openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-704)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to Mozilla Firefox 47 fixes the following issues
(boo#983549) :

Security fixes :

- CVE-2016-2815/CVE-2016-2818: Miscellaneous memory safety
hazards (boo#983638 MFSA 2016-49)

- CVE-2016-2819: Buffer overflow parsing HTML5 fragments
(boo#983655 MFSA 2016-50)

- CVE-2016-2821: Use-after-free deleting tables from a
contenteditable document (boo#983653 MFSA 2016-51)

- CVE-2016-2822: Addressbar spoofing though the SELECT
element (boo#983652 MFSA 2016-52)

- CVE-2016-2824: Out-of-bounds write with WebGL shader
(boo#983651 MFSA 2016-53)

- CVE-2016-2825: Partial same-origin-policy through
setting location.host through data URI (boo#983649 MFSA
2016-54)

- CVE-2016-2828: Use-after-free when textures are used in
WebGL operations after recycle pool destruction
(boo#983646 MFSA 2016-56)

- CVE-2016-2829: Incorrect icon displayed on permissions
notifications (boo#983644 MFSA 2016-57)

- CVE-2016-2831: Entering fullscreen and persistent
pointerlock without user permission (boo#983643 MFSA
2016-58)

- CVE-2016-2832: Information disclosure of disabled
plugins through CSS pseudo-classes (boo#983632 MFSA
2016-59)

- CVE-2016-2833: Java applets bypass CSP protections
(boo#983640 MFSA 2016-60)

Mozilla NSS was updated to 3.23 to address the following
vulnerabilities :

- CVE-2016-2834: Memory safety bugs (boo#983639
MFSA-2016-61) The following non-security changes are
included :

- Enable VP9 video codec for users with fast machines

- Embedded YouTube videos now play with HTML5 video if
Flash is not installed

- View and search open tabs from your smartphone or
another computer in a sidebar

- Allow no-cache on back/forward navigations for https
resources

The following packaging changes are included :

- boo#981695: cleanup configure options, notably removing
GStreamer support which is gone from FF

- boo#980384: enable build with PIE and full relro on
x86_64

The following new functionality is provided :

- ChaCha20/Poly1305 cipher and TLS cipher suites now
supported

- The list of TLS extensions sent in the TLS handshake has
been reordered to increase compatibility of the Extended
Master Secret with with servers

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=980384
https://bugzilla.opensuse.org/show_bug.cgi?id=981695
https://bugzilla.opensuse.org/show_bug.cgi?id=983549
https://bugzilla.opensuse.org/show_bug.cgi?id=983632
https://bugzilla.opensuse.org/show_bug.cgi?id=983638
https://bugzilla.opensuse.org/show_bug.cgi?id=983639
https://bugzilla.opensuse.org/show_bug.cgi?id=983640
https://bugzilla.opensuse.org/show_bug.cgi?id=983643
https://bugzilla.opensuse.org/show_bug.cgi?id=983644
https://bugzilla.opensuse.org/show_bug.cgi?id=983646
https://bugzilla.opensuse.org/show_bug.cgi?id=983649
https://bugzilla.opensuse.org/show_bug.cgi?id=983651
https://bugzilla.opensuse.org/show_bug.cgi?id=983652
https://bugzilla.opensuse.org/show_bug.cgi?id=983653
https://bugzilla.opensuse.org/show_bug.cgi?id=983655

Solution :

Update the affected MozillaFirefox / mozilla-nss packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now