SUSE SLES10 Security Update : MozillaFirefox (SUSE-SU-2016:0820-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

Mozilla Firefox was updated to 38.7.0 ESR, fixing the following
security issues :

MFSA 2016-16/CVE-2016-1952/CVE-2016-1953: Miscellaneous memory safety
hazards (rv:45.0 / rv:38.7)

MFSA 2016-17/CVE-2016-1954: Local file overwriting and potential
privilege escalation through CSP reports

MFSA 2016-20/CVE-2016-1957: Memory leak in libstagefright when
deleting an array during MP4 processing

MFSA 2016-21/CVE-2016-1958: Displayed page address can be overridden

MFSA 2016-23/CVE-2016-1960: Use-after-free in HTML5 string parser

MFSA 2016-24/CVE-2016-1961: Use-after-free in SetBody

MFSA 2016-25/CVE-2016-1962: Use-after-free when using multiple WebRTC
data channels

MFSA 2016-27/CVE-2016-1964: Use-after-free during XML transformations

MFSA 2016-28/CVE-2016-1965: Addressbar spoofing though history
navigation and Location protocol property

MFSA 2016-31/CVE-2016-1966: Memory corruption with malicious NPAPI
plugin

MFSA 2016-34/CVE-2016-1974: Out-of-bounds read in HTML parser
following a failed allocation

MFSA 2016-35/CVE-2016-1950: Buffer overflow during ASN.1 decoding in
NSS

MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
CVE-2016-2800/CVE-2016-2801/CVE-2016-2802: Font vulnerabilities in the
Graphite 2 library.

Mozilla NSPR was updated to version 4.12, fixing following bugs :

Added a PR_GetEnvSecure function, which attempts to detect if the
program is being executed with elevated privileges, and returns NULL
if detected. It is recommended to use this function in general purpose
library code.

Fixed a memory allocation bug related to the PR_*printf functions

Exported API PR_DuplicateEnvironment, which had already been added in
NSPR 4.10.9

Several minor correctness and compatibility fixes.

Mozilla NSS was updated to fix security issues :

MFSA 2016-15/CVE-2016-1978: Use-after-free in NSS during SSL
connections in low memory

MFSA 2016-35/CVE-2016-1950: Buffer overflow during ASN.1 decoding in
NSS

MFSA 2016-36/CVE-2016-1979: Use-after-free during processing of DER
encoded keys in NSS.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/969894
http://www.nessus.org/u?f3ce2a68
http://www.nessus.org/u?8d36f7a4

Solution :

Update the affected MozillaFirefox packages

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false