Detections
Analytics

openSUSE Security Update : MozillaFirefox (openSUSE-SU-2015:0077-2)

high Nessus Plugin ID 80843

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

MozillaFirefox was updated to version 35.0 (bnc#910669)

Notable features :

 - Firefox Hello with new rooms-based conversations model

 - Implemented HTTP Public Key Pinning Extension (for enhanced authentication of encrypted connections)

Security fixes :

 - MFSA 2015-01/CVE-2014-8634/CVE-2014-8635 Miscellaneous memory safety hazards

 - MFSA 2015-02/CVE-2014-8637 (bmo#1094536) Uninitialized memory use during bitmap rendering

 - MFSA 2015-03/CVE-2014-8638 (bmo#1080987) sendBeacon requests lack an Origin header

 - MFSA 2015-04/CVE-2014-8639 (bmo#1095859) Cookie injection through Proxy Authenticate responses

 - MFSA 2015-05/CVE-2014-8640 (bmo#1100409) Read of uninitialized memory in Web Audio

 - MFSA 2015-06/CVE-2014-8641 (bmo#1108455) Read-after-free in WebRTC

 - MFSA 2015-07/CVE-2014-8643 (bmo#1114170) (Windows-only) Gecko Media Plugin sandbox escape

 - MFSA 2015-08/CVE-2014-8642 (bmo#1079658) Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension

 - MFSA 2015-09/CVE-2014-8636 (bmo#987794) XrayWrapper bypass through DOM objects

 - obsolete tracker-miner-firefox < 0.15 because it leads to startup crashes (bnc#908892)

Solution

Update the affected MozillaFirefox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=908892

https://bugzilla.opensuse.org/show_bug.cgi?id=910669

https://lists.opensuse.org/opensuse-updates/2015-01/msg00039.html

https://lists.opensuse.org/opensuse-updates/2015-01/msg00042.html

Plugin Details

Severity: High

ID: 80843

File Name: openSUSE-2015-40.nasl

Version: 1.10

Type: local

Agent: unix

Published: 1/20/2015

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/16/2015

Exploitable With

Metasploit (Firefox Proxy Prototype Privileged Javascript Injection)

Reference Information

CVE: CVE-2014-8634, CVE-2014-8635, CVE-2014-8636, CVE-2014-8637, CVE-2014-8638, CVE-2014-8639, CVE-2014-8640, CVE-2014-8641, CVE-2014-8642, CVE-2014-8643