openSUSE Security Update : Mozilla Firefox and others (openSUSE-SU-2013:0630-1)

Critical Nessus Plugin ID 74965

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

The Mozilla suite received security and bugfix updates:

- Mozilla Firefox was updated to version 20.0.

- Mozilla Thunderbird was updated to version 17.0.5.

- Mozilla SeaMonkey was updated to version 17.0.5.

- Mozilla XULRunner was updated to version 17.0.5.

- mozilla-nss was updated to version 3.14.3.

- mozilla-nspr was updated to version 4.9.6.

mozilla-nspr was updated to version 4.9.6:

- aarch64 support

- added PL_SizeOfArenaPoolExcludingPool function (bmo#807883)

- Auto detect android api version for x86 (bmo#782214)

- Initialize Windows CRITICAL_SECTIONs without debug info and with nonzero spin count (bmo#812085)

Previous update to version 4.9.5:

- bmo#634793: define NSPR's exact-width integer types PRInt(N) and PRUint(N) types to match the <stdint.h> exact-width integer types int(N)_t and uint(N)_t.

- bmo#782815: passing 'int *' to parameter of type 'unsigned int *' in setsockopt().

- bmo#822932: Port bmo#802527 (NDK r8b support for x86) to NSPR.

- bmo#824742: NSPR shouldn't require librt on Android.

- bmo#831793: data race on lib->refCount in PR_UnloadLibrary.

mozilla-nss was updated to version 3.14.3:

- disable tests with expired certificates

- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements

- No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)

- 'certutil -a' was not correctly producing ASCII output as requested. (bmo#840714)

- NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799)

- remove system-sqlite.patch

- add arm aarch64 support

- added system-sqlite.patch (bmo#837799)

- do not depend on latest sqlite just for a #define

- enable system sqlite usage again

- update to 3.14.2

- required for Firefox >= 20

- removed obsolete nssckbi update patch

- MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage

- disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution

- add nss-sqlitename.patch to avoid any name clash

Changes in MozillaFirefox:

- update to Firefox 20.0 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

- MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)

- build fixes for armv7hl:

- disable debug build as armv7hl does not have enough memory

- disable webrtc on armv7hl as it is non-compiling

Changes in MozillaThunderbird:

- update to Thunderbird 17.0.5 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

Changes in seamonkey:

- update to SeaMonkey 2.17 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

- MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)

Changes in xulrunner:

- update to 17.0.5esr (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

Solution

Update the affected Mozilla Firefox and other packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=813026

https://lists.opensuse.org/opensuse-updates/2013-04/msg00047.html

Plugin Details

Severity: Critical

ID: 74965

File Name: openSUSE-2013-309.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:enigmail, p-cpe:/a:novell:opensuse:enigmail-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-js, p-cpe:/a:novell:opensuse:mozilla-js-32bit, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, 
p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:seamonkey, p-cpe:/a:novell:opensuse:seamonkey-debuginfo, p-cpe:/a:novell:opensuse:seamonkey-debugsource, p-cpe:/a:novell:opensuse:seamonkey-dom-inspector, p-cpe:/a:novell:opensuse:seamonkey-irc, p-cpe:/a:novell:opensuse:seamonkey-translations-common, p-cpe:/a:novell:opensuse:seamonkey-translations-other, p-cpe:/a:novell:opensuse:seamonkey-venkman, p-cpe:/a:novell:opensuse:xulrunner, p-cpe:/a:novell:opensuse:xulrunner-32bit, p-cpe:/a:novell:opensuse:xulrunner-buildsymbols, p-cpe:/a:novell:opensuse:xulrunner-debuginfo, p-cpe:/a:novell:opensuse:xulrunner-debuginfo-32bit, p-cpe:/a:novell:opensuse:xulrunner-debugsource, p-cpe:/a:novell:opensuse:xulrunner-devel, p-cpe:/a:novell:opensuse:xulrunner-devel-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/04/04

Vulnerability Publication Date: 2013/02/08

Reference Information

CVE: CVE-2013-0788, CVE-2013-0789, CVE-2013-0791, CVE-2013-0792, CVE-2013-0793, CVE-2013-0794, CVE-2013-0795, CVE-2013-0796, CVE-2013-0800, CVE-2013-1620