openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-960)

critical Nessus Plugin ID 92853
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote openSUSE host is missing a security update.


Mozilla Firefox was updated to 48.0 to fix security issues, bugs, and deliver various improvements.

The following major changes are included :

- Process separation (e10s) is enabled for some users

- Add-ons that have not been verified and signed by Mozilla will not load

- WebRTC enhancements

- The media parser has been redeveloped using the Rust programming language

- better Canvas performance with speedy Skia support

- Now requires NSS 3.24

The following security issues were fixed: (boo#991809)

- CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards

- CVE-2016-2830: Favicon network connection can persist when page is closed

- CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content

- CVE-2016-2839: Cairo rendering crash due to memory allocation issue with FFmpeg 0.10

- CVE-2016-5251: Location bar spoofing via data URLs with malformed/invalid mediatypes

- CVE-2016-5252: Stack underflow during 2D graphics rendering

- CVE-2016-0718: Out-of-bounds read during XML parsing in Expat library

- CVE-2016-5254: Use-after-free when using alt key and toplevel menus

- CVE-2016-5255: Crash in incremental garbage collection in JavaScript

- CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown

- CVE-2016-5259: Use-after-free in service workers with nested sync events

- CVE-2016-5260: Form input type change from password to text can store plain text password in session restore file

- CVE-2016-5261: Integer overflow in WebSockets during data buffering

- CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes

- CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback

- CVE-2016-5263: Type confusion in display transformation

- CVE-2016-5264: Use-after-free when applying SVG effects

- CVE-2016-5265: Same-origin policy violation using local HTML file and saved shortcut file

- CVE-2016-5266: Information disclosure and local file manipulation through drag and drop

- CVE-2016-5268: Spoofing attack through text injection into internal error pages

- CVE-2016-5250: Information disclosure through Resource Timing API during page navigation

The following non-security changes are included :

- The AppData description and screenshots were updated.

- Fix Firefox crash on startup on i586 (boo#986541)

- The Selenium WebDriver may have caused Firefox to crash at startup

- fix build issues with gcc/binutils combination used in Leap 42.2 (boo#984637)

- Fix running on 48bit va aarch64 (boo#984126)

- fix XUL dialog button order under KDE session (boo#984403)

Mozilla NSS was updated to 3.24 as a dependency.

Changes in mozilla-nss :

- NSS softoken updated with latest NIST guidance

- NSS softoken updated to allow NSS to run in FIPS Level 1 (no password)

- Various added and deprecated functions

- Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible client hello.

- Protect against the Cachebleed attack.

- Disable support for DTLS compression.

- Improve support for TLS 1.3. This includes support for DTLS 1.3. (experimental)


Update the affected MozillaFirefox / mozilla-nss packages.

See Also

Plugin Details

Severity: Critical

ID: 92853

File Name: openSUSE-2016-960.nasl

Version: 2.8

Type: local

Agent: unix

Published: 8/11/2016

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 6.7


Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P


Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozilla-nss-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 8/10/2016

Reference Information

CVE: CVE-2016-0718, CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5268