openSUSE Security Update : Mozilla Firefox and others (openSUSE-SU-2013:0630-1)

critical Nessus Plugin ID 74965

Synopsis

The remote openSUSE host is missing a security update.

Description

The Mozilla suite received security and bugfix updates :

Mozilla Firefox was updated to version 20.0. Mozilla Thunderbird was updated to version 17.0.5. Mozilla SeaMonkey was updated to version 17.0.5. Mozilla XULRunner was updated to version 17.0.5. mozilla-nss was updated to version 3.14.3. mozilla-nspr was updated to version 4.9.6.

mozilla-nspr was updated to version 4.9.6 :

- aarch64 support

- added PL_SizeOfArenaPoolExcludingPool function (bmo#807883)

- Auto detect android api version for x86 (bmo#782214)

- Initialize Windows CRITICAL_SECTIONs without debug info and with nonzero spin count (bmo#812085) Previous update to version 4.9.5

- bmo#634793: define NSPR's exact-width integer types PRInt(N) and PRUint(N) types to match the <stdint.h> exact-width integer types int(N)_t and uint(N)_t.

- bmo#782815: passing 'int *' to parameter of type 'unsigned int *' in setsockopt().

- bmo#822932: Port bmo#802527 (NDK r8b support for x86) to NSPR.

- bmo#824742: NSPR shouldn't require librt on Android.

- bmo#831793: data race on lib->refCount in PR_UnloadLibrary.

mozilla-nss was updated to version 3.14.3 :

- disable tests with expired certificates

- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements

- No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)

- 'certutil -a' was not correctly producing ASCII output as requested. (bmo#840714)

- NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch

- add arm aarch64 support

- added system-sqlite.patch (bmo#837799)

- do not depend on latest sqlite just for a #define

- enable system sqlite usage again

- update to 3.14.2

- required for Firefox >= 20

- removed obsolete nssckbi update patch

- MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage

- disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution

- add nss-sqlitename.patch to avoid any name clash

Changes in MozillaFirefox :

- update to Firefox 20.0 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

- MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)

- build fixes for armv7hl :

- disable debug build as armv7hl does not have enough memory

- disable webrtc on armv7hl as it is non-compiling

Changes in MozillaThunderbird :

- update to Thunderbird 17.0.5 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

Changes in seamonkey :

- update to SeaMonkey 2.17 (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

- MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images

- use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch)

Changes in xulrunner :

- update to 17.0.5esr (bnc#813026)

- requires NSPR 4.9.5 and NSS 3.14.3

- MFSA 2013-30/CVE-2013-0788 Miscellaneous memory safety hazards

- MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library

- MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux

- MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes

- MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure

- MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations

Solution

Update the affected Mozilla Firefox and others packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=813026

https://lists.opensuse.org/opensuse-updates/2013-04/msg00047.html

Plugin Details

Severity: Critical

ID: 74965

File Name: openSUSE-2013-309.nasl

Version: 1.8

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, p-cpe:/a:novell:opensuse:mozillathunderbird, p-cpe:/a:novell:opensuse:mozillathunderbird-buildsymbols, p-cpe:/a:novell:opensuse:mozillathunderbird-debuginfo, p-cpe:/a:novell:opensuse:mozillathunderbird-debugsource, p-cpe:/a:novell:opensuse:mozillathunderbird-devel, p-cpe:/a:novell:opensuse:mozillathunderbird-devel-debuginfo, p-cpe:/a:novell:opensuse:mozillathunderbird-translations-common, p-cpe:/a:novell:opensuse:mozillathunderbird-translations-other, p-cpe:/a:novell:opensuse:enigmail, p-cpe:/a:novell:opensuse:enigmail-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-js, p-cpe:/a:novell:opensuse:mozilla-js-32bit, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:seamonkey, p-cpe:/a:novell:opensuse:seamonkey-debuginfo, p-cpe:/a:novell:opensuse:seamonkey-debugsource, p-cpe:/a:novell:opensuse:seamonkey-dom-inspector, p-cpe:/a:novell:opensuse:seamonkey-irc, p-cpe:/a:novell:opensuse:seamonkey-translations-common, p-cpe:/a:novell:opensuse:seamonkey-translations-other, p-cpe:/a:novell:opensuse:seamonkey-venkman, p-cpe:/a:novell:opensuse:xulrunner, p-cpe:/a:novell:opensuse:xulrunner-32bit, p-cpe:/a:novell:opensuse:xulrunner-buildsymbols, p-cpe:/a:novell:opensuse:xulrunner-debuginfo, p-cpe:/a:novell:opensuse:xulrunner-debuginfo-32bit, p-cpe:/a:novell:opensuse:xulrunner-debugsource, p-cpe:/a:novell:opensuse:xulrunner-devel, p-cpe:/a:novell:opensuse:xulrunner-devel-debuginfo, cpe:/o:novell:opensuse:12.1, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/4/2013

Vulnerability Publication Date: 2/8/2013

Reference Information

CVE: CVE-2013-0788, CVE-2013-0789, CVE-2013-0791, CVE-2013-0792, CVE-2013-0793, CVE-2013-0794, CVE-2013-0795, CVE-2013-0796, CVE-2013-0800, CVE-2013-1620