openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2015-185)

high Nessus Plugin ID 81589

Synopsis

The remote openSUSE host is missing a security update.

Description

MozillaFirefox, mozilla-nss were updated to fix 18 security issues.

MozillaFirefox was updated to version 36.0. These security issues were fixed:

- CVE-2015-0835, CVE-2015-0836: Miscellaneous memory safety hazards

- CVE-2015-0832: Appended period to hostnames can bypass HPKP and HSTS protections

- CVE-2015-0830: Malicious WebGL content crash when writing strings

- CVE-2015-0834: TLS TURN and STUN connections silently fail to simple TCP connections

- CVE-2015-0831: Use-after-free in IndexedDB

- CVE-2015-0829: Buffer overflow in libstagefright during MP4 video playback

- CVE-2015-0828: Double-free when using non-default memory allocators with a zero-length XHR

- CVE-2015-0827: Out-of-bounds read and write while rendering SVG content

- CVE-2015-0826: Buffer overflow during CSS restyling

- CVE-2015-0825: Buffer underflow during MP3 playback

- CVE-2015-0824: Crash using DrawTarget in Cairo graphics library

- CVE-2015-0823: Use-after-free in Developer Console date with OpenType Sanitiser

- CVE-2015-0822: Reading of local files through manipulation of form autocomplete

- CVE-2015-0821: Local files or privileged URLs in pages can be opened into new tabs

- CVE-2015-0819: UI Tour whitelisted sites in background tab can spoof foreground tabs

- CVE-2015-0820: Caja Compiler JavaScript sandbox bypass

mozilla-nss was updated to version 3.17.4 to fix the following issues:

- CVE-2014-1569: QuickDER decoder length issue (bnc#910647).

- bmo#1084986: If an SSL/TLS connection fails because client and server have no common protocol version enabled, NSS now reports error code SSL_ERROR_UNSUPPORTED_VERSION (instead of SSL_ERROR_NO_CYPHER_OVERLAP).

- bmo#1112461: libpkix was fixed to prefer the newest certificate if multiple certificates match.

- bmo#1094492: fixed a memory corruption issue during failure of keypair generation.

- bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS mode.

- bmo#1119983: fixed interoperability of NSS server code with a LibreSSL client.

Solution

Update the affected MozillaFirefox / mozilla-nss packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=910647

https://bugzilla.opensuse.org/show_bug.cgi?id=917597

Plugin Details

Severity: High

ID: 81589

File Name: openSUSE-2015-185.nasl

Version: 1.8

Type: local

Agent: unix

Published: 3/2/2015

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, cpe:/o:novell:opensuse:13.1, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2/26/2015

Reference Information

CVE: CVE-2014-1569, CVE-2015-0819, CVE-2015-0820, CVE-2015-0821, CVE-2015-0822, CVE-2015-0823, CVE-2015-0824, CVE-2015-0825, CVE-2015-0826, CVE-2015-0827, CVE-2015-0828, CVE-2015-0829, CVE-2015-0830, CVE-2015-0831, CVE-2015-0832, CVE-2015-0834, CVE-2015-0835, CVE-2015-0836