openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-541)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to Mozilla Firefox 46.0 fixes several security issues and
bugs (boo#977333).

The following vulnerabilities were fixed :

- CVE-2016-2804: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977373)

- CVE-2016-2806: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977375)

- CVE-2016-2807: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977376)

- CVE-2016-2808: Write to invalid HashMap entry through
JavaScript.watch() - MFSA 2016-47 (boo#977386)

- CVE-2016-2811: Use-after-free in Service Worker - MFSA
2016-42 (boo#977379)

- CVE-2016-2812: Buffer overflow in Service Worker - MFSA
2016-42 (boo#977379)

- CVE-2016-2814: Buffer overflow in libstagefright with
CENC offsets - MFSA 2016-44 (boo#977381)

- CVE-2016-2816: CSP not applied to pages sent with
multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)

- CVE-2016-2817: Elevation of privilege with
chrome.tabs.update API in web extensions - MFSA 2016-46
(boo#977384)

- CVE-2016-2820: Firefox Health Reports could accept
events from untrusted domains - MFSA 2016-48
(boo#977388)

The following miscellaneous changes are included :

- Improved security of the JavaScript Just In Time (JIT)
Compiler

- WebRTC fixes to improve performance and stability

- Added support for document.elementsFromPoint

- Added HKDF support for Web Crypto API

The following changes from Mozilla Firefox 45.0.2 are included :

- Fix an issue impacting the cookie header when
third-party cookies are blocked

- Fix a web compatibility regression impacting the srcset
attribute of the image tag

- Fix a crash impacting the video playback with Media
Source Extension

- Fix a regression impacting some specific uploads

- Fix a regression with the copy and paste with some old
versions of some Gecko applications like Thunderbird

The following changes from Mozilla Firefox 45.0.1 are included :

- Fix a regression causing search engine settings to be
lost in some contexts

- Bring back non-standard jar: URIs to fix a regression in
IBM iNotes

- XSLTProcessor.importStylesheet was failing when import
was used

- Fix an issue which could cause the list of search
providers to be empty

- Fix a regression when using the location bar
(bmo#1254503)

- Fix some loading issues when "Accept third-party cookies"
was set to "Never"

- Disabled Graphite font shaping library

The minimum required versions of the dependencies increased to NSPR 4.12 and NSS 3.22.3.

Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox
46.0, with the following changes :

- Improve compatibility of the TLS extended master secret
extension: an empty TLS extension is no longer sent last in
the handshake (bmo#1243641)

- RSA-PSS signatures are now supported

- Pseudorandom functions based on hashes other than SHA-1
are now supported

- Enforce an External Policy on NSS from a config file

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=977333
https://bugzilla.opensuse.org/show_bug.cgi?id=977373
https://bugzilla.opensuse.org/show_bug.cgi?id=977375
https://bugzilla.opensuse.org/show_bug.cgi?id=977376
https://bugzilla.opensuse.org/show_bug.cgi?id=977379
https://bugzilla.opensuse.org/show_bug.cgi?id=977381
https://bugzilla.opensuse.org/show_bug.cgi?id=977382
https://bugzilla.opensuse.org/show_bug.cgi?id=977384
https://bugzilla.opensuse.org/show_bug.cgi?id=977386
https://bugzilla.opensuse.org/show_bug.cgi?id=977388

Solution :

Update the affected MozillaFirefox / mozilla-nss packages.
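Before and after applying the update it is useful to confirm that the installed package versions are at or above the ones this advisory delivers (Firefox 46.0 and NSS 3.22.3). The following POSIX shell script is an added example, not part of the Nessus plugin or of the openSUSE advisory: it compares dotted version strings in awk so it runs without rpm or zypper, and only queries rpm when that binary exists. The function names, the fallback sample versions (45.0.2 and 3.21) and the assumption that the RPM %{VERSION} field carries the upstream version are all this example's own.

```shell
#!/bin/sh
# Added example (not the plugin's or openSUSE's code): check whether the
# installed MozillaFirefox / mozilla-nss packages are older than the
# versions named in the advisory (Firefox 46.0, NSS 3.22.3).

# version_lt A B -> exit 0 if dotted version A is strictly older than B.
# Missing components are treated as 0, so 46.0 == 46.0.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal -> not older
    }'
}

# Minimum fixed versions stated in the advisory text.
FIXED_FIREFOX=46.0
FIXED_NSS=3.22.3

# needs_update PKG INSTALLED FIXED -> returns 0 (and says so) when INSTALLED
# is older than FIXED, returns 1 when the package is already at or above it.
needs_update() {
    if version_lt "$2" "$3"; then
        echo "$1 $2 is older than $3: apply the update"
        return 0
    fi
    echo "$1 $2 is at or above $3: ok"
    return 1
}

# installed_version PKG -> prints the RPM %{VERSION} of PKG; fails when rpm
# is not available or the package is not installed.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' "$1" 2>/dev/null
}

# check_host: query the real packages when possible, otherwise fall back to
# constructed sample versions so the logic still runs on any machine.
# Returns 0 if either package needs the update, 1 if both are current.
check_host() {
    ff=$(installed_version MozillaFirefox) || ff=45.0.2   # constructed sample
    nss=$(installed_version mozilla-nss)   || nss=3.21    # constructed sample
    rc=1
    needs_update MozillaFirefox "$ff" "$FIXED_FIREFOX" && rc=0
    needs_update mozilla-nss "$nss" "$FIXED_NSS" && rc=0
    return $rc
}

check_host
```

On an openSUSE host the natural follow-up is `zypper patch` or `zypper in MozillaFirefox mozilla-nss`, then rerunning the script; note that a running Firefox keeps the old NSS mapped until it is restarted, so a version check alone does not prove the fixed code is in use.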

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
