Detections
Analytics

openSUSE Security Update : MozillaFirefox (openSUSE-2015-547)

critical Nessus Plugin ID 85436

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

- update to Firefox 40.0 (bnc#940806)

 - Added protection against unwanted software downloads

 - Suggested Tiles show sites of interest, based on categories from your recent browsing history

 - Hello allows adding a link to conversations to provide context on what the conversation will be about

 - New style for add-on manager based on the in-content preferences style

 - Improved scrolling, graphics, and video playback performance with off main thread compositing (GNU/Linux only)

 - Graphic blocklist mechanism improved: Firefox version ranges can be specified, limiting the number of devices blocked security fixes :

 - MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards

 - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file

 - MFSA 2015-81/CVE-2015-4477 (bmo#1179484) Use-after-free in MediaStream playback

 - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties

 - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright

 - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)

 - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)

 - MFSA 2015-86/CVE-2015-4483 (bmo#1148732) Feed protocol with POST bypasses mixed content protections

 - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript

 - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images

 - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video

 - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection

 - MFSA 2015-91/CVE-2015-4490 (bmo#1086999) Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification

 - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers

 - added mozilla-no-stdcxx-check.patch

 - removed obsolete patches

 - mozilla-add-glibcxx_use_cxx11_abi.patch

 - firefox-multilocale-chrome.patch

 - rebased patches

 - requires version 40 of the branding package

 - removed browser/searchplugins/ location as it's not valid anymore

 - includes security update to Firefox 39.0.3 (bnc#940918)

 - MFSA 2015-78/CVE-2015-4495 (bmo#1179262, bmo#1178058) Same origin violation and local file stealing via PDF reader

Solution

Update the affected MozillaFirefox packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=940806

https://bugzilla.opensuse.org/show_bug.cgi?id=940918

Plugin Details

Severity: Critical

ID: 85436

File Name: openSUSE-2015-547.nasl

Version: 2.6

Type: local

Agent: unix

Published: 8/17/2015

Updated: 5/25/2022

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozillafirefox-branding-opensuse, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/13/2015

CISA Known Exploited Vulnerability Due Dates: 6/15/2022

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4477, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482, CVE-2015-4483, CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4490, CVE-2015-4491, CVE-2015-4492, CVE-2015-4493, CVE-2015-4495