Lucene search
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2020-1017.NASLHistoryJul 21, 2020 - 12:00 a.m.
openSUSE Security Update : MozillaFirefox (openSUSE-2020-1017)
2020-07-2100:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
30
8.7 High
AI Score
Confidence
High
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues :
Security issues fixed :
-
CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
-
CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
-
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
-
CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
-
CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
-
CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
-
CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
-
CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
-
CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
-
CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
-
CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
-
CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
-
CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
-
FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed :
- Fixed interaction with freetype6 (bsc#1173613).
This update was imported from the SUSE:SLE-15:Update update project.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-1017.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('compat.inc');
if (description)
{
script_id(138786);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/29");
script_cve_id(
"CVE-2020-12402",
"CVE-2020-12415",
"CVE-2020-12416",
"CVE-2020-12417",
"CVE-2020-12418",
"CVE-2020-12419",
"CVE-2020-12420",
"CVE-2020-12421",
"CVE-2020-12422",
"CVE-2020-12423",
"CVE-2020-12424",
"CVE-2020-12425",
"CVE-2020-12426"
);
script_name(english:"openSUSE Security Update : MozillaFirefox (openSUSE-2020-1017)");
script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"This update for MozillaFirefox to version 78.0.1 ESR fixes the
following issues :
Security issues fixed :
- CVE-2020-12415: AppCache manifest poisoning due to url
encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC
VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing
sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to
manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner
(bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to
a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to
side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same
certificate trust rules as software updates
(bsc#1173576).
- CVE-2020-12422: Integer overflow in
nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH%
for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been
bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse()
(bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78
(bsc#1173576).
- FIPS: MozillaFirefox: allow
/proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed :
- Fixed interaction with freetype6 (bsc#1173613).
This update was imported from the SUSE:SLE-15:Update update project.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1166238");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1173576");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1173613");
script_set_attribute(attribute:"solution", value:
"Update the affected MozillaFirefox packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12426");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/09");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/20");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/21");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-branding-upstream-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-buildsymbols-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-debuginfo-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-debugsource-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-devel-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-translations-common-78.0.1-lp151.2.53.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"MozillaFirefox-translations-other-78.0.1-lp151.2.53.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaFirefox / MozillaFirefox-branding-upstream / etc");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| novell | opensuse | mozillafirefox | p-cpe:/a:novell:opensuse:mozillafirefox |
| novell | opensuse | mozillafirefox-branding-upstream | p-cpe:/a:novell:opensuse:mozillafirefox-branding-upstream |
| novell | opensuse | mozillafirefox-buildsymbols | p-cpe:/a:novell:opensuse:mozillafirefox-buildsymbols |
| novell | opensuse | mozillafirefox-debuginfo | p-cpe:/a:novell:opensuse:mozillafirefox-debuginfo |
| novell | opensuse | mozillafirefox-debugsource | p-cpe:/a:novell:opensuse:mozillafirefox-debugsource |
| novell | opensuse | mozillafirefox-devel | p-cpe:/a:novell:opensuse:mozillafirefox-devel |
| novell | opensuse | mozillafirefox-translations-common | p-cpe:/a:novell:opensuse:mozillafirefox-translations-common |
| novell | opensuse | mozillafirefox-translations-other | p-cpe:/a:novell:opensuse:mozillafirefox-translations-other |
| novell | opensuse | 15.1 | cpe:/o:novell:opensuse:15.1 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12415
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12416
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12417
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12422
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12423
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12425
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12426
bugzilla.opensuse.org/show_bug.cgi?id=1166238
bugzilla.opensuse.org/show_bug.cgi?id=1173576
bugzilla.opensuse.org/show_bug.cgi?id=1173613
Related
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2020:1898-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:1899-1)
2021-04-19 00:00:00
openSUSE: Security Advisory for MozillaFirefox (openSUSE-SU-2020:0983-1)
2020-07-18 00:00:00
nessus
nessus
openSUSE Security Update : MozillaFirefox (openSUSE-2020-983)
2020-07-20 00:00:00
SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2020:14421-1)
2021-06-10 00:00:00
Mozilla Firefox < 78.0
2020-07-02 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package firefox-esr version 78.0.1-alt1
2020-07-04 00:00:00
Security fix for the ALT Linux 10 package thunderbird version 78.0-alt1
2020-07-21 00:00:00
Security fix for the ALT Linux 10 package thunderbird version 68.10.0-alt1
2020-07-13 00:00:00
kaspersky
kaspersky
KLA11824 Multiple vulnerabilities in Mozilla Firefox
2020-06-30 00:00:00
KLA11913 Multiple vulnerabilities in Mozilla Thunderbird
2020-07-16 00:00:00
KLA11825 Multiple vulnerabilities in Mozilla Firefox ESR
2020-06-30 00:00:00
mozilla
mozilla
Security Vulnerabilities fixed in Firefox 78 — Mozilla
2020-06-30 00:00:00
Security Vulnerabilities fixed in Thunderbird 78 — Mozilla
2020-07-16 00:00:00
Security Vulnerabilities fixed in Firefox ESR 68.10 — Mozilla
2020-06-30 00:00:00
suse
suse
Security update for MozillaFirefox (important)
2020-07-17 00:00:00
Security update for MozillaFirefox (important)
2020-07-20 00:00:00
Security update for MozillaThunderbird (important)
2020-07-17 00:00:00
gentoo
gentoo
Mozilla Firefox: Multiple vulnerabilities
2020-07-26 00:00:00
Mozilla Thunderbird: Multiple vulnerabilities
2020-07-26 00:00:00
ubuntu
ubuntu
Firefox vulnerabilities
2020-07-02 00:00:00
Thunderbird vulnerabilities
2020-07-08 00:00:00
oraclelinux
oraclelinux
firefox security update
2020-07-08 00:00:00
thunderbird security update
2020-07-14 00:00:00
thunderbird security update
2020-07-22 00:00:00
osv
osv
firefox-esr - security update
2020-07-01 00:00:00
thunderbird - security update
2020-07-05 00:00:00
amazon
amazon
Important: thunderbird
2023-02-17 00:11:00
Important: thunderbird
2020-07-21 16:34:00
debian
debian
[SECURITY] [DSA 4713-1] firefox-esr security update
2020-07-01 18:12:37
[SECURITY] [DSA 4718-1] thunderbird security update
2020-07-05 18:11:57
centos
centos
firefox security update
2020-07-08 17:23:13
firefox security update
2020-07-08 17:26:10
redhat
redhat
(RHSA-2020:2825) Important: firefox security update
2020-07-06 20:18:27
(RHSA-2020:2826) Important: firefox security update
2020-07-06 20:39:10
(RHSA-2020:2827) Important: firefox security update
2020-07-06 20:39:44
ibm
ibm
mageia
mageia
Updated firefox packages fix security vulnerability
2020-07-05 01:47:21
Updated Thunderbird packages fix security vulnerabilities
2020-09-30 13:01:40
Updated thunderbird packages fix security vulnerability
2020-08-01 02:25:42
cve
cve
veracode
veracode
Arbitrary Code Execution
2020-08-06 21:32:18
Denial Of Service (DoS)
2020-08-06 21:32:32
Authorization Bypass
2020-08-06 21:32:23
prion
prion
Race condition
2020-07-09 15:15:00
Memory corruption
2020-07-09 15:15:00
Directory traversal
2020-07-09 15:15:00
debiancve
debiancve
ubuntucve
ubuntucve
redhatcve
redhatcve
alpinelinux
alpinelinux
fedora
fedora
[SECURITY] Fedora 31 Update: nss-3.54.0-1.fc31
2020-08-01 01:18:32
[SECURITY] Fedora 32 Update: nspr-4.26.0-1.fc32
2020-07-19 01:11:46