openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-541)

high Nessus Plugin ID 90932

Synopsis

The remote openSUSE host is missing a security update.

Description

This update to Mozilla Firefox 46.0 fixes several security issues and bugs (boo#977333).

The following vulnerabilities were fixed :

- CVE-2016-2804: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977373)

- CVE-2016-2806: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977375)

- CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977376)

- CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() - MFSA 2016-47 (boo#977386)

- CVE-2016-2811: Use-after-free in Service Worker - MFSA 2016-42 (boo#977379)

- CVE-2016-2812: Buffer overflow in Service Worker - MFSA 2016-42 (boo#977379)

- CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (boo#977381)

- CVE-2016-2816: CSP not applied to pages sent with multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)

- CVE-2016-2817: Elevation of privilege with chrome.tabs.update API in web extensions - MFSA 2016-46 (boo#977384)

- CVE-2016-2820: Firefox Health Reports could accept events from untrusted domains - MFSA 2016-48 (boo#977388)

The following miscellaneous changes are included :

- Improved security of the JavaScript Just In Time (JIT) Compiler

- WebRTC fixes to improve performance and stability

- Added support for document.elementsFromPoint

- Added HKDF support for Web Crypto API

The following changes from Mozilla Firefox 45.0.2 are included :

- Fix an issue impacting the cookie header when third-party cookies are blocked

- Fix a web compatibility regression impacting the srcset attribute of the image tag

- Fix a crash impacting the video playback with Media Source Extension

- Fix a regression impacting some specific uploads

- Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird

The following changes from Mozilla Firefox 45.0.2 are included :

- Fix a regression causing search engine settings to be lost in some context

- Bring back non-standard jar: URIs to fix a regression in IBM iNotes

- XSLTProcessor.importStylesheet was failing when import was used

- Fix an issue which could cause the list of search provider to be empty

- Fix a regression when using the location bar (bmo#1254503)

- Fix some loading issues when Accept third-party cookies:
was set to Never

- Disabled Graphite font shaping library

The minimum requirements increased to NSPR 4.12 and NSS 3.22.3.

Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox 46.0, with the following changes :

- Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake (bmo#1243641)

- RSA-PSS signatures are now supported

- Pseudorandom functions based on hashes other than SHA-1 are now supported

- Enforce an External Policy on NSS from a config file

Solution

Update the affected MozillaFirefox / mozilla-nss packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=977333

https://bugzilla.opensuse.org/show_bug.cgi?id=977373

https://bugzilla.opensuse.org/show_bug.cgi?id=977375

https://bugzilla.opensuse.org/show_bug.cgi?id=977376

https://bugzilla.opensuse.org/show_bug.cgi?id=977379

https://bugzilla.opensuse.org/show_bug.cgi?id=977381

https://bugzilla.opensuse.org/show_bug.cgi?id=977382

https://bugzilla.opensuse.org/show_bug.cgi?id=977384

https://bugzilla.opensuse.org/show_bug.cgi?id=977386

https://bugzilla.opensuse.org/show_bug.cgi?id=977388

Plugin Details

Severity: High

ID: 90932

File Name: openSUSE-2016-541.nasl

Version: 1.6

Type: local

Agent: unix

Published: 5/6/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 5/4/2016

Reference Information

CVE: CVE-2016-2804, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2811, CVE-2016-2812, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820