features

- update to 3.17.2 (bnc#900941) Bugfix release

- bmo#1049435 - Importing an RSA private key fails if p <
q

- bmo#1057161 - NSS hangs with 100% CPU on invalid EC key

- bmo#1078669 - certutil crashes when using the
--certVersion parameter

- changes from earlier version of the 3.17 branch: update
to 3.17.1 (bnc#897890)

- MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
RSA Signature Forgery in NSS

- Change library's signature algorithm default to SHA256

- Add support for draft-ietf-tls-downgrade-scsv

- Add clang-cl support to the NSS build system

- Implement TLS 1.3 :

- Part 1. Negotiate TLS 1.3

- Part 2. Remove deprecated cipher suites andcompression.

- Add support for little-endian powerpc64 update to 3.17

- required for Firefox 33 New functionality :

- When using ECDHE, the TLS server code may be configured
to generate a fresh ephemeral ECDH key for each
handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY
socket option to PR_FALSE. The
SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE,
which means the server's ephemeral ECDH key is reused
for multiple handshakes. This option does not affect the
TLS client code, which always generates a fresh
ephemeral ECDH key for each handshake. New Macros

- SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

- The manual pages for the certutil and pp tools have been
updated to document the new parameters that had been
added in NSS 3.16.2.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://support.novell.com/security/cve/CVE-2014-1568.html
http://support.novell.com/security/cve/CVE-2014-1574.html
http://support.novell.com/security/cve/CVE-2014-1575.html
http://support.novell.com/security/cve/CVE-2014-1576.html
http://support.novell.com/security/cve/CVE-2014-1577.html
http://support.novell.com/security/cve/CVE-2014-1578.html
http://support.novell.com/security/cve/CVE-2014-1581.html
http://support.novell.com/security/cve/CVE-2014-1583.html
http://support.novell.com/security/cve/CVE-2014-1585.html
http://support.novell.com/security/cve/CVE-2014-1586.html
https://bugzilla.suse.com/show_bug.cgi?id=897890
https://bugzilla.suse.com/show_bug.cgi?id=900941
http://www.nessus.org/u?789145a1

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2014-81

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2014-81

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2014-81

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now