openSUSE Security Update : Mozilla based packages (openSUSE-2017-712)

high Nessus Plugin ID 100885
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for Mozilla Firefox, Thunderbird, and NSS fixes the following issues :

Mozilla Firefox was updated to 52.2esr (boo#1043960) MFSA 2017-16 :

- CVE-2017-5472 (bmo#1365602) Use-after-free using destroyed node when regenerating trees

- CVE-2017-7749 (bmo#1355039) Use-after-free during docshell reloading

- CVE-2017-7750 (bmo#1356558) Use-after-free with track elements

- CVE-2017-7751 (bmo#1363396) Use-after-free with content viewer listeners

- CVE-2017-7752 (bmo#1359547) Use-after-free with IME input

- CVE-2017-7754 (bmo#1357090) Out-of-bounds read in WebGL with ImageInfo object

- CVE-2017-7755 (bmo#1361326) Privilege escalation through Firefox Installer with same directory DLL files (Windows only)

- CVE-2017-7756 (bmo#1366595) Use-after-free and use-after-scope logging XHR header errors

- CVE-2017-7757 (bmo#1356824) Use-after-free in IndexedDB

- CVE-2017-7778, CVE-2017-7778, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777 Vulnerabilities in the Graphite 2 library

- CVE-2017-7758 (bmo#1368490) Out-of-bounds read in Opus encoder

- CVE-2017-7760 (bmo#1348645) File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service (Windows only)

- CVE-2017-7761 (bmo#1215648) File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application (Windows only)

- CVE-2017-7764 (bmo#1364283) Domain spoofing with combination of Canadian Syllabics and other unicode blocks

- CVE-2017-7765 (bmo#1273265) Mark of the Web bypass when saving executable files (Windows only)

- CVE-2017-7766 (bmo#1342742) File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service (Windows only)

- CVE-2017-7767 (bmo#1336964) Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service (Windows only)

- CVE-2017-7768 (bmo#1336979) 32 byte arbitrary file read through Mozilla Maintenance Service (Windows only)

- CVE-2017-5470 Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

- remove -fno-inline-small-functions and explicitely optimize with

-O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105)

Mozilla NSS was updated to NSS 3.28.5

- Implemented domain name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1. (bmo#1350859)

- March 2017 batch of root CA changes (bmo#1350859) (version 2.14) CA certificates removed: O = Japanese Government, OU = ApplicationCA CN = WellsSecure Public Root Certificate Authority CN = TURKTRUST Elektronik Sertifika Hizmet H6 CN = Microsec e-Szigno Root CA certificates added: CN = D-TRUST Root CA 3 2013 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 java-1_8_0-openjdk was rebuild against NSS 3.28.5 to satisfy a runtime dependency.

Solution

Update the affected Mozilla based packages packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1040105

https://bugzilla.opensuse.org/show_bug.cgi?id=1043960

Plugin Details

Severity: High

ID: 100885

File Name: openSUSE-2017-712.nasl

Version: 3.7

Type: local

Agent: unix

Published: 6/20/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 6/19/2017

Reference Information

CVE: CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7760, CVE-2017-7761, CVE-2017-7764, CVE-2017-7765, CVE-2017-7766, CVE-2017-7767, CVE-2017-7768, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778