openSUSE Security Update : Firefox (openSUSE-2016-566) (SWEET32)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to Mozilla Firefox 46.0 fixes several security issues and
bugs (boo#977333).

The following vulnerabilities were fixed :

- CVE-2016-2804: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977373)

- CVE-2016-2806: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977375)

- CVE-2016-2807: Miscellaneous memory safety hazards -
MFSA 2016-39 (boo#977376)

- CVE-2016-2808: Write to invalid HashMap entry through -
MFSA 2016-47 (boo#977386)

- CVE-2016-2811: Use-after-free in Service Worker - MFSA
2016-42 (boo#977379)

- CVE-2016-2812: Buffer overflow in Service Worker - MFSA
2016-42 (boo#977379)

- CVE-2016-2814: Buffer overflow in libstagefright with
CENC offsets - MFSA 2016-44 (boo#977381)

- CVE-2016-2816: CSP not applied to pages sent with
multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)

- CVE-2016-2817: Elevation of privilege with
chrome.tabs.update API in web extensions - MFSA 2016-46

- CVE-2016-2820: Firefox Health Reports could accept
events from untrusted domains - MFSA 2016-48

The following miscellaneous changes are included :

- Improved security of the JavaScript Just In Time (JIT)

- WebRTC fixes to improve performance and stability

- Added support for document.elementsFromPoint

- Added HKDF support for Web Crypto API

The minimum requirements increased to NSPR 4.12 and NSS 3.22.3.

Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox
46.0, with the following changes :

- Increase compatibility of TLS extended master secret,
don't send an empty TLS extension last in the handshake

- RSA-PSS signatures are now supported

- Pseudorandom functions based on hashes other than SHA-1
are now supported

- Enforce an External Policy on NSS from a config file

See also :

Solution :

Update the affected Firefox packages.

Risk factor :

Critical / CVSS Base Score : 10.0
