openSUSE Security Update : Mozilla Firefox and NSS (openSUSE-2017-1114)

critical Nessus Plugin ID 103621

Synopsis

The remote openSUSE host is missing a security update.

Description

This update to Mozilla Firefox 52.4esr, along with Mozilla NSS 3.28.6, fixes security issues and bugs. The following vulnerabilities, advised upstream under MFSA 2017-22 (boo#1060445), were fixed:

- CVE-2017-7793: Use-after-free with Fetch API

- CVE-2017-7818: Use-after-free during ARIA array manipulation

- CVE-2017-7819: Use-after-free while resizing images in design mode

- CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE

- CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings

- CVE-2017-7823: CSP sandbox directive did not create a unique origin

- CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

The following security issue was fixed in Mozilla NSS 3.28.6:

- CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes (bsc#1061005)

The following bug was fixed:

- boo#1029917: Language accept header uses incorrect locale

For compatibility reasons, java-1_8_0-openjdk was rebuilt against the updated version of NSS.

Solution

Update the affected Mozilla Firefox and NSS packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1060445

https://bugzilla.opensuse.org/show_bug.cgi?id=1061005

Plugin Details

Severity: Critical

ID: 103621

File Name: openSUSE-2017-1114.nasl

Version: 3.7

Type: local

Agent: unix

Published: 10/3/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:o:novell:opensuse:42.2:*:*:*:*:*:*:*, cpe:2.3:o:novell:opensuse:42.3:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-branding-upstream:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-buildsymbols:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-debugsource:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-translations-common:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozillafirefox-translations-other:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libfreebl3:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libfreebl3-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libfreebl3-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libfreebl3-debuginfo-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libsoftokn3:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libsoftokn3-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libsoftokn3-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:libsoftokn3-debuginfo-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-certs:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-certs-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-certs-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-debuginfo-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-debugsource:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-sysinit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-sysinit-32bit:*:*:*:*:*:*:*, 
p-cpe:2.3:a:novell:opensuse:mozilla-nss-sysinit-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-tools:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:mozilla-nss-tools-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-accessibility:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-debugsource:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-demo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-devel:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-headless:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-javadoc:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-src:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 10/2/2017

Reference Information

CVE: CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824