openSUSE Security Update : Mozilla Suite (openSUSE-SU-2013:1633-1)

critical Nessus Plugin ID 75186

Synopsis

The remote openSUSE host is missing a security update.

Description

MozillaFirefox was updated to Firefox 25.0. MozillaThunderbird was updated to Thunderbird 24.1.0. Mozilla XULRunner was updated to 17.0.10esr. Mozilla NSPR was updated to 4.10.1.

Changes in MozillaFirefox:

- requires NSS 3.15.2 or above

- MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards

- MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element

- MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data

- MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions

- MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding

- MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache

- MFSA 2013-99/CVE-2013-5598 (bmo#920515) Security bypass of PDF.js checks using iframes

- MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing

- MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers

- MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates

Changes in MozillaThunderbird:

- requires NSS 3.15.2 or above

- MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards

- MFSA 2013-94/CVE-2013-5593 (bmo#868327) Spoofing addressbar through SELECT element

- MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data

- MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions

- MFSA 2013-97/CVE-2013-5596 (bmo#910881) Writing to cycle collected object during image decoding

- MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache

- MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing

- MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers

- MFSA 2013-102/CVE-2013-5603 (bmo#916404) Use-after-free in HTML document templates

- update to Thunderbird 24.0.1

- fqdn for smtp server name was not accepted (bmo#913785)

- fixed crash in PL_strncasecmp (bmo#917955)

- update Enigmail to 1.6

- The passphrase timeout configuration in Enigmail is now read and written from/to gpg-agent.

- New dialog to change the expiry date of keys

- New function to search for the OpenPGP keys of all Address Book entries on a keyserver

- removed obsolete enigmail-build.patch

Changes in xulrunner:

- update to 17.0.10esr (bnc#847708)

- require NSS 3.14.4 or above

- MFSA 2013-93/CVE-2013-5590/CVE-2013-5591/CVE-2013-5592 Miscellaneous memory safety hazards

- MFSA 2013-95/CVE-2013-5604 (bmo#914017) Access violation with XSLT and uninitialized data

- MFSA 2013-96/CVE-2013-5595 (bmo#916580) Improperly initialized memory and overflows in some JavaScript functions

- MFSA 2013-98/CVE-2013-5597 (bmo#918864) Use-after-free when updating offline cache

- MFSA 2013-100/CVE-2013-5599/CVE-2013-5600/CVE-2013-5601 (bmo#915210, bmo#915576, bmo#916685) Miscellaneous use-after-free issues found through ASAN fuzzing

- MFSA 2013-101/CVE-2013-5602 (bmo#897678) Memory corruption in workers

- update to 17.0.9esr (bnc#840485)

- MFSA 2013-65/CVE-2013-1705 (bmo#882865) Buffer underflow when generating CRMF requests

- MFSA 2013-76/CVE-2013-1718 Miscellaneous memory safety hazards

- MFSA 2013-79/CVE-2013-1722 (bmo#893308) Use-after-free in Animation Manager during stylesheet cloning

- MFSA 2013-82/CVE-2013-1725 (bmo#876762) Calling scope for new JavaScript objects can lead to memory corruption

- MFSA 2013-88/CVE-2013-1730 (bmo#851353) Compartment mismatch re-attaching XBL-backed nodes

- MFSA 2013-89/CVE-2013-1732 (bmo#883514) Buffer overflow with multi-column, lists, and floats

- MFSA 2013-90/CVE-2013-1735/CVE-2013-1736 (bmo#898871, bmo#906301) Memory corruption involving scrolling

- MFSA 2013-91/CVE-2013-1737 (bmo#907727) User-defined properties on DOM proxies get the wrong 'this' object

Changes in mozilla-nspr:

- update to version 4.10.1

- bmo#888273: RWIN Scaling (RFC1323) limited to 2 on Windows 7 and 8 (Windows only)

- bmo#907512: Unix platforms shouldn't mask errors specific to Unix domain sockets

Solution

Update the affected Mozilla Suite packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=840485

https://bugzilla.novell.com/show_bug.cgi?id=847708

https://lists.opensuse.org/opensuse-updates/2013-11/msg00006.html

Plugin Details

Severity: Critical

ID: 75186

File Name: openSUSE-2013-819.nasl

Version: 1.5

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:MozillaThunderbird, p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols, p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo, p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource, p-cpe:/a:novell:opensuse:MozillaThunderbird-devel, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common, p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other, p-cpe:/a:novell:opensuse:enigmail, p-cpe:/a:novell:opensuse:enigmail-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js, p-cpe:/a:novell:opensuse:mozilla-js-32bit, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo, p-cpe:/a:novell:opensuse:mozilla-js-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:xulrunner, p-cpe:/a:novell:opensuse:xulrunner-32bit, p-cpe:/a:novell:opensuse:xulrunner-buildsymbols, p-cpe:/a:novell:opensuse:xulrunner-debuginfo, p-cpe:/a:novell:opensuse:xulrunner-debuginfo-32bit, p-cpe:/a:novell:opensuse:xulrunner-debugsource, p-cpe:/a:novell:opensuse:xulrunner-devel, p-cpe:/a:novell:opensuse:xulrunner-devel-debuginfo, cpe:/o:novell:opensuse:12.2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/4/2013

Reference Information

CVE: CVE-2013-1705, CVE-2013-1718, CVE-2013-1722, CVE-2013-1725, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604

BID: 61871, 62460, 62463, 62467, 62469, 62473, 62475, 62478, 62479, 63415, 63416, 63417, 63418, 63419, 63420, 63421, 63422, 63423, 63424, 63427, 63428, 63429, 63430