MiracleLinux 4 : thunderbird-38.7.0-1.AXS4 (AXSA:2016-141:03)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 4 updates fix multiple Firefox vulnerabilities per AXSA:2016-141:03.

Reporter	Title	Published	Views	Family All 475
0day.today	Mozilla Firefox < 45.0 - nsHtml5TreeBuilder Use-After-Free (EMET 5.52 Bypass) Exploit	18 Aug 201700:00	–	zdt
0day.today	Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution Exploit	17 Mar 201800:00	–	zdt
FreeBSD	mozilla -- multiple vulnerabilities	8 Mar 201600:00	–	freebsd
FreeBSD	graphite2 -- multiple vulnerabilities	8 Mar 201600:00	–	freebsd
Tenable Nessus	Firefox < 45 Multiple Vulnerabilities	7 Sep 201600:00	–	nessus
Tenable Nessus	Mozilla Firefox < 45.0 Multiple Vulnerabilities	8 Apr 201600:00	–	nessus
Tenable Nessus	CentOS 5 / 6 / 7 : firefox (CESA-2016:0373)	9 Mar 201600:00	–	nessus
Tenable Nessus	CentOS 5 / 6 / 7 : thunderbird (CESA-2016:0460)	17 Mar 201600:00	–	nessus
Tenable Nessus	Debian DSA-3510-1 : iceweasel - security update	10 Mar 201600:00	–	nessus
Tenable Nessus	Debian DSA-3515-1 : graphite2 - security update	14 Mar 201600:00	–	nessus

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/6527
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2016-141:03.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289978);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/09");

  script_cve_id(
    "CVE-2016-1952",
    "CVE-2016-1954",
    "CVE-2016-1957",
    "CVE-2016-1960",
    "CVE-2016-1961",
    "CVE-2016-1964",
    "CVE-2016-1966",
    "CVE-2016-1974",
    "CVE-2016-1977",
    "CVE-2016-2790",
    "CVE-2016-2791",
    "CVE-2016-2792",
    "CVE-2016-2793",
    "CVE-2016-2794",
    "CVE-2016-2795",
    "CVE-2016-2796",
    "CVE-2016-2797",
    "CVE-2016-2798",
    "CVE-2016-2799",
    "CVE-2016-2800",
    "CVE-2016-2801",
    "CVE-2016-2802"
  );

  script_name(english:"MiracleLinux 4 : thunderbird-38.7.0-1.AXS4 (AXSA:2016-141:03)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the
AXSA:2016-141:03 advisory.

    Mozilla Thunderbird is a standalone mail and newsgroup client.
    Security issues fixed with this release:
    CVE-2016-1952
    Multiple unspecified vulnerabilities in the browser engine in Mozilla
    Firefox before 45.0 and Firefox ESR 38.x before 38.7 allow remote
    attackers to cause a denial of service (memory corruption and
    application crash) or possibly execute arbitrary code via unknown
    vectors.
    CVE-2016-1954
    The nsCSPContext::SendReports function in
    dom/security/nsCSPContext.cpp in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7 does not prevent use of a non-HTTP
    report-uri for a Content Security Policy (CSP) violation report, which
    allows remote attackers to cause a denial of service (data overwrite)
    or possibly gain privileges by specifying a URL of a local file.
    CVE-2016-1957
    Memory leak in libstagefright in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial
    of service (memory consumption) via an MPEG-4 file that triggers a
    delete operation on an array.
    CVE-2016-1960
    Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string
    parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7
    allows remote attackers to execute arbitrary code or cause a denial of
    service (use-after-free) by leveraging mishandling of end tags, as
    demonstrated by incorrect SVG processing, aka ZDI-CAN-3545.
    CVE-2016-1961
    Use-after-free vulnerability in the nsHTMLDocument::SetBody function
    in dom/html/nsHTMLDocument.cpp in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7 allows remote attackers to execute
    arbitrary code by leveraging mishandling of a root element, aka
    ZDI-CAN-3574.
    CVE-2016-1964
    Use-after-free vulnerability in the AtomicBaseIncDec function in
    Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows
    remote attackers to execute arbitrary code or cause a denial of
    service (heap memory corruption) by leveraging mishandling of XML
    transformations.
    CVE-2016-1966
    The nsNPObjWrapper::GetNewOrUsed function in
    dom/plugins/base/nsJSNPRuntime.cpp in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7 allows remote attackers to execute
    arbitrary code or cause a denial of service (invalid pointer
    dereference and memory corruption) via a crafted NPAPI plugin.
    CVE-2016-1974
    The nsScannerString::AppendUnicodeTo fynction in Mozilla Firefox
    before 45.0 and Firefox ESR 38.x before 38.7 does not verify that
    memory allocation succeeds, which allows remote attackers to execute
    arbitrary code or cause a denial of service (out-of-bounds read) via
    crafted Unicode data in an HTML, XML, or SVG document.
    CVE-2016-1977
    The Machine::Code::decoder::analysis::set_ref function in Graphite 2
    before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR
    38.x before 38.7, allows remote attackers to execute arbitrary code or
    cause a denial of service (stack memory corruption) via a crafted
    Graphite smart font.
    CVE-2016-2790
    The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before
    1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
    before 38.7, does not initialize memory for an unspecified data
    structure, which allows remote attackers to cause a denial of service
    or possibly have unknown other impact via a crafted Graphite smart
    font.
    CVE-2016-2791
    The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6,
    as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
    38.7, allows remote attackers to cause a denial of service (buffer
    over-read) or possibly have unspecified other impact via a crafted
    Graphite smart font.
    CVE-2016-2792
    The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
    1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
    before 38.7, allows remote attackers to cause a denial of service
    (buffer over-read) or possibly have unspecified other impact via a
    crafted Graphite smart font, a different vulnerability than
    CVE-2016-2800.
    CVE-2016-2793
    CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox
    before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers
    to cause a denial of service (buffer over-read) or possibly have
    unspecified other impact via a crafted Graphite smart font.
    CVE-2016-2794
    The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in
    Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7, allows remote attackers to cause a
    denial of service (buffer over-read) or possibly have unspecified
    other impact via a crafted Graphite smart font.
    CVE-2016-2795
    The graphite2::FileFace::get_table_fn function in Graphite 2 before
    1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
    before 38.7, does not initialize memory for an unspecified data
    structure, which allows remote attackers to cause a denial of service
    or possibly have unknown other impact via a crafted Graphite smart
    font.
    CVE-2016-2796
    Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code
    function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before
    45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to
    cause a denial of service or possibly have unspecified other impact
    via a crafted Graphite smart font.
    CVE-2016-2797
    The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2
    before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR
    38.x before 38.7, allows remote attackers to cause a denial of service
    (buffer over-read) or possibly have unspecified other impact via a
    crafted Graphite smart font, a different vulnerability than
    CVE-2016-2801.
    CVE-2016-2798
    The graphite2::GlyphCache::Loader::Loader function in Graphite 2
    before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR
    38.x before 38.7, allows remote attackers to cause a denial of service
    (buffer over-read) or possibly have unspecified other impact via a
    crafted Graphite smart font.
    CVE-2016-2799
    Heap-based buffer overflow in the graphite2::Slot::setAttr function in
    Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7, allows remote attackers to cause a
    denial of service or possibly have unspecified other impact via a
    crafted Graphite smart font.
    CVE-2016-2800
    The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
    1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
    before 38.7, allows remote attackers to cause a denial of service
    (buffer over-read) or possibly have unspecified other impact via a
    crafted Graphite smart font, a different vulnerability than
    CVE-2016-2792.
    CVE-2016-2801
    The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp
    in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7, allows remote attackers to cause a
    denial of service (buffer over-read) or possibly have unspecified
    other impact via a crafted Graphite smart font, a different
    vulnerability than CVE-2016-2797.
    CVE-2016-2802
    The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in
    Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and
    Firefox ESR 38.x before 38.7, allows remote attackers to cause a
    denial of service (buffer over-read) or possibly have unspecified
    other impact via a crafted Graphite smart font.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/6527");
  script_set_attribute(attribute:"solution", value:
"Update the affected thunderbird package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2799");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2016-2802");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:thunderbird");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 4.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'thunderbird-38.7.0-1.AXS4', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0', 'allowmaj':TRUE},
      {'reference':'thunderbird-38.7.0-1.AXS4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0', 'allowmaj':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'thunderbird');
}

09 Feb 2026 00:00Current

8.5High risk

Vulners AI Score8.5

CVSS 29.3

CVSS 38.8

EPSS0.86455