openSUSE Security Update : the MozillaFirefox / mozilla-nss and mozilla-nspr (openSUSE-2016-128)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to MozillaFirefox fixes several security issues and bugs.

Mozilla Firefox was updated to 44.0. Mozilla NSS was updated to 3.21.
Mozilla NSPR was updated to 4.11.

The following vulnerabilities were fixed :

- CVE-2016-1930/CVE-2016-1931: Miscellaneous memory safety
hazards (boo#963633)

- CVE-2016-1933: Out of Memory crash when parsing GIF
format images (boo#963634)

- CVE-2016-1935: Buffer overflow in WebGL after out of
memory allocation (boo#963635)

- CVE-2015-7208/CVE-2016-1939: Firefox allows for control
characters to be set in cookie names (boo#963637)

- CVE-2016-1937: Missing delay following user click events
in protocol handler dialog (boo#963641)

- CVE-2016-1938: Errors in mp_div and mp_exptmod
cryptographic functions in NSS (boo#963731)

- CVE-2016-1942/CVE-2016-1943: Addressbar spoofing attacks
(boo#963643)

- CVE-2016-1944/CVE-2016-1945/CVE-2016-1946: Unsafe memory
manipulation found through code inspection (boo#963644)

- CVE-2016-1947: Application Reputation service disabled
in Firefox 43 (boo#963645)

The following change from Mozilla Firefox 43.0.4 is included :

- Re-enable SHA-1 certificates to prevent outdated
man-in-the-middle security devices from interfering with
properly secured SSL/TLS connections

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=963633
https://bugzilla.opensuse.org/show_bug.cgi?id=963634
https://bugzilla.opensuse.org/show_bug.cgi?id=963635
https://bugzilla.opensuse.org/show_bug.cgi?id=963637
https://bugzilla.opensuse.org/show_bug.cgi?id=963641
https://bugzilla.opensuse.org/show_bug.cgi?id=963643
https://bugzilla.opensuse.org/show_bug.cgi?id=963644
https://bugzilla.opensuse.org/show_bug.cgi?id=963645
https://bugzilla.opensuse.org/show_bug.cgi?id=963731

Solution :

Update the affected MozillaFirefox, mozilla-nss and mozilla-nspr packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
