openSUSE Security Update : MozillaFirefox (openSUSE-2015-263)

High Nessus Plugin ID 82247

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

MozillaFirefox was updated to Firefox 36.0.4 to fix two critical security issues found during Pwn2Own :

- MFSA 2015-28/CVE-2015-0818 (bmo#1144988) Privilege escalation through SVG navigation

- MFSA 2015-29/CVE-2015-0817 (bmo#1145255) Code execution through incorrect JavaScript bounds checking elimination

Also fixed were the following bugs :

- Copy the icons to /usr/share/icons instead of symlinking them: in preparation for containerized apps (e.g. xdg-app) as well as AppStream metadata extraction, there are a couple locations that need to be real files for system integration (.desktop files, icons, mime-type info).

- update to Firefox 36.0.1 Bugfixes :

- Disable the usage of the ANY DNS query type (bmo#1093983)

- Hello may become inactive until restart (bmo#1137469)

- Print preferences may not be preserved (bmo#1136855)

- Hello contact tabs may not be visible (bmo#1137141)

- Accept hostnames that include an underscore character ('_') (bmo#1136616)

- WebGL may use significant memory with Canvas2d (bmo#1137251)

- Option -remote has been restored (bmo#1080319)

Solution

Update the affected MozillaFirefox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=923534

Plugin Details

Severity: High

ID: 82247

File Name: openSUSE-2015-263.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2015/03/26

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, cpe:/o:novell:opensuse:13.1, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2015/03/22

Reference Information

CVE: CVE-2015-0817, CVE-2015-0818