openSUSE Security Update : Mozilla based packages (openSUSE-2017-712)

High Nessus Plugin ID 100885

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues :

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16 :

- CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees

- CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading

- CVE-2017-7750 (bmo#1356558) Use-after-free with track elements

- CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners

- CVE-2017-7752 (bmo#1359547) Use-after-free with IME input

- CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object

- CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only)

- CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors

- CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB

- CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library

- CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder

- CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only)

- CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only)

- CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks

- CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only)

- CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only)

- CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only)

- CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only)

- CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

- remove -fno-inline-small-functions and explicitely optimize with

-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5

- Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1. (bmo#1350859)

- March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA certificates removed: O = Japanese Government, OU = ApplicationCA CN = WellsSecure Public Root Certificate Authority CN = TURKTRUST Elektronik Sertifika Hizmet H6 CN = Microsec e-Szigno Root CA certificates added: CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime dependency.

Solution

Update the affected Mozilla based packages packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1040105

https://bugzilla.opensuse.org/show_bug.cgi?id=1043960

Plugin Details

Severity: High

ID: 100885

File Name: openSUSE-2017-712.nasl

Version: 3.5

Type: local

Agent: unix

Published: 2017/06/20

Updated: 2018/09/04

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2017/06/19

Reference Information

CVE: CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7760, CVE-2017-7761, CVE-2017-7764, CVE-2017-7765, CVE-2017-7766, CVE-2017-7767, CVE-2017-7768, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778