SUSE SLES11 Security Update : MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr / mozilla-nss (SUSE-SU-2016:2061-1)

critical Nessus Plugin ID 93288
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote SUSE host is missing one or more security updates.


MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr and mozilla-nss were updated to fix nine security issues. Mozilla Firefox was updated to version 45.3.0 ESR. mozilla-nss was updated to version 3.21.1, mozilla-nspr to version 4.12. These security issues were fixed in 45.3.0ESR :

- CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards (rv:48.0 / rv:45.3) (MFSA 2016-62)

- CVE-2016-2830: Favicon network connection can persist when page is closed (MFSA 2016-63)

- CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content (MFSA 2016-64)

- CVE-2016-2839: Cairo rendering crash due to memory allocation issue with FFmpeg 0.10 (MFSA 2016-65)

- CVE-2016-5252: Stack underflow during 2D graphics rendering (MFSA 2016-67)

- CVE-2016-5254: Use-after-free when using alt key and toplevel menus (MFSA 2016-70)

- CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown (MFSA 2016-72)

- CVE-2016-5259: Use-after-free in service workers with nested sync events (MFSA 2016-73)

- CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes (MFSA 2016-76)

- CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback (MFSA 2016-77)

- CVE-2016-5263: Type confusion in display transformation (MFSA 2016-78)

- CVE-2016-5264: Use-after-free when applying SVG effects (MFSA 2016-79)

- CVE-2016-5265: Same-origin policy violation using local HTML file and saved shortcut file (MFSA 2016-80)

- CVE-2016-6354: Fix for possible buffer overrun (bsc#990856) Security issues fixed in 45.2.0.ESR :

- CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).

- CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651).

- CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA 2016-52) (bsc#983652).

- CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) (bsc#983653).

- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) (bsc#983655).

- CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) (bsc#983646).

- CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58) (bsc#983643).

- CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA 2016-49) (bsc#983638)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP2-LTSS:zypper in -t patch slessp2-MozillaFirefox-12690=1

SUSE Linux Enterprise Debuginfo 11-SP2:zypper in -t patch dbgsp2-MozillaFirefox-12690=1

To bring your system up-to-date, use 'zypper patch'.

See Also

Plugin Details

Severity: Critical

ID: 93288

File Name: suse_SU-2016-2061-1.nasl

Version: 2.12

Type: local

Agent: unix

Published: 9/2/2016

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Critical

Score: 9.2


Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:MozillaFirefox, p-cpe:/a:novell:suse_linux:MozillaFirefox-branding-SLED, p-cpe:/a:novell:suse_linux:MozillaFirefox-translations, p-cpe:/a:novell:suse_linux:firefox-fontconfig, p-cpe:/a:novell:suse_linux:libfreebl3, p-cpe:/a:novell:suse_linux:mozilla-nspr, p-cpe:/a:novell:suse_linux:mozilla-nspr-devel, p-cpe:/a:novell:suse_linux:mozilla-nss, p-cpe:/a:novell:suse_linux:mozilla-nss-devel, p-cpe:/a:novell:suse_linux:mozilla-nss-tools, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/12/2016

Vulnerability Publication Date: 6/13/2016

Reference Information

CVE: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2828, CVE-2016-2830, CVE-2016-2831, CVE-2016-2834, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5252, CVE-2016-5254, CVE-2016-5258, CVE-2016-5259, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-6354