Detections
Analytics
openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2016-541)
high Nessus Plugin ID 90932
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
This update to Mozilla Firefox 46.0 fixes several security issues and bugs (boo#977333).The following vulnerabilities were fixed :
- CVE-2016-2804: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977373)
- CVE-2016-2806: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977375)
- CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977376)
- CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch() - MFSA 2016-47 (boo#977386)
- CVE-2016-2811: Use-after-free in Service Worker - MFSA 2016-42 (boo#977379)
- CVE-2016-2812: Buffer overflow in Service Worker - MFSA 2016-42 (boo#977379)
- CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (boo#977381)
- CVE-2016-2816: CSP not applied to pages sent with multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)
- CVE-2016-2817: Elevation of privilege with chrome.tabs.update API in web extensions - MFSA 2016-46 (boo#977384)
- CVE-2016-2820: Firefox Health Reports could accept events from untrusted domains - MFSA 2016-48 (boo#977388)
The following miscellaneous changes are included :
- Improved security of the JavaScript Just In Time (JIT) Compiler
- WebRTC fixes to improve performance and stability
- Added support for document.elementsFromPoint
- Added HKDF support for Web Crypto API
The following changes from Mozilla Firefox 45.0.2 are included :
- Fix an issue impacting the cookie header when third-party cookies are blocked
- Fix a web compatibility regression impacting the srcset attribute of the image tag
- Fix a crash impacting the video playback with Media Source Extension
- Fix a regression impacting some specific uploads
- Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird
The following changes from Mozilla Firefox 45.0.2 are included :
- Fix a regression causing search engine settings to be lost in some context
- Bring back non-standard jar: URIs to fix a regression in IBM iNotes
- XSLTProcessor.importStylesheet was failing when import was used
- Fix an issue which could cause the list of search provider to be empty
- Fix a regression when using the location bar (bmo#1254503)
- Fix some loading issues when Accept third-party cookies:
was set to Never
- Disabled Graphite font shaping library
The minimum requirements increased to NSPR 4.12 and NSS 3.22.3.
Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox 46.0, with the following changes :
- Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake (bmo#1243641)
- RSA-PSS signatures are now supported
- Pseudorandom functions based on hashes other than SHA-1 are now supported
- Enforce an External Policy on NSS from a config file
Solution
Update the affected MozillaFirefox / mozilla-nss packages.See Also
https://bugzilla.opensuse.org/show_bug.cgi?id=977333
https://bugzilla.opensuse.org/show_bug.cgi?id=977373
https://bugzilla.opensuse.org/show_bug.cgi?id=977375
https://bugzilla.opensuse.org/show_bug.cgi?id=977376
https://bugzilla.opensuse.org/show_bug.cgi?id=977379
https://bugzilla.opensuse.org/show_bug.cgi?id=977381
https://bugzilla.opensuse.org/show_bug.cgi?id=977382
https://bugzilla.opensuse.org/show_bug.cgi?id=977384
Plugin Details
Severity: High
ID: 90932
File Name: openSUSE-2016-541.nasl
Version: 1.6
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 5/6/2016
Updated: 1/19/2021
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: High
Base Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, cpe:/o:novell:opensuse:42.1, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, cpe:/o:novell:opensuse:13.2, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozilla-nss-32bit
Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu
Patch Publication Date: 5/4/2016
Reference Information
CVE: CVE-2016-2804, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2811, CVE-2016-2812, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820