openSUSE Security Update : MozillaFirefox / MozillaThunderbird (openSUSE-SU-2012:0417-1)

high Nessus Plugin ID 74574

Synopsis

The remote openSUSE host is missing a security update.

Description

Changes in MozillaThunderbird :

- update to Thunderbird 11.0 (bnc#750044)

- MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL

- MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer

- MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers

- MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page

- MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification

- MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content

- MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/CVE-2012-0463 Miscellaneous memory safety hazards

Changes in mozilla-xulrunner192 :

- security update to 1.9.2.28 (bnc#750044)

- MFSA 2011-55/CVE-2011-3658 (bmo#708186) nsSVGValue out-of-bounds access

- MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL

- MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer

- MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page

- MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/CVE-2012-0463 Miscellaneous memory safety hazards

Changes in MozillaFirefox :

- update to Firefox 11.0 (bnc#750044)

- MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL

- MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer

- MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers

- MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page

- MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification

- MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content

- MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/CVE-2012-0463 Miscellaneous memory safety hazards

Changes in seamonkey :

- update to SeaMonkey 2.8 (bnc#750044)

- MFSA 2012-13/CVE-2012-0455 (bmo#704354) XSS with Drag and Drop and Javascript: URL

- MFSA 2012-14/CVE-2012-0456/CVE-2012-0457 (bmo#711653, #720103) SVG issues found with Address Sanitizer

- MFSA 2012-15/CVE-2012-0451 (bmo#717511) XSS with multiple Content Security Policy headers

- MFSA 2012-16/CVE-2012-0458 Escalation of privilege with Javascript: URL as home page

- MFSA 2012-17/CVE-2012-0459 (bmo#723446) Crash when accessing keyframe cssText after dynamic modification

- MFSA 2012-18/CVE-2012-0460 (bmo#727303) window.fullScreen writeable by untrusted content

- MFSA 2012-19/CVE-2012-0461/CVE-2012-0462/CVE-2012-0464/CVE-2012-0463 Miscellaneous memory safety hazards

Changes in chmsee :

- Update to version 1.99.08

Changes in mozilla-nss :

- update to 3.13.3 RTM

- distrust Trustwave's MITM certificates (bmo#724929)

- fix generic blacklisting mechanism (bmo#727204)

Changes in mozilla-nspr :

- update to version 4.9 RTM

Solution

Update the affected MozillaFirefox / MozillaThunderbird packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=745303

https://bugzilla.novell.com/show_bug.cgi?id=746591

https://bugzilla.novell.com/show_bug.cgi?id=747320

https://bugzilla.novell.com/show_bug.cgi?id=749440

https://bugzilla.novell.com/show_bug.cgi?id=750044

https://bugzilla.novell.com/show_bug.cgi?id=750673

https://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html

Plugin Details

Severity: High

ID: 74574

File Name: openSUSE-2012-175.nasl

Version: 1.10

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 8.5

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:chmsee, p-cpe:/a:novell:opensuse:chmsee-debuginfo, p-cpe:/a:novell:opensuse:chmsee-debugsource, p-cpe:/a:novell:opensuse:enigmail, p-cpe:/a:novell:opensuse:enigmail-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-js, p-cpe:/a:novell:opensuse:mozilla-js-32bit, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-js192, p-cpe:/a:novell:opensuse:mozilla-js192-32bit, p-cpe:/a:novell:opensuse:mozilla-js192-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js192-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, 
p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:mozilla-xulrunner192, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-32bit, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-buildsymbols, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-debuginfo, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-debugsource, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-devel, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-devel-debuginfo, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-gnome, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-gnome-32bit, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-gnome-debuginfo, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-gnome-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-translations-common, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-translations-common-32bit, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-translations-other, p-cpe:/a:novell:opensuse:mozilla-xulrunner192-translations-other-32bit, p-cpe:/a:novell:opensuse:seamonkey, p-cpe:/a:novell:opensuse:seamonkey-debuginfo, 
p-cpe:/a:novell:opensuse:seamonkey-debugsource, p-cpe:/a:novell:opensuse:seamonkey-dom-inspector, p-cpe:/a:novell:opensuse:seamonkey-irc, p-cpe:/a:novell:opensuse:seamonkey-translations-common, p-cpe:/a:novell:opensuse:seamonkey-translations-other, p-cpe:/a:novell:opensuse:seamonkey-venkman, p-cpe:/a:novell:opensuse:xulrunner, p-cpe:/a:novell:opensuse:xulrunner-32bit, p-cpe:/a:novell:opensuse:xulrunner-buildsymbols, p-cpe:/a:novell:opensuse:xulrunner-debuginfo, p-cpe:/a:novell:opensuse:xulrunner-debuginfo-32bit, p-cpe:/a:novell:opensuse:xulrunner-debugsource, p-cpe:/a:novell:opensuse:xulrunner-devel, p-cpe:/a:novell:opensuse:xulrunner-devel-debuginfo, cpe:/o:novell:opensuse:12.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/17/2012

Vulnerability Publication Date: 12/20/2011

Exploitable With

CANVAS (CANVAS)

Metasploit (Firefox nsSVGValue Out-of-Bounds Access Vulnerability)

Reference Information

CVE: CVE-2011-3658, CVE-2012-0451, CVE-2012-0455, CVE-2012-0456, CVE-2012-0457, CVE-2012-0458, CVE-2012-0459, CVE-2012-0460, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464