openSUSE Security Update : firefox / mozilla-nspr / mozilla-nss (openSUSE-SU-2014:1344-1)

Critical Nessus Plugin ID 78818

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

- update to Firefox 33.0 (bnc#900941) New features :

- OpenH264 support (sandboxed)

- Enhanced Tiles

- Improved search experience through the location bar

- Slimmer and faster JavaScript strings

- New CSP (Content Security Policy) backend

- Support for connecting to HTTP proxy over HTTPS

- Improved reliability of the session restoration

- Proprietary window.crypto properties/functions removed Security :

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

- added basic appdata information

- update to SeaMonkey 2.30 (bnc#900941)

- venkman debugger removed from application and therefore obsolete package seamonkey-venkman

- MFSA 2014-74/CVE-2014-1574/CVE-2014-1575 Miscellaneous memory safety hazards

- MFSA 2014-75/CVE-2014-1576 (bmo#1041512) Buffer overflow during CSS manipulation

- MFSA 2014-76/CVE-2014-1577 (bmo#1012609) Web Audio memory corruption issues with custom waveforms

- MFSA 2014-77/CVE-2014-1578 (bmo#1063327) Out-of-bounds write with WebM video

- MFSA 2014-78/CVE-2014-1580 (bmo#1063733) Further uninitialized memory use during GIF rendering

- MFSA 2014-79/CVE-2014-1581 (bmo#1068218) Use-after-free interacting with text directionality

- MFSA 2014-80/CVE-2014-1582/CVE-2014-1584 (bmo#1049095, bmo#1066190) Key pinning bypasses

- MFSA 2014-81/CVE-2014-1585/CVE-2014-1586 (bmo#1062876, bmo#1062981) Inconsistent video sharing within iframe

- MFSA 2014-82/CVE-2014-1583 (bmo#1015540) Accessing cross-origin objects via the Alarms API (only relevant for installed web apps)

- requires NSPR 4.10.7

- requires NSS 3.17.1

- removed obsolete patches :

- mozilla-ppc.patch

- mozilla-libproxy-compat.patch

Changes in mozilla-nss :

- update to 3.17.1 (bnc#897890)

- Change library's signature algorithm default to SHA256

- Add support for draft-ietf-tls-downgrade-scsv

- Add clang-cl support to the NSS build system

- Implement TLS 1.3 :

- Part 1. Negotiate TLS 1.3

- Part 2. Remove deprecated cipher suites andcompression.

- Add support for little-endian powerpc64

- update to 3.17

- required for Firefox 33 New functionality :

- When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH key is reused for multiple handshakes. This option does not affect the TLS client code, which always generates a fresh ephemeral ECDH key for each handshake. New Macros

- SSL_REUSE_SERVER_ECDHE_KEY Notable Changes :

- The manual pages for the certutil and pp tools have been updated to document the new parameters that had been added in NSS 3.16.2.

- On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime library should be used. By default the dynamic C runtime library is used.
Changes in mozilla-nspr :

- update to version 4.10.7

- bmo#836658: VC11+ defaults to SSE2 builds by default.

- bmo#979278: TSan: data race nsprpub/pr/src/threads/prtpd.c:103 PR_NewThreadPrivateIndex.

- bmo#1026129: Replace some manual declarations of MSVC intrinsics with #include <intrin.h>.

- bmo#1026469: Use AC_CHECK_LIB instead of MOZ_CHECK_PTHREADS. Skip compiler checks when using MSVC, even when $CC is not literally 'cl'.

- bmo#1034415: NSPR hardcodes the C compiler to cl on Windows.

- bmo#1042408: Compilation fix for Android > API level 19.

- bmo#1043082: NSPR's build system hardcodes -MD.

Solution

Update the affected firefox / mozilla-nspr / mozilla-nss packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1012609

https://bugzilla.mozilla.org/show_bug.cgi?id=1015540

https://bugzilla.mozilla.org/show_bug.cgi?id=1026129

https://bugzilla.mozilla.org/show_bug.cgi?id=1026469

https://bugzilla.mozilla.org/show_bug.cgi?id=1034415

https://bugzilla.mozilla.org/show_bug.cgi?id=1041512

https://bugzilla.mozilla.org/show_bug.cgi?id=1042408

https://bugzilla.mozilla.org/show_bug.cgi?id=1043082

https://bugzilla.mozilla.org/show_bug.cgi?id=1049095

https://bugzilla.mozilla.org/show_bug.cgi?id=1062876

https://bugzilla.mozilla.org/show_bug.cgi?id=1062981

https://bugzilla.mozilla.org/show_bug.cgi?id=1063327

https://bugzilla.mozilla.org/show_bug.cgi?id=1063733

https://bugzilla.mozilla.org/show_bug.cgi?id=1063971

https://bugzilla.mozilla.org/show_bug.cgi?id=1066190

https://bugzilla.mozilla.org/show_bug.cgi?id=1068218

https://bugzilla.mozilla.org/show_bug.cgi?id=836658

https://bugzilla.mozilla.org/show_bug.cgi?id=979278

https://bugzilla.opensuse.org/show_bug.cgi?id=894370

https://bugzilla.opensuse.org/show_bug.cgi?id=896624

https://bugzilla.opensuse.org/show_bug.cgi?id=897890

https://bugzilla.opensuse.org/show_bug.cgi?id=900941

https://bugzilla.opensuse.org/show_bug.cgi?id=901213

https://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html

Plugin Details

Severity: Critical

ID: 78818

File Name: openSUSE-2014-612.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2014/11/03

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 5.9

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr, p-cpe:/a:novell:opensuse:mozilla-nspr-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nspr-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nspr-debugsource, p-cpe:/a:novell:opensuse:mozilla-nspr-devel, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:seamonkey, p-cpe:/a:novell:opensuse:seamonkey-debuginfo, p-cpe:/a:novell:opensuse:seamonkey-debugsource, p-cpe:/a:novell:opensuse:seamonkey-dom-inspector, p-cpe:/a:novell:opensuse:seamonkey-irc, p-cpe:/a:novell:opensuse:seamonkey-translations-common, p-cpe:/a:novell:opensuse:seamonkey-translations-other, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2014/10/23

Reference Information

CVE: CVE-2014-1554, CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1580, CVE-2014-1581, CVE-2014-1582, CVE-2014-1583, CVE-2014-1584, CVE-2014-1585, CVE-2014-1586