openSUSE Security Update : MozillaFirefox (openSUSE-2017-187)

critical Nessus Plugin ID 96940


New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote openSUSE host is missing a security update.


This update for MozillaFirefox to version 51.0.1 fixes security issues and bugs.

These security issues were fixed :

- CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (bmo#1325200, boo#1021814)

- CVE-2017-5376: Use-after-free in XSL (bmo#1311687, boo#1021817) CVE-2017-5377: Memory corruption with transforms to create gradients in Skia (bmo#1306883, boo#1021826)

- CVE-2017-5378: Pointer and frame data leakage of JavaScript objects (bmo#1312001, bmo#1330769, boo#1021818)

- CVE-2017-5379: Use-after-free in Web Animations (bmo#1309198,boo#1021827)

- CVE-2017-5380: Potential use-after-free during DOM manipulations (bmo#1322107, boo#1021819)

- CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (bmo#1297361, boo#1021820)

- CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests (bmo#1308688, boo#1021828)

- CVE-2017-5396: Use-after-free with Media Decoder (bmo#1329403, boo#1021821)

- CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations (bmo#1017616, boo#1021830)

- CVE-2017-5382: Feed preview can expose privileged content errors and exceptions (bmo#1295322, boo#1021831)

- CVE-2017-5383: Location bar spoofing with unicode characters (bmo#1323338, bmo#1324716, boo#1021822)

- CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) (bmo#1255474, boo#1021832)

- CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers (bmo#1295945, boo#1021833)

- CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions (bmo#1319070, boo#1021823)

- CVE-2017-5391: Content about: pages can load privileged about: pages (bmo#1309310, boo#1021835)

- CVE-2017-5393: Remove CDN from whitelist for mozAddonManager (bmo#1309282, boo#1021837)

- CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages (bmo#1295023, boo#1021839)

- CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks (bmo#1281482, boo#1021840)

- CVE-2017-5374: Memory safety bugs (boo#1021841)

- CVE-2017-5373: Memory safety bugs (boo#1021824)

These non-security issues in MozillaFirefox were fixed :

- Added support for FLAC (Free Lossless Audio Codec) playback

- Added support for WebGL 2

- Added Georgian (ka) and Kabyle (kab) locales

- Support saving passwords for forms without 'submit' events

- Improved video performance for users without GPU acceleration

- Zoom indicator is shown in the URL bar if the zoom level is not at default level

- View passwords from the prompt before saving them

- Remove Belarusian (be) locale

- Use Skia for content rendering (Linux)

- Improve recognition of LANGUAGE env variable (boo#1017174)

- Multiprocess incompatibility did not correctly register with some add-ons (bmo#1333423)


Update the affected MozillaFirefox packages.

See Also

Plugin Details

Severity: Critical

ID: 96940

File Name: openSUSE-2017-187.nasl

Version: 3.9

Type: local

Agent: unix

Published: 2/2/2017

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Critical

Score: 9.4


Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:MozillaFirefox, p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream, p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols, p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo, p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource, p-cpe:/a:novell:opensuse:MozillaFirefox-devel, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common, p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/1/2017

Vulnerability Publication Date: 6/11/2018

Reference Information

CVE: CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5392, CVE-2017-5393, CVE-2017-5394, CVE-2017-5395, CVE-2017-5396