openSUSE Security Update : MozillaFirefox (openSUSE-2015-548)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- update to Firefox 40.0 (bnc#940806)

- Added protection against unwanted software downloads

- Suggested Tiles show sites of interest, based on
categories from your recent browsing history

- Hello allows adding a link to conversations to provide
context on what the conversation will be about

- New style for add-on manager based on the in-content
preferences style

- Improved scrolling, graphics, and video playback
performance with off main thread compositing (GNU/Linux
only)

- Graphic blocklist mechanism improved: Firefox version
ranges can be specified, limiting the number of devices
blocked security fixes :

- MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous
memory safety hazards

- MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds
read with malformed MP3 file

- MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free
in MediaStream playback

- MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of
non-configurable JavaScript object properties

- MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493
Overflow issues in libstagefright

- MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file
overwriting through Mozilla Maintenance Service with
hard links (only affected Windows)

- MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds
write with Updater and malicious MAR file (does not
affect openSUSE RPM packages which do not ship the
updater)

- MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol
with POST bypasses mixed content protections

- MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when
using shared memory in JavaScript

- MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow
in gdk-pixbuf when scaling bitmap images

- MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,
bmo#1178148) Buffer overflows on Libvpx when decoding
WebM video

- MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
Vulnerabilities found through code inspection

- MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content
Security Policy allows for asterisk wildcards in
violation of CSP specification

- MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free
in XMLHttpRequest with shared workers

- added mozilla-no-stdcxx-check.patch

- removed obsolete patches

- mozilla-add-glibcxx_use_cxx11_abi.patch

- firefox-multilocale-chrome.patch

- rebased patches

- requires version 40 of the branding package

- removed browser/searchplugins/ location as it's not
valid anymore

- includes security update to Firefox 39.0.3 (bnc#940918)

- MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058)
Same origin violation and local file stealing via PDF
reader

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=940806
https://bugzilla.opensuse.org/show_bug.cgi?id=940918

Solution :

Update the affected MozillaFirefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now