openSUSE Security Update : Firefox 46.0 (openSUSE-2016-566) (SWEET32)

high Nessus Plugin ID 91069

Synopsis

The remote openSUSE host is missing a security update.

Description

This update to Mozilla Firefox 46.0 fixes several security issues and bugs (boo#977333).

The following vulnerabilities were fixed :

- CVE-2016-2804: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977373)

- CVE-2016-2806: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977375)

- CVE-2016-2807: Miscellaneous memory safety hazards - MFSA 2016-39 (boo#977376)

- CVE-2016-2808: Write to invalid HashMap entry through JavaScript.watch()

- MFSA 2016-47 (boo#977386)

- CVE-2016-2811: Use-after-free in Service Worker - MFSA 2016-42 (boo#977379)

- CVE-2016-2812: Buffer overflow in Service Worker - MFSA 2016-42 (boo#977379)

- CVE-2016-2814: Buffer overflow in libstagefright with CENC offsets - MFSA 2016-44 (boo#977381)

- CVE-2016-2816: CSP not applied to pages sent with multipart/x-mixed-replace - MFSA 2016-45 (boo#977382)

- CVE-2016-2817: Elevation of privilege with chrome.tabs.update API in web extensions - MFSA 2016-46 (boo#977384)

- CVE-2016-2820: Firefox Health Reports could accept events from untrusted domains - MFSA 2016-48 (boo#977388)

The following miscellaneous changes are included :

- Improved security of the JavaScript Just In Time (JIT) Compiler

- WebRTC fixes to improve performance and stability

- Added support for document.elementsFromPoint

- Added HKDF support for Web Crypto API

The minimum requirements increased to NSPR 4.12 and NSS 3.22.3.

Mozilla NSS was updated to 3.22.3 as a dependency for Mozilla Firefox 46.0, with the following changes :

- Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake (bmo#1243641)

- RSA-PSS signatures are now supported

- Pseudorandom functions based on hashes other than SHA-1 are now supported

- Enforce an External Policy on NSS from a config file

Solution

Update the affected Firefox 46.0 packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=1009429

https://bugzilla.mozilla.org/show_bug.cgi?id=1197901

https://bugzilla.mozilla.org/show_bug.cgi?id=1212939

https://bugzilla.mozilla.org/show_bug.cgi?id=1215295

https://bugzilla.mozilla.org/show_bug.cgi?id=1223743

https://bugzilla.mozilla.org/show_bug.cgi?id=1227462

https://bugzilla.mozilla.org/show_bug.cgi?id=1229681

https://bugzilla.mozilla.org/show_bug.cgi?id=1230955

https://bugzilla.mozilla.org/show_bug.cgi?id=1243641

https://bugzilla.mozilla.org/show_bug.cgi?id=1246061

https://bugzilla.mozilla.org/show_bug.cgi?id=1249572

https://bugzilla.mozilla.org/show_bug.cgi?id=1252330

https://bugzilla.mozilla.org/show_bug.cgi?id=1254503

https://bugzilla.mozilla.org/show_bug.cgi?id=1254694

https://bugzilla.mozilla.org/show_bug.cgi?id=1254721

https://bugzilla.mozilla.org/show_bug.cgi?id=1254856

https://bugzilla.mozilla.org/show_bug.cgi?id=1254980

https://bugzilla.mozilla.org/show_bug.cgi?id=1255139

https://bugzilla.mozilla.org/show_bug.cgi?id=1255605

https://bugzilla.mozilla.org/show_bug.cgi?id=1255735

https://bugzilla.mozilla.org/show_bug.cgi?id=1257861

https://bugzilla.mozilla.org/show_bug.cgi?id=1258562

https://bugzilla.mozilla.org/show_bug.cgi?id=1259482

https://bugzilla.mozilla.org/show_bug.cgi?id=1261776

https://bugzilla.mozilla.org/show_bug.cgi?id=2714650

https://bugzilla.mozilla.org/show_bug.cgi?id=870870

https://bugzilla.opensuse.org/show_bug.cgi?id=977333

https://bugzilla.opensuse.org/show_bug.cgi?id=977373

https://bugzilla.opensuse.org/show_bug.cgi?id=977375

https://bugzilla.opensuse.org/show_bug.cgi?id=977376

https://bugzilla.opensuse.org/show_bug.cgi?id=977377

https://bugzilla.opensuse.org/show_bug.cgi?id=977378

https://bugzilla.opensuse.org/show_bug.cgi?id=977379

https://bugzilla.opensuse.org/show_bug.cgi?id=977380

https://bugzilla.opensuse.org/show_bug.cgi?id=977381

https://bugzilla.opensuse.org/show_bug.cgi?id=977382

https://bugzilla.opensuse.org/show_bug.cgi?id=977384

https://bugzilla.opensuse.org/show_bug.cgi?id=977386

https://bugzilla.opensuse.org/show_bug.cgi?id=977388

Plugin Details

Severity: High

ID: 91069

File Name: openSUSE-2016-566.nasl

Version: 2.8

Type: local

Agent: unix

Published: 5/12/2016

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:mozillafirefox-translations-other, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo-32bit, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-certs-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-certs-debuginfo, p-cpe:/a:novell:opensuse:libfreebl3, p-cpe:/a:novell:opensuse:mozilla-nss-certs, p-cpe:/a:novell:opensuse:mozilla-nss-tools, p-cpe:/a:novell:opensuse:libsoftokn3, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozillafirefox, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo, p-cpe:/a:novell:opensuse:libsoftokn3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-debugsource, p-cpe:/a:novell:opensuse:mozilla-nss-devel, p-cpe:/a:novell:opensuse:mozillafirefox-debugsource, p-cpe:/a:novell:opensuse:libfreebl3-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo, p-cpe:/a:novell:opensuse:mozilla-nss-debuginfo, cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit-debuginfo-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-sysinit, p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols, p-cpe:/a:novell:opensuse:mozillafirefox-devel, p-cpe:/a:novell:opensuse:libsoftokn3-32bit, p-cpe:/a:novell:opensuse:mozilla-nss-tools-debuginfo, p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream, p-cpe:/a:novell:opensuse:libfreebl3-32bit, p-cpe:/a:novell:opensuse:mozilla-nss, p-cpe:/a:novell:opensuse:mozillafirefox-translations-common, p-cpe:/a:novell:opensuse:mozilla-nss-32bit

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 5/6/2016

Vulnerability Publication Date: 4/30/2016

Reference Information

CVE: CVE-2016-2804, CVE-2016-2806, CVE-2016-2807, CVE-2016-2808, CVE-2016-2809, CVE-2016-2810, CVE-2016-2811, CVE-2016-2812, CVE-2016-2813, CVE-2016-2814, CVE-2016-2816, CVE-2016-2817, CVE-2016-2820