===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0820
       SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr,
                                  mozilla-nss
                               31 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          MozillaFirefox
                  mozilla-nspr
                  mozilla-nss
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Overwrite Arbitrary Files       -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Provide Misleading Information  -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-2802 CVE-2016-2801 CVE-2016-2800
                  CVE-2016-2799 CVE-2016-2798 CVE-2016-2797
                  CVE-2016-2796 CVE-2016-2795 CVE-2016-2794
                  CVE-2016-2793 CVE-2016-2792 CVE-2016-2791
                  CVE-2016-2790 CVE-2016-1979 CVE-2016-1978
                  CVE-2016-1977 CVE-2016-1974 CVE-2016-1966
                  CVE-2016-1965 CVE-2016-1964 CVE-2016-1962
                  CVE-2016-1961 CVE-2016-1960 CVE-2016-1958
                  CVE-2016-1957 CVE-2016-1954 CVE-2016-1953
                  CVE-2016-1952 CVE-2016-1950 

Reference:        ASB-2016.0025

---------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0909-1
Rating:             important
References:         #969894 
Cross-References:   CVE-2016-1950 CVE-2016-1952 CVE-2016-1953
                    CVE-2016-1954 CVE-2016-1957 CVE-2016-1958
                    CVE-2016-1960 CVE-2016-1961 CVE-2016-1962
                    CVE-2016-1964 CVE-2016-1965 CVE-2016-1966
                    CVE-2016-1974 CVE-2016-1977 CVE-2016-1978
                    CVE-2016-1979 CVE-2016-2790 CVE-2016-2791
                    CVE-2016-2792 CVE-2016-2793 CVE-2016-2794
                    CVE-2016-2795 CVE-2016-2796 CVE-2016-2797
                    CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
                    CVE-2016-2801 CVE-2016-2802
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that fixes 29 vulnerabilities is now available.

Description:


   This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the
   following issues:

   Mozilla Firefox was updated to 38.7.0 ESR (bsc#969894), fixing the following
   security issues:
   * MFSA 2016-16/CVE-2016-1952/CVE-2016-1953 Miscellaneous memory safety
     hazards (rv:45.0 / rv:38.7)
   * MFSA 2016-17/CVE-2016-1954 Local file overwriting and potential
     privilege escalation through CSP reports
   * MFSA 2016-20/CVE-2016-1957 Memory leak in libstagefright when deleting
     an array during MP4 processing
   * MFSA 2016-21/CVE-2016-1958 Displayed page address can be overridden
   * MFSA 2016-23/CVE-2016-1960 Use-after-free in HTML5 string parser
   * MFSA 2016-24/CVE-2016-1961 Use-after-free in SetBody
   * MFSA 2016-25/CVE-2016-1962 Use-after-free when using multiple WebRTC
     data channels
   * MFSA 2016-27/CVE-2016-1964 Use-after-free during XML transformations
   * MFSA 2016-28/CVE-2016-1965 Addressbar spoofing through history navigation
     and Location protocol property
   * MFSA 2016-31/CVE-2016-1966 Memory corruption with malicious NPAPI plugin
   * MFSA 2016-34/CVE-2016-1974 Out-of-bounds read in HTML parser following a
     failed allocation
   * MFSA 2016-35/CVE-2016-1950 Buffer overflow during ASN.1 decoding in NSS
   * MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
     CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
     CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
     CVE-2016-2800/CVE-2016-2801/CVE-2016-2802 Font vulnerabilities in the
     Graphite 2 library

   Mozilla NSPR was updated to version 4.12 (bsc#969894), fixing the following
   bugs:
   * added a PR_GetEnvSecure function, which attempts to detect whether the
     program is being executed with elevated privileges and returns NULL if
     so. It is recommended to use this function in general-purpose library
     code.
   * fixed a memory allocation bug related to the PR_*printf functions
   * exported API PR_DuplicateEnvironment, which had already been added in
     NSPR 4.10.9
   * added support for FreeBSD aarch64
   * several minor correctness and compatibility fixes
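   The PR_GetEnvSecure contract described above (return NULL when the process
   runs with elevated privileges) modelled in C, as an added example that is
   not NSPR's own implementation; the detection via AT_SECURE and real-vs-
   effective ids, and the names getenv_if_unprivileged, getenv_secure_model
   and resolve_config_path, are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Report whether the process holds privileges its invoker did not have
 * (setuid/setgid binary or file capabilities). On Linux the kernel records
 * this in the AT_SECURE auxiliary-vector entry; the real-vs-effective id
 * comparison is a portable fallback. Detection method is an assumption of
 * this example, not NSPR's code. */
int running_elevated(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Core of the PR_GetEnvSecure contract as the advisory states it: refuse to
 * read the environment when the process is elevated. The 'elevated' flag is
 * passed in so the refusal path can be exercised without running setuid. */
const char *getenv_if_unprivileged(const char *name, int elevated)
{
    if (elevated)
        return NULL;
    return getenv(name);
}

/* Wrapper with PR_GetEnvSecure's one-argument shape (hypothetical name). */
const char *getenv_secure_model(const char *name)
{
    return getenv_if_unprivileged(name, running_elevated());
}

/* Library-style use: an environment override for a file path is honoured
 * only in an unprivileged process; otherwise the built-in default wins. */
const char *resolve_config_path(const char *env_name, const char *fallback,
                                int elevated)
{
    const char *v = getenv_if_unprivileged(env_name, elevated);
    return (v != NULL && v[0] != '\0') ? v : fallback;
}
```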

   Mozilla NSS was updated to fix security issues (bsc#969894):
   * MFSA 2016-15/CVE-2016-1978 Use-after-free in NSS during SSL connections
     in low memory
   * MFSA 2016-35/CVE-2016-1950 Buffer overflow during ASN.1 decoding in NSS
   * MFSA 2016-36/CVE-2016-1979 Use-after-free during processing of DER
     encoded keys in NSS


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-firefox-20160310-12483=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-firefox-20160310-12483=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      MozillaFirefox-38.7.0esr-36.3
      MozillaFirefox-translations-38.7.0esr-36.3
      libfreebl3-3.20.2-20.1
      mozilla-nspr-4.12-19.1
      mozilla-nspr-devel-4.12-19.1
      mozilla-nss-3.20.2-20.1
      mozilla-nss-devel-3.20.2-20.1
      mozilla-nss-tools-3.20.2-20.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):

      libfreebl3-32bit-3.20.2-20.1
      mozilla-nspr-32bit-4.12-19.1
      mozilla-nss-32bit-3.20.2-20.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      MozillaFirefox-debuginfo-38.7.0esr-36.3
      MozillaFirefox-debugsource-38.7.0esr-36.3
      mozilla-nspr-debuginfo-4.12-19.1
      mozilla-nspr-debugsource-4.12-19.1
      mozilla-nss-debuginfo-3.20.2-20.1
      mozilla-nss-debugsource-3.20.2-20.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):

      mozilla-nspr-debuginfo-32bit-4.12-19.1
      mozilla-nss-debuginfo-32bit-3.20.2-20.1


References:

   https://www.suse.com/security/cve/CVE-2016-1950.html
   https://www.suse.com/security/cve/CVE-2016-1952.html
   https://www.suse.com/security/cve/CVE-2016-1953.html
   https://www.suse.com/security/cve/CVE-2016-1954.html
   https://www.suse.com/security/cve/CVE-2016-1957.html
   https://www.suse.com/security/cve/CVE-2016-1958.html
   https://www.suse.com/security/cve/CVE-2016-1960.html
   https://www.suse.com/security/cve/CVE-2016-1961.html
   https://www.suse.com/security/cve/CVE-2016-1962.html
   https://www.suse.com/security/cve/CVE-2016-1964.html
   https://www.suse.com/security/cve/CVE-2016-1965.html
   https://www.suse.com/security/cve/CVE-2016-1966.html
   https://www.suse.com/security/cve/CVE-2016-1974.html
   https://www.suse.com/security/cve/CVE-2016-1977.html
   https://www.suse.com/security/cve/CVE-2016-1978.html
   https://www.suse.com/security/cve/CVE-2016-1979.html
   https://www.suse.com/security/cve/CVE-2016-2790.html
   https://www.suse.com/security/cve/CVE-2016-2791.html
   https://www.suse.com/security/cve/CVE-2016-2792.html
   https://www.suse.com/security/cve/CVE-2016-2793.html
   https://www.suse.com/security/cve/CVE-2016-2794.html
   https://www.suse.com/security/cve/CVE-2016-2795.html
   https://www.suse.com/security/cve/CVE-2016-2796.html
   https://www.suse.com/security/cve/CVE-2016-2797.html
   https://www.suse.com/security/cve/CVE-2016-2798.html
   https://www.suse.com/security/cve/CVE-2016-2799.html
   https://www.suse.com/security/cve/CVE-2016-2800.html
   https://www.suse.com/security/cve/CVE-2016-2801.html
   https://www.suse.com/security/cve/CVE-2016-2802.html
   https://bugzilla.suse.com/969894

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================