openSUSE Security Update : MozillaFirefox (openSUSE-2017-187)

High Nessus Plugin ID 96940

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 8.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for MozillaFirefox to version 51.0.1 fixes security issues and bugs.

These security issues were fixed :

- CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814)

- CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826)

- CVE-2017-5378: Pointer and frame data leakage of JavaScript objects (bmo#1312001, bmo#1330769, boo#1021818)

- CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827)

- CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819)

- CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820)

- CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828)

- CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821)

- CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830)

- CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831)

- CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822)

- CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832)

- CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833)

- CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823)

- CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835)

- CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837)

- CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839)

- CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840)

- CVE-2017-5374: Memory safety bugs (boo#1021841)

- CVE-2017-5373: Memory safety bugs (boo#1021824)

These non-security issues in MozillaFirefox were fixed :

- Added support for FLAC (Free Lossless Audio Codec) playback

- Added support for WebGL 2

- Added Georgian (ka) and Kabyle (kab) locales

- Support saving passwords for forms without 'submit' events

- Improved video performance for users without GPU acceleration

- Zoom indicator is shown in the URL bar if the zoom level is not at default level

- View passwords from the prompt before saving them

- Remove Belarusian (be) locale

- Use Skia for content rendering (Linux)

- Improve recognition of LANGUAGE env variable (boo#1017174)

- Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)

Solution

Update the affected MozillaFirefox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1017174

https://bugzilla.opensuse.org/show_bug.cgi?id=1021814

https://bugzilla.opensuse.org/show_bug.cgi?id=1021817

https://bugzilla.opensuse.org/show_bug.cgi?id=1021818

https://bugzilla.opensuse.org/show_bug.cgi?id=1021819

https://bugzilla.opensuse.org/show_bug.cgi?id=1021820

https://bugzilla.opensuse.org/show_bug.cgi?id=1021821

https://bugzilla.opensuse.org/show_bug.cgi?id=1021822

https://bugzilla.opensuse.org/show_bug.cgi?id=1021823

https://bugzilla.opensuse.org/show_bug.cgi?id=1021824

https://bugzilla.opensuse.org/show_bug.cgi?id=1021826

https://bugzilla.opensuse.org/show_bug.cgi?id=1021827

https://bugzilla.opensuse.org/show_bug.cgi?id=1021828

https://bugzilla.opensuse.org/show_bug.cgi?id=1021830

https://bugzilla.opensuse.org/show_bug.cgi?id=1021831

https://bugzilla.opensuse.org/show_bug.cgi?id=1021832

https://bugzilla.opensuse.org/show_bug.cgi?id=1021833

https://bugzilla.opensuse.org/show_bug.cgi?id=1021835

https://bugzilla.opensuse.org/show_bug.cgi?id=1021837

https://bugzilla.opensuse.org/show_bug.cgi?id=1021839

https://bugzilla.opensuse.org/show_bug.cgi?id=1021840

https://bugzilla.opensuse.org/show_bug.cgi?id=1021841

Plugin Details

Severity: High

ID: 96940

File Name: openSUSE-2017-187.nasl

Version: 3.8

Type: local

Agent: unix

Published: 2017/02/02

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 8.9

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/02/01

Vulnerability Publication Date: 2018/06/11

Reference Information

CVE: CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5392, CVE-2017-5393, CVE-2017-5394, CVE-2017-5395, CVE-2017-5396