Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-Windows

2017-03-20T00:00:00

Description

This host is installed with Mozilla Firefox ESR and is prone to multiple vulnerabilities.

{"id": "OPENVAS:1361412562310810821", "type": "openvas", "bulletinFamily": "scanner", "title": "Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-Windows", "description": "This host is installed with Mozilla Firefox\n ESR and is prone to multiple vulnerabilities.", "published": "2017-03-20T00:00:00", "modified": "2019-07-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810821", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://www.mozilla.org/en-US/security/advisories/mfsa2017-08"], "cvelist": ["CVE-2017-5428"], "lastseen": "2019-07-19T22:05:46", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201703-15"]}, {"type": "centos", "idList": ["CESA-2017:0558"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0467"]}, {"type": "cve", "idList": ["CVE-2017-5428"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-5428"]}, {"type": "fedora", "idList": ["FEDORA:600E16075DAE", "FEDORA:974106070D38"]}, {"type": "freebsd", "idList": ["5F453B69-ABAB-4E76-B6E5-2ED0BAFCAEE3"]}, {"type": "kaspersky", "idList": ["KLA10971"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/FREEBSD-CVE-2017-5429/", "MSF:ILITIES/FREEBSD-CVE-2017-5432/", "MSF:ILITIES/FREEBSD-CVE-2017-5444/", "MSF:ILITIES/FREEBSD-CVE-2017-5446/", "MSF:ILITIES/FREEBSD-CVE-2017-5448/", "MSF:ILITIES/FREEBSD-CVE-2017-5449/", "MSF:ILITIES/FREEBSD-CVE-2017-5459/", "MSF:ILITIES/FREEBSD-CVE-2017-5460/", "MSF:ILITIES/REDHAT_LINUX-CVE-2017-5428/", "MSF:ILITIES/SUSE-CVE-2017-5429/", "MSF:ILITIES/SUSE-CVE-2017-5433/", "MSF:ILITIES/SUSE-CVE-2017-5434/", "MSF:ILITIES/SUSE-CVE-2017-5435/", "MSF:ILITIES/SUSE-CVE-2017-5438/", "MSF:ILITIES/SUSE-CVE-2017-5439/", "MSF:ILITIES/SUSE-CVE-2017-5440/", "MSF:ILITIES/SUSE-CVE-2017-5441/", "MSF:ILITIES/SUSE-CVE-2017-5442/", "MSF:ILITIES/SUSE-CVE-2017-5444/", "MSF:ILITIES/SUSE-CVE-2017-5445/", "MSF:ILITIES/SUSE-CVE-2017-5447/", "MSF:ILITIES/SUSE-CVE-2017-5448/", "MSF:ILITIES/SUSE-CVE-2017-5464/", "MSF:ILITIES/SUSE-CVE-2017-5469/", "MSF:ILITIES/UBUNTU-CVE-2017-5429/", "MSF:ILITIES/UBUNTU-CVE-2017-5432/", "MSF:ILITIES/UBUNTU-CVE-2017-5433/", "MSF:ILITIES/UBUNTU-CVE-2017-5434/", "MSF:ILITIES/UBUNTU-CVE-2017-5435/", "MSF:ILITIES/UBUNTU-CVE-2017-5436/", "MSF:ILITIES/UBUNTU-CVE-2017-5439/", "MSF:ILITIES/UBUNTU-CVE-2017-5440/", "MSF:ILITIES/UBUNTU-CVE-2017-5441/", "MSF:ILITIES/UBUNTU-CVE-2017-5442/", "MSF:ILITIES/UBUNTU-CVE-2017-5444/", "MSF:ILITIES/UBUNTU-CVE-2017-5445/", "MSF:ILITIES/UBUNTU-CVE-2017-5446/", "MSF:ILITIES/UBUNTU-CVE-2017-5449/", "MSF:ILITIES/UBUNTU-CVE-2017-5464/", "MSF:ILITIES/UBUNTU-CVE-2017-5465/"]}, {"type": "mozilla", "idList": ["MFSA2017-08"]}, {"type": "nessus", "idList": ["700012.PRM", "700013.PRM", "CENTOS_RHSA-2017-0558.NASL", "EULEROS_SA-2017-1047.NASL", "EULEROS_SA-2017-1048.NASL", "FEDORA_2017-9E1CCFE586.NASL", "FEDORA_2017-CD33654294.NASL", "FREEBSD_PKG_5F453B69ABAB4E76B6E52ED0BAFCAEE3.NASL", "MACOSX_FIREFOX_52_0_1.NASL", "MACOSX_FIREFOX_52_0_1_ESR.NASL", "MOZILLA_FIREFOX_52_0_1.NASL", "MOZILLA_FIREFOX_52_0_1ESR.NASL", "NEWSTART_CGSL_NS-SA-2019-0103_FIREFOX.NASL", "OPENSUSE-2017-368.NASL", "ORACLELINUX_ELSA-2017-0558.NASL", "REDHAT-RHSA-2017-0558.NASL", "SL_20170317_FIREFOX_ON_SL7_X.NASL", "UBUNTU_USN-3238-1.NASL", "VIRTUOZZO_VZLSA-2017-0558.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810819", "OPENVAS:1361412562310810820", "OPENVAS:1361412562310810822", "OPENVAS:1361412562310843100", "OPENVAS:1361412562310851526", "OPENVAS:1361412562310871774", "OPENVAS:1361412562310872521", "OPENVAS:1361412562310872528", "OPENVAS:1361412562310882683", "OPENVAS:1361412562311220171047", "OPENVAS:1361412562311220171048"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-0558", "ELSA-2017-1104", "ELSA-2018-2113", "ELSA-2018-2693", "ELSA-2019-3281", "ELSA-2019-4108", "ELSA-2020-0086", "ELSA-2020-0521", "ELSA-2020-0816", "ELSA-2020-1339", "ELSA-2020-1406", "ELSA-2020-1429", "ELSA-2020-2036", "ELSA-2020-2378"]}, {"type": "redhat", "idList": ["RHSA-2017:0558"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5428"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:0765-1"]}, {"type": "ubuntu", "idList": ["USN-3238-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-5428"]}, {"type": "zdi", "idList": ["ZDI-17-234"]}], "rev": 4}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201703-15"]}, {"type": "centos", "idList": ["CESA-2017:0558"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0467"]}, {"type": "cve", "idList": ["CVE-2017-5428"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-5428"]}, {"type": "fedora", "idList": ["FEDORA:600E16075DAE", "FEDORA:974106070D38"]}, {"type": "freebsd", "idList": ["5F453B69-ABAB-4E76-B6E5-2ED0BAFCAEE3"]}, {"type": "kaspersky", "idList": ["KLA10971"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/SUSE-CVE-2017-5429/", "MSF:ILITIES/SUSE-CVE-2017-5433/", "MSF:ILITIES/SUSE-CVE-2017-5435/", "MSF:ILITIES/SUSE-CVE-2017-5438/", "MSF:ILITIES/SUSE-CVE-2017-5439/", "MSF:ILITIES/SUSE-CVE-2017-5440/", "MSF:ILITIES/SUSE-CVE-2017-5442/", "MSF:ILITIES/SUSE-CVE-2017-5445/", "MSF:ILITIES/SUSE-CVE-2017-5447/", "MSF:ILITIES/SUSE-CVE-2017-5464/", "MSF:ILITIES/SUSE-CVE-2017-5469/", "MSF:ILITIES/UBUNTU-CVE-2017-5429/", "MSF:ILITIES/UBUNTU-CVE-2017-5434/", "MSF:ILITIES/UBUNTU-CVE-2017-5440/", "MSF:ILITIES/UBUNTU-CVE-2017-5445/"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2017-0558.NASL", "EULEROS_SA-2017-1047.NASL", "EULEROS_SA-2017-1048.NASL", "FEDORA_2017-9E1CCFE586.NASL", "FEDORA_2017-CD33654294.NASL", "FREEBSD_PKG_5F453B69ABAB4E76B6E52ED0BAFCAEE3.NASL", "MOZILLA_FIREFOX_52_0_1.NASL", "MOZILLA_FIREFOX_52_0_1ESR.NASL", "OPENSUSE-2017-368.NASL", "ORACLELINUX_ELSA-2017-0558.NASL", "REDHAT-RHSA-2017-0558.NASL", "SL_20170317_FIREFOX_ON_SL7_X.NASL", "UBUNTU_USN-3238-1.NASL", "VIRTUOZZO_VZLSA-2017-0558.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810819", "OPENVAS:1361412562310810820", "OPENVAS:1361412562310810822", "OPENVAS:1361412562310843100", "OPENVAS:1361412562310851526", "OPENVAS:1361412562310871774", "OPENVAS:1361412562310872521", "OPENVAS:1361412562310872528", "OPENVAS:1361412562310882683"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-0558", "ELSA-2017-1104"]}, {"type": "redhat", "idList": ["RHSA-2017:0558"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5428"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:0765-1"]}, {"type": "ubuntu", "idList": ["USN-3238-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-5428"]}, {"type": "zdi", "idList": ["ZDI-17-234"]}]}, "exploitation": null, "vulnersScore": 0.3}, "pluginID": "1361412562310810821", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-Windows\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810821\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 13:41:45 +0530 (Mon, 20 Mar 2017)\");\n script_name(\"Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n ESR and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an integer overflow\n in createImageBitmap().\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to cause buffer overflow.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version before 52.0.1\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 52.0.1\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_firefox_detect_portable_win.nasl\");\n script_mandatory_keys(\"Firefox-ESR/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"52.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"52.0.1\");\n security_message(data:report);\n exit(0);\n}\n", "naslFamily": "Buffer overflow", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850}}

{"nessus": [{"lastseen": "2022-06-16T16:17:35", "description": "An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-20T00:00:00", "type": "nessus", "title": "RHEL 7 : firefox (RHSA-2017:0558)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2020-05-29T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:firefox", "p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2017-0558.NASL", "href": "https://www.tenable.com/plugins/nessus/97822", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0558. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97822);\n script_version(\"3.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"RHSA\", value:\"2017:0558\");\n\n script_name(english:\"RHEL 7 : firefox (RHSA-2017:0558)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this\nissue. Upstream acknowledges Chaitin Security Research Lab via Trend\nMicro's Zero Day Initiative as the original reporters.\"\n );\n # https://www.mozilla.org/en-US/security/advisories/mfsa2017-08\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0558\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-5428\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox and / or firefox-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0558\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"firefox-52.0-5.el7_3\", allowmaj:TRUE)) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"firefox-debuginfo-52.0-5.el7_3\", allowmaj:TRUE)) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox / firefox-debuginfo\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:34", "description": "The Mozilla Foundation reports :\n\nAn integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-20T00:00:00", "type": "nessus", "title": "FreeBSD : firefox -- integer overflow in createImageBitmap() (5f453b69-abab-4e76-b6e5-2ed0bafcaee3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:firefox", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_5F453B69ABAB4E76B6E52ED0BAFCAEE3.NASL", "href": "https://www.tenable.com/plugins/nessus/97809", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97809);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-5428\");\n\n script_name(english:\"FreeBSD : firefox -- integer overflow in createImageBitmap() (5f453b69-abab-4e76-b6e5-2ed0bafcaee3)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Mozilla Foundation reports :\n\nAn integer overflow in createImageBitmap() was reported through the\nPwn2Own contest. The fix for this vulnerability disables the\nexperimental extensions to the createImageBitmap API. This function\nruns in the content sandbox, requiring a second vulnerability to\ncompromise a user's computer.\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2017-08/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\"\n );\n # https://vuxml.freebsd.org/freebsd/5f453b69-abab-4e76-b6e5-2ed0bafcaee3.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?37ab2057\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"firefox<52.0.1,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:09", "description": "From Red Hat Security Advisory 2017:0558 :\n\nAn update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-20T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : firefox (ELSA-2017-0558)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:firefox", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2017-0558.NASL", "href": "https://www.tenable.com/plugins/nessus/97820", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:0558 and \n# Oracle Linux Security Advisory ELSA-2017-0558 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97820);\n script_version(\"3.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"RHSA\", value:\"2017:0558\");\n\n script_name(english:\"Oracle Linux 7 : firefox (ELSA-2017-0558)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2017:0558 :\n\nAn update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this\nissue. Upstream acknowledges Chaitin Security Research Lab via Trend\nMicro's Zero Day Initiative as the original reporters.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-March/006787.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"firefox-52.0-5.0.1.el7_3\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:16:21", "description": "An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-21T00:00:00", "type": "nessus", "title": "CentOS 7 : firefox (CESA-2017:0558)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:firefox", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2017-0558.NASL", "href": "https://www.tenable.com/plugins/nessus/97836", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0558 and \n# CentOS Errata and Security Advisory 2017:0558 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97836);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"RHSA\", value:\"2017:0558\");\n\n script_name(english:\"CentOS 7 : firefox (CESA-2017:0558)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this\nissue. Upstream acknowledges Chaitin Security Research Lab via Trend\nMicro's Zero Day Initiative as the original reporters.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-March/022344.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d473d92d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5428\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"firefox-52.0-5.el7.centos\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:18:00", "description": "An integer overflow was discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to cause a denial of service via application crash or execute arbitrary code. (CVE-2017-5428).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-21T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerability (USN-3238-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-09-18T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:firefox", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:16.10"], "id": "UBUNTU_USN-3238-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97855", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3238-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97855);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"USN\", value:\"3238-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerability (USN-3238-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An integer overflow was discovered in Firefox. If a user were tricked\nin to opening a specially crafted website, an attacker could exploit\nthis to cause a denial of service via application crash or execute\narbitrary code. (CVE-2017-5428).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3238-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"firefox\", pkgver:\"52.0.1+build2-0ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"firefox\", pkgver:\"52.0.1+build2-0ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"firefox\", pkgver:\"52.0.1+build2-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"firefox\", pkgver:\"52.0.1+build2-0ubuntu0.16.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:06", "description": "Mozilla Firefox was updated to 52.0.1 to fix one security issue :\n\n - CVE-2017-5428: integer overflow in createImageBitmap() (boo#1029822, MFSA 2017-08)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-21T00:00:00", "type": "nessus", "title": "openSUSE Security Update : Mozilla Firefox (openSUSE-2017-368)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:MozillaFirefox", "p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream", "p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols", "p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo", "p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource", "p-cpe:/a:novell:opensuse:MozillaFirefox-devel", "p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common", "p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other", "cpe:/o:novell:opensuse:42.1", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-368.NASL", "href": "https://www.tenable.com/plugins/nessus/97843", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-368.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97843);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-5428\");\n\n script_name(english:\"openSUSE Security Update : Mozilla Firefox (openSUSE-2017-368)\");\n script_summary(english:\"Check for the openSUSE-2017-368 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mozilla Firefox was updated to 52.0.1 to fix one security issue :\n\n - CVE-2017-5428: integer overflow in createImageBitmap()\n (boo#1029822, MFSA 2017-08)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1029822\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Mozilla Firefox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-branding-upstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-buildsymbols\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaFirefox-translations-other\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-branding-upstream-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-buildsymbols-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-debuginfo-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-debugsource-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-devel-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-translations-common-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"MozillaFirefox-translations-other-52.0.1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-branding-upstream-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-buildsymbols-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-debuginfo-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-debugsource-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-devel-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-translations-common-52.0.1-57.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"MozillaFirefox-translations-other-52.0.1-57.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MozillaFirefox / MozillaFirefox-branding-upstream / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:05", "description": "Security Fix(es) :\n\n - A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : firefox on SL7.x x86_64 (20170317)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:firefox", "p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20170317_FIREFOX_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/97845", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97845);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2017-5428\");\n\n script_name(english:\"Scientific Linux Security Update : firefox on SL7.x x86_64 (20170317)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - A flaw was found in the processing of malformed web\n content. A web page containing malicious content could\n cause Firefox to crash or, potentially, execute\n arbitrary code with the privileges of the user running\n Firefox. (CVE-2017-5428)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1703&L=scientific-linux-errata&F=&S=&P=8844\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1c5385fd\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox and / or firefox-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-52.0-5.el7_3\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-debuginfo-52.0-5.el7_3\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox / firefox-debuginfo\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:59", "description": "- Added fix for CVE-2017-5428\n\n - Added fix for mozbz#1158076\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-27T00:00:00", "type": "nessus", "title": "Fedora 25 : firefox (2017-cd33654294)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:firefox", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-CD33654294.NASL", "href": "https://www.tenable.com/plugins/nessus/97971", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-cd33654294.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97971);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"FEDORA\", value:\"2017-cd33654294\");\n\n script_name(english:\"Fedora 25 : firefox (2017-cd33654294)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Added fix for CVE-2017-5428\n\n - Added fix for mozbz#1158076\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-cd33654294\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"firefox-52.0-6.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:00", "description": "- Added fix for CVE-2017-5428\n\n - Added fix for mozbz#1158076\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "type": "nessus", "title": "Fedora 24 : firefox (2017-9e1ccfe586)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:firefox", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-9E1CCFE586.NASL", "href": "https://www.tenable.com/plugins/nessus/99056", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-9e1ccfe586.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99056);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_xref(name:\"FEDORA\", value:\"2017-9e1ccfe586\");\n\n script_name(english:\"Fedora 24 : firefox (2017-9e1ccfe586)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Added fix for CVE-2017-5428\n\n - Added fix for mozbz#1158076\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9e1ccfe586\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"firefox-52.0-6.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:33", "description": "The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 52.0.1. It is, therefore, affected by an integer overflow condition in the nsGlobalWindow::CreateImageBitmap() function within file dom/base/nsGlobalWindow.cpp due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to corrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "type": "nessus", "title": "Mozilla Firefox < 52.0.1 CreateImageBitmap RCE (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MACOSX_FIREFOX_52_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/99123", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99123);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_xref(name:\"MFSA\", value:\"2017-08\");\n\n script_name(english:\"Mozilla Firefox < 52.0.1 CreateImageBitmap RCE (macOS)\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote macOS or Mac OS X host contains a web browser that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Mozilla Firefox installed on the remote macOS or Mac\nOS X host is prior to 52.0.1. It is, therefore, affected by an integer\noverflow condition in the nsGlobalWindow::CreateImageBitmap() function\nwithin file dom/base/nsGlobalWindow.cpp due to improper validation of\ncertain input. An unauthenticated, remote attacker can exploit this to\ncorrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a\nsecond vulnerability to compromise a user's computer.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 52.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_firefox_installed.nasl\");\n script_require_keys(\"MacOSX/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nkb_base = \"MacOSX/Firefox\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\n\nis_esr = get_kb_item(kb_base+\"/is_esr\");\nif (!isnull(is_esr)) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');\n\nmozilla_check_version(version:version, path:path, product:'firefox', fix:'52.0.1', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:18:00", "description": "The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 52.0.1. It is, therefore, affected by an integer overflow condition in the nsGlobalWindow::CreateImageBitmap() function within file dom/base/nsGlobalWindow.cpp due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to corrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "type": "nessus", "title": "Mozilla Firefox ESR < 52.0.1 CreateImageBitmap RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:mozilla:firefox_esr"], "id": "MOZILLA_FIREFOX_52_0_1ESR.NASL", "href": "https://www.tenable.com/plugins/nessus/99126", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99126);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_xref(name:\"MFSA\", value:\"2017-08\");\n\n script_name(english:\"Mozilla Firefox ESR < 52.0.1 CreateImageBitmap RCE\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Mozilla Firefox ESR installed on the remote Windows\nhost is prior to 52.0.1. It is, therefore, affected by an integer\noverflow condition in the nsGlobalWindow::CreateImageBitmap() function\nwithin file dom/base/nsGlobalWindow.cpp due to improper validation of\ncertain input. An unauthenticated, remote attacker can exploit this to\ncorrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a\nsecond vulnerability to compromise a user's computer.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox ESR version 52.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox_esr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', esr:TRUE, fix:'52.0.1', min:'52', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:17:37", "description": "The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0.1. It is, therefore, affected by an integer overflow condition in the nsGlobalWindow::CreateImageBitmap() function within file dom/base/nsGlobalWindow.cpp due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to corrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "type": "nessus", "title": "Mozilla Firefox < 52.0.1 CreateImageBitmap RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MOZILLA_FIREFOX_52_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/99125", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99125);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_xref(name:\"MFSA\", value:\"2017-08\");\n\n script_name(english:\"Mozilla Firefox < 52.0.1 CreateImageBitmap RCE\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Mozilla Firefox installed on the remote Windows host is\nprior to 52.0.1. It is, therefore, affected by an integer overflow\ncondition in the nsGlobalWindow::CreateImageBitmap() function within\nfile dom/base/nsGlobalWindow.cpp due to improper validation of certain\ninput. An unauthenticated, remote attacker can exploit this to corrupt\nmemory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a\nsecond vulnerability to compromise a user's computer.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 52.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', fix:'52.0.1', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:18:18", "description": "The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is prior to 52.0.1. It is, therefore, affected by an integer overflow condition in the nsGlobalWindow::CreateImageBitmap() function within file dom/base/nsGlobalWindow.cpp due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to corrupt memory, possibly resulting in the execution of arbitrary code.\n\nNote that this function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-31T00:00:00", "type": "nessus", "title": "Mozilla Firefox ESR < 52.0.1 CreateImageBitmap RCE (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:mozilla:firefox_esr"], "id": "MACOSX_FIREFOX_52_0_1_ESR.NASL", "href": "https://www.tenable.com/plugins/nessus/99124", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99124);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_xref(name:\"MFSA\", value:\"2017-08\");\n\n script_name(english:\"Mozilla Firefox ESR < 52.0.1 CreateImageBitmap RCE (macOS)\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote macOS or Mac OS X host contains a web browser that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Mozilla Firefox ESR installed on the remote macOS or\nMac OS X host is prior to 52.0.1. It is, therefore, affected by an\ninteger overflow condition in the nsGlobalWindow::CreateImageBitmap()\nfunction within file dom/base/nsGlobalWindow.cpp due to improper\nvalidation of certain input. An unauthenticated, remote attacker can\nexploit this to corrupt memory, possibly resulting in the execution of\narbitrary code.\n\nNote that this function runs in the content sandbox, requiring a\nsecond vulnerability to compromise a user's computer.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox ESR version 52.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5428\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox_esr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_firefox_installed.nasl\");\n script_require_keys(\"MacOSX/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nkb_base = \"MacOSX/Firefox\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\n\nis_esr = get_kb_item(kb_base+\"/is_esr\");\nif (isnull(is_esr)) audit(AUDIT_NOT_INST, \"Mozilla Firefox ESR\");\n\nmozilla_check_version(version:version, path:path, product:'firefox', esr:TRUE, fix:'52.0.1', min:'52', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:27:46", "description": "An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.\n\nNote that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-13T00:00:00", "type": "nessus", "title": "Virtuozzo 7 : firefox (VZLSA-2017-0558)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:firefox", "cpe:/o:virtuozzo:virtuozzo:7"], "id": "VIRTUOZZO_VZLSA-2017-0558.NASL", "href": "https://www.tenable.com/plugins/nessus/101439", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101439);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-5428\"\n );\n\n script_name(english:\"Virtuozzo 7 : firefox (VZLSA-2017-0558)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es) :\n\n* A flaw was found in the processing of malformed web content. A web\npage containing malicious content could cause Firefox to crash or,\npotentially, execute arbitrary code with the privileges of the user\nrunning Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this\nissue. Upstream acknowledges Chaitin Security Research Lab via Trend\nMicro's Zero Day Initiative as the original reporters.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0558.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de10e00c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0558\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-52.0-5.vl7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:37:36", "description": "Versions of Mozilla Firefox prior to 52.01 are unpatched for an integer overflow condition in the 'nsGlobalWindow::CreateImageBitmap()' function in 'dom/base/nsGlobalWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and execute arbitrary code.", "cvss3": {"score": 5.6, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2017-03-20T00:00:00", "type": "nessus", "title": "Mozilla Firefox < 52.01 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*"], "id": "700012.PRM", "href": "https://www.tenable.com/plugins/nnm/700012", "sourceData": "Binary data 700012.prm", "cvss": {"score": 6.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:37:36", "description": "Versions of Mozilla Firefox ESR earlier than 45.8.0 are unpatched for an integer overflow condition in the 'nsGlobalWindow::CreateImageBitmap()' function in 'dom/base/nsGlobalWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and execute arbitrary code.", "cvss3": {"score": 5.6, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2017-03-20T00:00:00", "type": "nessus", "title": "Mozilla Firefox ESR < 45.8.0 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-11-06T00:00:00", "cpe": ["cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"], "id": "700013.PRM", "href": "https://www.tenable.com/plugins/nnm/700013", "sourceData": "Binary data 700013.prm", "cvss": {"score": 6.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:37:10", "description": "According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405,CVE-2017-5428)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP1 : firefox (EulerOS-SA-2017-1048)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5398", "CVE-2017-5400", "CVE-2017-5401", "CVE-2017-5402", "CVE-2017-5404", "CVE-2017-5405", "CVE-2017-5407", "CVE-2017-5408", "CVE-2017-5410", "CVE-2017-5428"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:firefox", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1048.NASL", "href": "https://www.tenable.com/plugins/nessus/99893", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99893);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-5398\",\n \"CVE-2017-5400\",\n \"CVE-2017-5401\",\n \"CVE-2017-5402\",\n \"CVE-2017-5404\",\n \"CVE-2017-5405\",\n \"CVE-2017-5407\",\n \"CVE-2017-5408\",\n \"CVE-2017-5410\",\n \"CVE-2017-5428\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : firefox (EulerOS-SA-2017-1048)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple flaws were found in the processing of\n malformed web content. A web page containing malicious\n content could cause Firefox to crash or, potentially,\n execute arbitrary code with the privileges of the user\n running Firefox. (CVE-2017-5398, CVE-2017-5400,\n CVE-2017-5401, CVE-2017-5402, CVE-2017-5404,\n CVE-2017-5407, CVE-2017-5408, CVE-2017-5410,\n CVE-2017-5405,CVE-2017-5428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1048\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d6a52dec\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-52.0-5.0.1.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg, allowmaj:TRUE)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:36:56", "description": "According to the versions of the firefox package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405,CVE-2017-5428)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : firefox (EulerOS-SA-2017-1047)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5398", "CVE-2017-5400", "CVE-2017-5401", "CVE-2017-5402", "CVE-2017-5404", "CVE-2017-5405", "CVE-2017-5407", "CVE-2017-5408", "CVE-2017-5410", "CVE-2017-5428"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:firefox", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1047.NASL", "href": "https://www.tenable.com/plugins/nessus/99892", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99892);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2017-5398\",\n \"CVE-2017-5400\",\n \"CVE-2017-5401\",\n \"CVE-2017-5402\",\n \"CVE-2017-5404\",\n \"CVE-2017-5405\",\n \"CVE-2017-5407\",\n \"CVE-2017-5408\",\n \"CVE-2017-5410\",\n \"CVE-2017-5428\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : firefox (EulerOS-SA-2017-1047)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple flaws were found in the processing of\n malformed web content. A web page containing malicious\n content could cause Firefox to crash or, potentially,\n execute arbitrary code with the privileges of the user\n running Firefox. (CVE-2017-5398, CVE-2017-5400,\n CVE-2017-5401, CVE-2017-5402, CVE-2017-5404,\n CVE-2017-5407, CVE-2017-5408, CVE-2017-5410,\n CVE-2017-5405,CVE-2017-5428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1047\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad017917\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:X\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-52.0-5.0.1.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg, allowmaj:TRUE)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T21:57:38", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has firefox packages installed that are affected by multiple vulnerabilities:\n\n - A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5459)\n\n - An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5447)\n\n - An out-of-bounds read when an HTTP/2 connection to a servers sends DATA frames with incorrect data content.\n This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5446)\n\n - An out-of-bounds write in ClearKeyDecryptor while decrypting some Clearkey-encrypted media content. The ClearKeyDecryptor code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5448)\n\n - A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5449)\n\n - A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5442)\n\n - An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5443)\n\n - A buffer overflow vulnerability while parsing application/http-index-format format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5444)\n\n - A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5441)\n\n - A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5432)\n\n - A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5460)\n\n - During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5464)\n\n - Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5469)\n\n - An out-of-bounds read while processing SVG content in ConvolvePixel. This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5465)\n\n - A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5433)\n\n - A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5434)\n\n - A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5438)\n\n - A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5439)\n\n - A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5435)\n\n - An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7758)\n\n - A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.\n (CVE-2017-7757)\n\n - A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory.\n These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7778)\n\n - An out of bounds read vulnerability was found in libevent in the search_make_new function. If an attacker could cause an application using libevent to attempt resolving an empty hostname, an out of bounds read could occur possibly leading to a crash. (CVE-2016-10197)\n\n - A vulnerability was found in libevent with the parsing of DNS requests and replies. An attacker could send a forged DNS response to an application using libevent which could lead to reading data out of bounds on the heap, potentially disclosing a small amount of application memory. (CVE-2016-10195)\n\n - A vulnerability was found in libevent with the parsing of IPv6 addresses. If an attacker could cause an application using libevent to parse a malformed address in IPv6 notation of more than 2GiB in length, a stack overflow would occur leading to a crash.\n (CVE-2016-10196)\n\n - An assertion error has been reported in graphite2. An attacker could possibly exploit this flaw to cause an application crash. (CVE-2017-7775)\n\n - A use-after-free vulnerability during video control operations when a element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7750)\n\n - A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR).\n This could result in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7756)\n\n - A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7749)\n\n - A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7752)\n\n - A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7751)\n\n - A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5472)\n\n - An out-of-bounds read in WebGL with a maliciously crafted ImageInfo object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7754)\n\n - Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5470)\n\n - An out of bounds read flaw related to graphite2::Silf::readGraphite has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7774)\n\n - A heap-based buffer overflow flaw related to lz4::decompress (src/Decompressor) has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code.\n (CVE-2017-7773)\n\n - A heap-based buffer overflow flaw related to lz4::decompress has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code. (CVE-2017-7772)\n\n - An out of bounds read flaw related to graphite2::Pass::readPass has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7771)\n\n - The use of uninitialized memory related to graphite2::GlyphCache::Loader::read_glyph has been reported in graphite2. An attacker could possibly exploit this flaw to negatively impact the execution of an application using graphite2 in unknown ways.\n (CVE-2017-7777)\n\n - An out of bounds read flaw related to graphite2::Silf::getClassGlyph has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7776)\n\n - Characters from the Canadian Syllabics unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw punycode form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from Aspirational Use Scripts such as Canadian Syllabics to be mixed with Latin characters in the moderately restrictive IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as Limited Use Scripts.. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7764)\n\n - Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5429)\n\n - A vulnerability while parsing application/http-index- format format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5445)\n\n - A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating context, leading to objects being used when they no longer exist. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5440)\n\n - An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5436)\n\n - A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0103)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-10195", "CVE-2016-10196", "CVE-2016-10197", "CVE-2016-6354", "CVE-2017-5428", "CVE-2017-5429", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5448", "CVE-2017-5449", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5469", "CVE-2017-5470", "CVE-2017-5472", "CVE-2017-7749", "CVE-2017-7750", "CVE-2017-7751", "CVE-2017-7752", "CVE-2017-7754", "CVE-2017-7756", "CVE-2017-7757", "CVE-2017-7758", "CVE-2017-7764", "CVE-2017-7771", "CVE-2017-7772", "CVE-2017-7773", "CVE-2017-7774", "CVE-2017-7775", "CVE-2017-7776", "CVE-2017-7777", "CVE-2017-7778"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0103_FIREFOX.NASL", "href": "https://www.tenable.com/plugins/nessus/127332", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0103. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127332);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\n \"CVE-2016-10195\",\n \"CVE-2016-10196\",\n \"CVE-2016-10197\",\n \"CVE-2017-5428\",\n \"CVE-2017-5429\",\n \"CVE-2017-5432\",\n \"CVE-2017-5433\",\n \"CVE-2017-5434\",\n \"CVE-2017-5435\",\n \"CVE-2017-5436\",\n \"CVE-2017-5438\",\n \"CVE-2017-5439\",\n \"CVE-2017-5440\",\n \"CVE-2017-5441\",\n \"CVE-2017-5442\",\n \"CVE-2017-5443\",\n \"CVE-2017-5444\",\n \"CVE-2017-5445\",\n \"CVE-2017-5446\",\n \"CVE-2017-5447\",\n \"CVE-2017-5448\",\n \"CVE-2017-5449\",\n \"CVE-2017-5459\",\n \"CVE-2017-5460\",\n \"CVE-2017-5464\",\n \"CVE-2017-5465\",\n \"CVE-2017-5469\",\n \"CVE-2017-5470\",\n \"CVE-2017-5472\",\n \"CVE-2017-7749\",\n \"CVE-2017-7750\",\n \"CVE-2017-7751\",\n \"CVE-2017-7752\",\n \"CVE-2017-7754\",\n \"CVE-2017-7756\",\n \"CVE-2017-7757\",\n \"CVE-2017-7758\",\n \"CVE-2017-7764\",\n \"CVE-2017-7771\",\n \"CVE-2017-7772\",\n \"CVE-2017-7773\",\n \"CVE-2017-7774\",\n \"CVE-2017-7775\",\n \"CVE-2017-7776\",\n \"CVE-2017-7777\",\n \"CVE-2017-7778\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : firefox Multiple Vulnerabilities (NS-SA-2019-0103)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has firefox packages installed that are affected by multiple\nvulnerabilities:\n\n - A buffer overflow in WebGL triggerable by web content,\n resulting in a potentially exploitable crash. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5459)\n\n - An out-of-bounds read during the processing of glyph\n widths during text layout. This results in a potentially\n exploitable crash and could allow an attacker to read\n otherwise inaccessible memory. This vulnerability\n affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox\n ESR < 52.1, and Firefox < 53. (CVE-2017-5447)\n\n - An out-of-bounds read when an HTTP/2 connection to a\n servers sends DATA frames with incorrect data content.\n This leads to a potentially exploitable crash. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5446)\n\n - An out-of-bounds write in ClearKeyDecryptor while\n decrypting some Clearkey-encrypted media content. The\n ClearKeyDecryptor code runs within the Gecko Media\n Plugin (GMP) sandbox. If a second mechanism is found to\n escape the sandbox, this vulnerability allows for the\n writing of arbitrary data within memory, resulting in a\n potentially exploitable crash. This vulnerability\n affects Firefox ESR < 45.9, Firefox ESR < 52.1, and\n Firefox < 53. (CVE-2017-5448)\n\n - A possibly exploitable crash triggered during layout and\n manipulation of bidirectional unicode text in concert\n with CSS animations. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox <\n 53. (CVE-2017-5449)\n\n - A use-after-free vulnerability during changes in style\n when manipulating DOM elements. This results in a\n potentially exploitable crash. This vulnerability\n affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox\n ESR < 52.1, and Firefox < 53. (CVE-2017-5442)\n\n - An out-of-bounds write vulnerability while decoding\n improperly formed BinHex format archives. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5443)\n\n - A buffer overflow vulnerability while parsing\n application/http-index-format format content when the\n header contains improperly formatted data. This allows\n for an out-of-bounds read of data from memory. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5444)\n\n - A use-after-free vulnerability when holding a selection\n during scroll events. This results in a potentially\n exploitable crash. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <\n 52.1, and Firefox < 53. (CVE-2017-5441)\n\n - A use-after-free vulnerability occurs during certain\n text input selection resulting in a potentially\n exploitable crash. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <\n 52.1, and Firefox < 53. (CVE-2017-5432)\n\n - A use-after-free vulnerability in frame selection\n triggered by a combination of malicious script content\n and key presses by a user. This results in a potentially\n exploitable crash. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <\n 52.1, and Firefox < 53. (CVE-2017-5460)\n\n - During DOM manipulations of the accessibility tree\n through script, the DOM tree can become out of sync with\n the accessibility tree, leading to memory corruption and\n a potentially exploitable crash. This vulnerability\n affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox\n ESR < 52.1, and Firefox < 53. (CVE-2017-5464)\n\n - Fixed potential buffer overflows in generated Firefox\n code due to CVE-2016-6354 issue in Flex. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5469)\n\n - An out-of-bounds read while processing SVG content in\n ConvolvePixel. This results in a crash and also allows\n for otherwise inaccessible memory being copied into SVG\n graphic content, which could then displayed. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5465)\n\n - A use-after-free vulnerability in SMIL animation\n functions occurs when pointers to animation elements in\n an array are dropped from the animation controller while\n still in use. This results in a potentially exploitable\n crash. This vulnerability affects Thunderbird < 52.1,\n Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <\n 53. (CVE-2017-5433)\n\n - A use-after-free vulnerability occurs when redirecting\n focus handling which results in a potentially\n exploitable crash. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <\n 52.1, and Firefox < 53. (CVE-2017-5434)\n\n - A use-after-free vulnerability during XSLT processing\n due to the result handler being held by a freed handler\n during handling. This results in a potentially\n exploitable crash. This vulnerability affects\n Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <\n 52.1, and Firefox < 53. (CVE-2017-5438)\n\n - A use-after-free vulnerability during XSLT processing\n due to poor handling of template parameters. This\n results in a potentially exploitable crash. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5439)\n\n - A use-after-free vulnerability occurs during transaction\n processing in the editor during design mode\n interactions. This results in a potentially exploitable\n crash. This vulnerability affects Thunderbird < 52.1,\n Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <\n 53. (CVE-2017-5435)\n\n - An out-of-bounds read vulnerability with the Opus\n encoder when the number of channels in an audio stream\n changes while the encoder is in use. This vulnerability\n affects Firefox < 54, Firefox ESR < 52.2, and\n Thunderbird < 52.2. (CVE-2017-7758)\n\n - A use-after-free vulnerability in IndexedDB when one of\n its objects is destroyed in memory while a method on it\n is still being executed. This results in a potentially\n exploitable crash. This vulnerability affects Firefox <\n 54, Firefox ESR < 52.2, and Thunderbird < 52.2.\n (CVE-2017-7757)\n\n - A number of security vulnerabilities in the Graphite 2\n library including out-of-bounds reads, buffer overflow\n reads and writes, and the use of uninitialized memory.\n These issues were addressed in Graphite 2 version\n 1.3.10. This vulnerability affects Firefox < 54, Firefox\n ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7778)\n\n - An out of bounds read vulnerability was found in\n libevent in the search_make_new function. If an attacker\n could cause an application using libevent to attempt\n resolving an empty hostname, an out of bounds read could\n occur possibly leading to a crash. (CVE-2016-10197)\n\n - A vulnerability was found in libevent with the parsing\n of DNS requests and replies. An attacker could send a\n forged DNS response to an application using libevent\n which could lead to reading data out of bounds on the\n heap, potentially disclosing a small amount of\n application memory. (CVE-2016-10195)\n\n - A vulnerability was found in libevent with the parsing\n of IPv6 addresses. If an attacker could cause an\n application using libevent to parse a malformed address\n in IPv6 notation of more than 2GiB in length, a stack\n overflow would occur leading to a crash.\n (CVE-2016-10196)\n\n - An assertion error has been reported in graphite2. An\n attacker could possibly exploit this flaw to cause an\n application crash. (CVE-2017-7775)\n\n - A use-after-free vulnerability during video control\n operations when a element holds a reference to\n an older window if that window has been replaced in the\n DOM. This results in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR <\n 52.2, and Thunderbird < 52.2. (CVE-2017-7750)\n\n - A use-after-free and use-after-scope vulnerability when\n logging errors from headers for XML HTTP Requests (XHR).\n This could result in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR <\n 52.2, and Thunderbird < 52.2. (CVE-2017-7756)\n\n - A use-after-free vulnerability when using an incorrect\n URL during the reloading of a docshell. This results in\n a potentially exploitable crash. This vulnerability\n affects Firefox < 54, Firefox ESR < 52.2, and\n Thunderbird < 52.2. (CVE-2017-7749)\n\n - A use-after-free vulnerability during specific user\n interactions with the input method editor (IME) in some\n languages due to how events are handled. This results in\n a potentially exploitable crash but would require\n specific user interaction to trigger. This vulnerability\n affects Firefox < 54, Firefox ESR < 52.2, and\n Thunderbird < 52.2. (CVE-2017-7752)\n\n - A use-after-free vulnerability with content viewer\n listeners that results in a potentially exploitable\n crash. This vulnerability affects Firefox < 54, Firefox\n ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7751)\n\n - A use-after-free vulnerability with the frameloader\n during tree reconstruction while regenerating CSS layout\n when attempting to use a node in the tree that no longer\n exists. This results in a potentially exploitable crash.\n This vulnerability affects Firefox < 54, Firefox ESR <\n 52.2, and Thunderbird < 52.2. (CVE-2017-5472)\n\n - An out-of-bounds read in WebGL with a maliciously\n crafted ImageInfo object during WebGL operations. This\n vulnerability affects Firefox < 54, Firefox ESR < 52.2,\n and Thunderbird < 52.2. (CVE-2017-7754)\n\n - Memory safety bugs were reported in Firefox 53 and\n Firefox ESR 52.1. Some of these bugs showed evidence of\n memory corruption and we presume that with enough effort\n that some of these could be exploited to run arbitrary\n code. This vulnerability affects Firefox < 54, Firefox\n ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5470)\n\n - An out of bounds read flaw related to\n graphite2::Silf::readGraphite has been reported in\n graphite2. An attacker could possibly exploit this flaw\n to disclose potentially sensitive memory or cause an\n application crash. (CVE-2017-7774)\n\n - A heap-based buffer overflow flaw related to\n lz4::decompress (src/Decompressor) has been reported\n in graphite2. An attacker could exploit this issue to\n cause a crash or, possibly, execute arbitrary code.\n (CVE-2017-7773)\n\n - A heap-based buffer overflow flaw related to\n lz4::decompress has been reported in graphite2. An\n attacker could exploit this issue to cause a crash or,\n possibly, execute arbitrary code. (CVE-2017-7772)\n\n - An out of bounds read flaw related to\n graphite2::Pass::readPass has been reported in\n graphite2. An attacker could possibly exploit this flaw\n to disclose potentially sensitive memory or cause an\n application crash. (CVE-2017-7771)\n\n - The use of uninitialized memory related to\n graphite2::GlyphCache::Loader::read_glyph has been\n reported in graphite2. An attacker could possibly\n exploit this flaw to negatively impact the execution of\n an application using graphite2 in unknown ways.\n (CVE-2017-7777)\n\n - An out of bounds read flaw related to\n graphite2::Silf::getClassGlyph has been reported in\n graphite2. An attacker could possibly exploit this flaw\n to disclose potentially sensitive memory or cause an\n application crash. (CVE-2017-7776)\n\n - Characters from the Canadian Syllabics unicode block\n can be mixed with characters from other unicode blocks\n in the addressbar instead of being rendered as their raw\n punycode form, allowing for domain name spoofing\n attacks through character confusion. The current Unicode\n standard allows characters from Aspirational Use\n Scripts such as Canadian Syllabics to be mixed with\n Latin characters in the moderately restrictive IDN\n profile. We have changed Firefox behavior to match the\n upcoming Unicode version 10.0 which removes this\n category and treats them as Limited Use Scripts.. This\n vulnerability affects Firefox < 54, Firefox ESR < 52.2,\n and Thunderbird < 52.2. (CVE-2017-7764)\n\n - Memory safety bugs were reported in Firefox 52, Firefox\n ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of\n these bugs showed evidence of memory corruption and we\n presume that with enough effort that some of these could\n be exploited to run arbitrary code. This vulnerability\n affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox\n ESR < 52.1, and Firefox < 53. (CVE-2017-5429)\n\n - A vulnerability while parsing application/http-index-\n format format content where uninitialized values are\n used to create an array. This could allow the reading of\n uninitialized memory into the arrays affected. This\n vulnerability affects Thunderbird < 52.1, Firefox ESR <\n 45.9, Firefox ESR < 52.1, and Firefox < 53.\n (CVE-2017-5445)\n\n - A use-after-free vulnerability during XSLT processing\n due to a failure to propagate error conditions during\n matching while evaluating context, leading to objects\n being used when they no longer exist. This results in a\n potentially exploitable crash. This vulnerability\n affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox\n ESR < 52.1, and Firefox < 53. (CVE-2017-5440)\n\n - An out-of-bounds write in the Graphite 2 library\n triggered with a maliciously crafted Graphite font. This\n results in a potentially exploitable crash. This issue\n was fixed in the Graphite 2 library as well as Mozilla\n products. This vulnerability affects Thunderbird < 52.1,\n Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <\n 53. (CVE-2017-5436)\n\n - A flaw was found in the processing of malformed web\n content. A web page containing malicious content could\n cause Firefox to crash or, potentially, execute\n arbitrary code with the privileges of the user running\n Firefox. (CVE-2017-5428)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0103\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL firefox packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7778\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.05\": [\n \"firefox-52.2.0-1.el6.centos\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T17:48:04", "description": "An integer overflow in \"createImageBitmap()\" was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the \"createImageBitmap\" API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer. This vulnerability affects Firefox ESR < 52.0.1 and Firefox < 52.0.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-11T21:29:00", "type": "cve", "title": "CVE-2017-5428", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2018-08-09T15:27:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_eus:7.3", "cpe:/o:redhat:enterprise_linux_server_aus:7.3", "cpe:/o:redhat:enterprise_linux_server_eus:7.4", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.5", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.4"], "id": "CVE-2017-5428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*"]}], "archlinux": [{"lastseen": "2021-07-28T14:34:09", "description": "Arch Linux Security Advisory ASA-201703-15\n==========================================\n\nSeverity: High\nDate : 2017-03-18\nCVE-ID : CVE-2017-5428\nPackage : firefox\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-219\n\nSummary\n=======\n\nThe package firefox before version 52.0.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 52.0.1-1.\n\n# pacman -Syu \"firefox>=52.0.1-1\"\n\nThe problem has been fixed upstream in version 52.0.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn integer overflow in createImageBitmap() was reported through the\nPwn2Own contest. The fix for this vulnerability disables the\nexperimental extensions to the createImageBitmap API. This function\nruns in the content sandbox, requiring a second vulnerability to\ncompromise a user's computer.\n\nImpact\n======\n\nA remote attacker might be able to execute arbitrary code on the\naffected host.\n\nReferences\n==========\n\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2017-08/#CVE-2017-5428\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1348168\nhttps://security.archlinux.org/CVE-2017-5428", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-18T00:00:00", "type": "archlinux", "title": "[ASA-201703-15] firefox: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-18T00:00:00", "id": "ASA-201703-15", "href": "https://security.archlinux.org/ASA-201703-15", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:34:53", "description": "An integer overflow exists in Mozilla Firefox. The vulnerability is due to an overly large value of image offset, length and layout arguments of createImageBitmap method. A remote attacker could exploit this vulnerability by enticing the target user to open a specially crafted web page.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-06-05T00:00:00", "type": "checkpoint_advisories", "title": "Mozilla Firefox createImageBitmap Integer Overflow (CVE-2017-5428)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-06-14T00:00:00", "id": "CPAI-2017-0467", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2022-01-21T00:05:58", "description": "A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T21:17:35", "type": "redhatcve", "title": "CVE-2017-5428", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2022-01-20T21:20:31", "id": "RH:CVE-2017-5428", "href": "https://access.redhat.com/security/cve/cve-2017-5428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:03:48", "description": "An integer overflow in \"createImageBitmap()\" was reported through the\nPwn2Own contest. The fix for this vulnerability disables the experimental\nextensions to the \"createImageBitmap\" API. This function runs in the\ncontent sandbox, requiring a second vulnerability to compromise a user's\ncomputer. This vulnerability affects Firefox ESR < 52.0.1 and Firefox <\n52.0.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-20T00:00:00", "type": "ubuntucve", "title": "CVE-2017-5428", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-20T00:00:00", "id": "UB:CVE-2017-5428", "href": "https://ubuntu.com/security/CVE-2017-5428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2021-08-18T11:18:40", "description": "### *Detect date*:\n03/17/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nInteger overflow vulnerability was found in Mozilla Firefox and Mozilla Firefox ESR. By exploiting this vulnerability malicious users possibly can obtain sensitive information and cause a denial of service. This vulnerability can be exploited remotely via experimental extensions.\n\n### *Affected products*:\nMozilla Firefox versions earlier than 52.0.1 \nMozilla Firefox ESR versions earlier than 52.0.1\n\n### *Solution*:\nUpdate to latest version \n[Mozilla Firefox ESR](<https://www.mozilla.org/en-US/firefox/organizations/all/>) \n[Mozilla Firefox](<https://www.mozilla.org/en-US/firefox/new/>)\n\n### *Original advisories*:\n[MFSA 2017-08](<https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Mozilla Firefox](<https://threats.kaspersky.com/en/product/Mozilla-Firefox/>)\n\n### *CVE-IDS*:\n[CVE-2017-5428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5428>)7.5Critical", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "kaspersky", "title": "KLA10971 Vulnerability in Mozilla Firefox and Mozilla Firefox ESR", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2020-06-03T00:00:00", "id": "KLA10971", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10971/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2022-01-31T21:36:48", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of createImageBitmap. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-30T00:00:00", "type": "zdi", "title": "(Pwn2Own) Mozilla Firefox createImageBitmap Integer Overflow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-30T00:00:00", "id": "ZDI-17-234", "href": "https://www.zerodayinitiative.com/advisories/ZDI-17-234/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mozilla": [{"lastseen": "2021-12-29T14:12:12", "description": "An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "mozilla", "title": "integer overflow in createImageBitmap() \u2014 Mozilla", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-17T00:00:00", "id": "MFSA2017-08", "href": "https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2021-10-21T04:42:12", "description": "Mozilla Firefox is an open source web browser.\n\nSecurity Fix(es):\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T20:55:35", "type": "redhat", "title": "(RHSA-2017:0558) Critical: firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2018-04-11T23:33:32", "id": "RHSA-2017:0558", "href": "https://access.redhat.com/errata/RHSA-2017:0558", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:55", "description": "[52.0-5.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-17T00:00:00", "id": "ELSA-2017-0558", "href": "http://linux.oracle.com/errata/ELSA-2017-0558.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:24:26", "description": "[68.6.1-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[68.6.1-1]\n- Update to 68.6.1 ESR\n* Wed Mar 04 2020 Jan Horak \n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-6819", "CVE-2020-6820"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-1339", "href": "http://linux.oracle.com/errata/ELSA-2020-1339.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:24:45", "description": "[68.7.0-2.0.1.el8_1]\n- Rebuild to pickup Oracle default bookmarks [Orabug: 30069264]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n- Remove upstream references [Orabug: 30530527]\n[68.7.0-2]\n- Update to 68.7.0 build3\n[68.6.1-1]\n- Update to 68.6.1 ESR\n* Wed Mar 04 2020 Jan Horak \n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-09T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-6821", "CVE-2020-6822", "CVE-2020-6825"], "modified": "2020-04-09T00:00:00", "id": "ELSA-2020-1406", "href": "http://linux.oracle.com/errata/ELSA-2020-1406.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T06:24:50", "description": "[68.9.0-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n* Fri May 29 2020 Jan Horak \n- Update to 68.9.0 build1\n- Added patch for pipewire 0.3\n* Mon May 11 2020 Jan Horak \n- Added s390x specific patches\n* Wed Apr 29 2020 Jan Horak \n- Update to 68.8.0 build1\n[68.7.0-3]\n- Added fix for rhbz#1821418\n[68.7.0-2]\n- Update to 68.7.0 build3\n[68.6.1-1]\n- Update to 68.6.1 ESR\n* Wed Mar 04 2020 Jan Horak \n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-12405", "CVE-2020-12406", "CVE-2020-12410"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-2378", "href": "http://linux.oracle.com/errata/ELSA-2020-2378.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:24:37", "description": "[68.5.0-2.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-6796", "CVE-2020-6798", "CVE-2020-6800"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-0521", "href": "http://linux.oracle.com/errata/ELSA-2020-0521.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:25:09", "description": "[68.7.0-2.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[68.7.0-2]\n- Update to 68.7.0 build3\n[68.6.1-1]\n- Update to 68.6.1 ESR\n* Wed Mar 04 2020 Jan Horak \n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-6821", "CVE-2020-6822", "CVE-2020-6825"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-1429", "href": "http://linux.oracle.com/errata/ELSA-2020-1429.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T06:24:23", "description": "[68.8.0-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n* Wed Apr 29 2020 Jan Horak \n- Update to 68.8.0 build1\n[68.7.0-3]\n- Added fix for rhbz#1821418\n[68.7.0-2]\n- Update to 68.7.0 build3\n[68.6.1-1]\n- Update to 68.6.1 ESR\n* Wed Mar 04 2020 Jan Horak \n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2020-12387", "CVE-2020-12392", "CVE-2020-12395", "CVE-2020-6831"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-2036", "href": "http://linux.oracle.com/errata/ELSA-2020-2036.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:24:53", "description": "[68.4.1-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17022", "CVE-2019-17024", "CVE-2019-17026"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-0086", "href": "http://linux.oracle.com/errata/ELSA-2020-0086.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-09-25T02:10:06", "description": "[60.2.0-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {}, "published": "2018-09-24T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-12379", "CVE-2018-12378", "CVE-2017-5428", "CVE-2018-12377", "CVE-2017-16541", "CVE-2018-12376"], "modified": "2018-09-24T00:00:00", "id": "ELSA-2018-2693", "href": "http://linux.oracle.com/errata/ELSA-2018-2693.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-07-28T14:25:11", "description": "[68.3.0-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2019-17005", "CVE-2019-17008", "CVE-2019-17010", "CVE-2019-17011", "CVE-2019-17012"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2019-4108", "href": "http://linux.oracle.com/errata/ELSA-2019-4108.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:25:11", "description": "[68.6.0-1.0.1.el6_10]\n- fix LD_LIBRARY_PATH\n- Update distribution for Oracle Linux [Orabug: 30143292]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[68.6.0-1]\n- Update to 68.6.0 build1\n[68.5.0-3]\n- Added fix for rhbz#1805667\n- Enabled mzbz@1170092 - Firefox prefs at /etc\n* Fri Feb 07 2020 Jan Horak \n- Update to 68.5.0 build2\n* Wed Feb 05 2020 Jan Horak \n- Update to 68.5.0 build1\n* Wed Jan 08 2020 Jan Horak \n- Update to 68.4.1esr build1\n* Fri Jan 03 2020 Jan Horak \n- Update to 68.4.0esr build1\n* Wed Dec 18 2019 Jan Horak \n- Fix for wrong intl.accept_lang when using non en-us langpack\n[68.3.0-1]\n- Update to 68.3.0 ESR\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2019-20503", "CVE-2020-6805", "CVE-2020-6806", "CVE-2020-6807", "CVE-2020-6811", "CVE-2020-6812", "CVE-2020-6814"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2020-0816", "href": "http://linux.oracle.com/errata/ELSA-2020-0816.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:24:55", "description": "[68.2.0-4.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[68.2.0-4]\n- Added patch for TLS 1.3 support.\n[68.2.0-3]\n- Rebuild\n[68.2.0-2]\n- Rebuild\n[68.2.0-1]\n- Update to 68.2.0 ESR\n[68.1.0-6]\n- Enable system nss on RHEL6\n[68.1.0-2]\n- Enable building langpacks\n[68.1.0-1]\n- Update to 68.1.0 ESR\n[68.0.1-4]\n- Enable system nss\n[68.0.1-3]\n- Enable official branding\n[68.0.1-2]\n- Enabled PipeWire on RHEL8\n[68.0.1-1]\n- Updated to 68.0.1 ESR\n[68.0-0.11]\n- Update to 68.0 ESR\n[68.0-0.10]\n- Updated to 68.0 alpha 13\n- Enabled second arches\n[68.0-0.1]\n- Updated to 68.0 alpha\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)\n[60.5.1-1]\n- Update to 60.5.1 ESR\n[60.5.0-3]\n- Added fix for rhbz#1672424 - Firefox crashes on NFS drives.\n[60.5.0-2]\n- Updated to 60.5.0 ESR build2\n[60.5.0-1]\n- Updated to 60.5.0 ESR build1\n[60.4.0-3]\n- Fixing fontconfig warnings (rhbz#1601475)\n[60.4.0-2]\n- Added pipewire patch from Tomas Popela (rhbz#1664270)\n[60.4.0-1]\n- Update to 60.4.0 ESR\n[60.3.0-2]\n- Added firefox-gnome-shell-extension\n[60.3.0-1]\n- Update to 60.3.0 ESR\n[60.2.2-2]\n- Added patch for rhbz#1633932\n[60.2.2-1]\n- Update to 60.2.2 ESR\n[60.2.1-1]\n- Update to 60.2.1 ESR\n[60.2.0-1]\n- Update to 60.2.0 ESR\n[60.1.0-9]\n- Do not set user agent (rhbz#1608065)\n- GTK dialogs are localized now (rhbz#1619373)\n- JNLP association works again (rhbz#1607457)\n[60.1.0-8]\n- Fixed homepage and bookmarks (rhbz#1606778)\n- Fixed missing file associations in RHEL6 (rhbz#1613565)\n[60.1.0-7]\n- Run at-spi-bus if not running already (for the bundled gtk3)\n[60.1.0-6]\n- Fix for missing schemes for bundled gtk3\n[60.1.0-5]\n- Added mesa-libEGL dependency to gtk3/rhel6\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-07T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2019-11757", "CVE-2019-11758", "CVE-2019-11759", "CVE-2019-11760", "CVE-2019-11761", "CVE-2019-11762", "CVE-2019-11763", "CVE-2019-11764"], "modified": "2020-07-07T00:00:00", "id": "ELSA-2019-3281", "href": "http://linux.oracle.com/errata/ELSA-2019-3281.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:24:56", "description": "[60.1.0-4.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[60.1.0-4]\n- Disabled jemalloc on all second arches\n[60.1.0-3]\n- Updated to 60.1.0 ESR build2\n[60.1.0-2]\n- Disabled jemalloc on second arches\n[60.1.0-1]\n- Updated to 60.1.0 ESR\n[60.0-12]\n- Fixing bundled libffi issues\n- Readded some requirements\n[60.0-10]\n- Added fix for mozilla BZ#1436242 - IPC crashes.\n[60.0-9]\n- Bundling libffi for the sec-arches\n- Added openssl-devel for the Python\n- Fixing bundled gtk3\n[60.0-8]\n- Added fix for mozilla BZ#1458492\n[60.0-7]\n- Added patch from rhbz#1498561 to fix ppc64(le) crashes.\n[60.0-6]\n- Disabled jemalloc on second arches\n[60.0-4]\n- Update to 60.0 ESR\n[52.7.0-1]\n- Update to 52.7.0 ESR\n[52.6.0-2]\n- Build Firefox for desktop arches only (x86_64 and ppc64le)\n[52.6.0-1]\n- Update to 52.6.0 ESR\n[52.5.0-1]\n- Update to 52.5.0 ESR\n[52.4.0-1]\n- Update to 52.4.0 ESR\n[52.3.0-3]\n- Update to 52.3.0 ESR (b2)\n- Require correct nss version\n[52.2.0-1]\n- Update to 52.2.0 ESR\n[52.1.2-1]\n- Update to 52.1.2 ESR\n[52.0-7]\n- Added fix for accept language (rhbz#1454322)\n[52.0-6]\n- Removing patch required for older NSS from RHEL 7.3\n- Added patch for rhbz#1414564\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-04T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2017-7762", "CVE-2018-12359", "CVE-2018-12360", "CVE-2018-12362", "CVE-2018-12363", "CVE-2018-12364", "CVE-2018-12365", "CVE-2018-12366", "CVE-2018-5156", "CVE-2018-5188", "CVE-2018-6126"], "modified": "2018-07-04T00:00:00", "id": "ELSA-2018-2113", "href": "http://linux.oracle.com/errata/ELSA-2018-2113.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:25:09", "description": "[52.1.0-2.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n- Force requirement of newer gdk-pixbuf2 to ensure a proper update (Todd Vierling) [orabug 19847484]\n[52.1.0-2]\n- Update to 52.1.0 ESR (Build3)\n[52.1.0-1]\n- Update to 52.1.0 ESR\n[52.0-5]\n- Added fix for mozbz#1348168/CVE-2017-5428\n[52.0-4]\n- Update to 52.0 ESR (b4)\n[52.0-3]\n- Added fix for rhbz#1423012 - ppc64 gfx crashes\n[52.0-2]\n- Enable system nss\n[52.0-1]\n- Update to 52.0ESR (B1)\n- Build RHEL7 package for Gtk3\n[52.0-0.13]\n- Added fix for rhbz#1414535\n[52.0-0.12]\n- Update to 52.0b8\n[52.0-0.11]\n- Readded addons patch\n[52.0-0.10]\n- Update to 52.0b3\n[52.0-0.9]\n- Update to 52.0b2\n[52.0-0.8]\n- Update to 52.0b1\n[52.0-0.5]\n- Firefox Aurora 52 testing build\n[45.5.0-1]\n- Update to 45.5.0 ESR\n[45.4.0-3]\n- Added upcoming upstream patches mozbz#1018486\n[45.4.0-2]\n- Added Laszlo Ersek patch for aarch64 crashes\n[45.4.0-1]\n- Update to 45.4.0 ESR\n[45.3.0-1]\n- Update to 45.3.0 ESR\n[45.2.0-3]\n- Added fix for mozbz#256180\n[45.2.0-2]\n- Added fix for mozbz#975832, rhbz#1343202\n[45.2.0-1]\n- Update to 45.2.0 ESR\n[45.1.1-2]\n- Added fix for mozbz#1270046 - new Samba auth response\n[45.1.1-1]\n- Update to 45.1.1 ESR\n[45.1.0-3]\n- Disabled ffmpeg (rhbz#1330898)\n[45.1.0-1]\n- Fixed some regressions introduced by rebase\n[45.1.0-1]\n- Update to 45.1.0 ESR\n[45.0.2-1]\n- Update to 45.0.2 ESR\n[45.0.1-1]\n- Update to 45.0.1 ESR\n[45.0-5]\n- Fixed crashed after start (rhbz#1323744, rhbz#1323738)\n[45.0-4]\n- Added system-level location for configuring Firefox (rhbz#1206239)\n[45.0-3]\n- Update to 45.0 ESR\n[38.5.0-3]\n- Update to 38.5.0 ESR\n[38.4.0-1]\n- Update to 38.4.0 ESR\n[38.3.0-2]\n- Update to 38.3.0 ESR\n[38.2.1-1]\n- Update to 38.2.1 ESR\n[38.2.0-4]\n- Update to 38.2.0 ESR\n[38.1.1-1]\n- Update to 38.1.1 ESR\n[38.1.0-1]\n- Update to 38.1.0 ESR\n[38.0.1-2]\n- Fixed rhbz#1222807 by removing preun section\n[38.0.1-1]\n- Update to 38.0.1 ESR\n[38.0-4]\n- Fixed rhbz#1221286 - After update to Firefox 38 ESR\n all RH preferences are gone\n[38.0-3]\n- Enabled system nss\n- Removed unused patches\n* Mon May 04 2015 Jan Horak - 38.0-2\n- Update to 38.0 ESR\n[38.0b8-0.11]\n- Update to 38.0 Beta 8\n[38.0b6-0.10]\n- Added patch for mozbz#1152515\n[38.0b6-0.9]\n- Update to 38.0 Beta 6\n[38.0b5-0.8]\n- Update to 38.0 Beta 5\n[38.0b3-0.7]\n- Update to 38.0 Beta 3\n[38.0b1-0.6]\n- Added patch for mozbz#1152391\n[38.0b1-0.5]\n- Fix build on AArch64 (based on upstream skia changes)\n[38.0b1-0.4]\n- Enabled debug build\n[38.0b1-1]\n- Update to 38.0b1\n[31.5.0-2]\n- Update to 31.5.0 ESR Build 2\n[31.4.0-1]\n- Update to 31.4.0 ESR\n[31.3.0-6]\n- Fixed Bug 1140385 - [HP HPS 7.1 bug] assertion\n 'sys_page_size == 0' when starting firefox\n[31.3.0-5]\n- Fixed problems with dictionary (mozbz#1097550)\n- JS JIT fixes for ppc64le\n[31.3.0-3]\n- Fixed geolocation key location\n[31.3.0-2]\n- Disable exact rooting for JS\n[31.3.0-1]\n- Update to 31.3.0 ESR Build 2\n- Fix for geolocation API (rhbz#1063739)\n[31.2.0-5]\n- Enabled gstreamer-1 support (rhbz#1161077)\n[31.2.0-4]\n- Fix webRTC for aarch64, ppc64le (rhbz#1148622)\n[31.2.0-3]\n- Update to 31.2.0 ESR\n- Fix for mozbz#1042889\n[31.1.0-7]\n- Enable WebM on all arches\n[31.1.0-6]\n- Enable all NPAPI plugins by default to keep compatibility\n with the FF24 line\n[31.1.0-5]\n- Added workaround for rhbz#1134876\n[31.1.0-3]\n- Disable mozilla::pkix (mozbz#1063315)\n- Enable image cache\n[31.1.0-2]\n- A workaround for rhbz#1110291\n[31.1.0-1]\n- Update to 31.1.0 ESR\n[31.0-3]\n- Built with system libvpx/WebM\n[31.0-2]\n- Built with system nss/nspr\n[31.0-1]\n- Update to 31.0 ESR\n[24.6.0-1]\n- Update to 24.6.0 ESR\n[24.5.0-2]\n- Removed unused patches\n[24.5.0-1]\n- Update to 24.5.0 ESR\n[24.4.0-3]\n- Added a workaround for Bug 1054242 - RHEVM: Extremely high memory\n usage in Firefox 24 ESR on RHEL 6.5\n[24.4.0-2]\n- fixed rhbz#1067343 - Broken languagepack configuration\n after firefox update\n[24.4.0-1]\n- Update to 24.4.0 ESR\n[24.3.0-3]\n- fixed rhbz#1054832 - Firefox does not support Camellia cipher\n[24.3.0-1]\n- Update to 24.3.0 ESR\n[24.2.0-3]\n- Mass rebuild 2014-01-24\n[24.2.0-2]\n- Mass rebuild 2013-12-27\n[24.2.0-1]\n- Update to 24.2.0 ESR\n[24.1.0-5]\n- Fixed mozbz#938730 - avoid mix of memory allocators (crashes)\n when using system sqlite\n[24.1.0-4]\n- Fixed rhbz#1034541 - No translation being picked up\n from langpacks for firefox\n[24.1.0-3]\n- Conflicts with old, xulrunner based firefox\n[24.1.0-2]\n- Ship dependentlibs.list (rhbz#1027782)\n- Nss/nspr dependency update\n[24.1.0-1]\n- Update to 24.1.0 ESR\n[24.0-2]\n- Build as stand alone browser, without xulrunner\n[24.0-1]\n- Update to 24.0 ESR\n[17.0.9-1]\n- Update to 17.0.9 ESR\n[17.0.8-2]\n- Desktop file update\n- Spec file tweaks\n[17.0.8-1]\n- Update to 17.0.8 ESR\n[17.0.7-2]\n- Updated manual page\n[17.0.7-1]\n- Update to 17.0.7 ESR\n[17.0.6-1]\n- Update to 17.0.6 ESR\n[17.0.5-3]\n- Removed mozilla prefix from desktop file (rhbz#826960)\n[17.0.5-2]\n- Updated XulRunner SDK check\n[17.0.5-1]\n- Update to 17.0.5 ESR\n[17.0.4-2]\n- Fixed rhbz#837606 - firefox has no x-scheme-handler/http mime\n[17.0.4-1]\n- Update to 17.0.4 ESR\n- Added fix for mozbz#239254 - [Linux] Support disk cache on a local path\n[17.0.2-3]\n- Added NM preferences\n[17.0.2-2]\n- Updated preferences (NFS, nspluginwrapper)\n[17.0.2-1]\n- Update to 17.0.2 ESR\n[17.0.1-1]\n- Update to 17.0.1 ESR\n[10.0.8-2]\n- Update to 10.0.8 ESR\n[10.0.7-1]\n- Update to 10.0.7 ESR\n[10.0.6-1]\n- Update to 10.0.6 ESR\n[10.0.5-4]\n- Enabled WebM\n[10.0.5-2]\n- Added fix for mozbz#703633, rhbz#818341\n[10.0.5-1]\n- Update to 10.0.5 ESR\n[10.0.4-1]\n- Update to 10.0.4 ESR\n[10.0.3-1]\n- Update to 10.0.3 ESR\n[10.0.1-1]\n- Update to 10.0.1 ESR\n[10.0-3]\n- Update to 10.0 ESR\n[10.0-1]\n- Update to 10.0\n[7.0-5]\n- Update to 7.0\n[7.0-4]\n- Update to 7.0 Beta 6\n[7.0-2]\n- Update to 7.0 Beta 4\n[5.0-1]\n- Update to 5.0\n[3.6.18-1]\n- Fixed #698313 - 'background-repeat' css property isn't rendered well\n- Update to 3.6.18\n[3.6.17-1]\n- Update to 3.6.17\n[3.6.15-1]\n- Update to 3.6.15\n[3.6.14-4]\n- Update to build3\n[3.6.14-3]\n- Update to build2\n[3.6.14-2]\n- Update to 3.6.14", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-20T00:00:00", "type": "oraclelinux", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428", "CVE-2017-5429", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5437", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5448", "CVE-2017-5449", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5469"], "modified": "2017-04-20T00:00:00", "id": "ELSA-2017-1104", "href": "http://linux.oracle.com/errata/ELSA-2017-1104.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nThe Mozilla Foundation reports:\n\nAn integer overflow in createImageBitmap() was reported\n\t through the Pwn2Own contest. The fix for this vulnerability\n\t disables the experimental extensions to the\n\t createImageBitmap API. This function runs in the content\n\t sandbox, requiring a second vulnerability to compromise a\n\t user's computer.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-17T00:00:00", "type": "freebsd", "title": "firefox -- integer overflow in createImageBitmap()", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-17T00:00:00", "id": "5F453B69-ABAB-4E76-B6E5-2ED0BAFCAEE3", "href": "https://vuxml.freebsd.org/freebsd/5f453b69-abab-4e76-b6e5-2ed0bafcaee3.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2021-06-08T18:39:48", "description": "Mozilla Firefox was updated to 52.0.1 to fix one security issue:\n\n - CVE-2017-5428: integer overflow in createImageBitmap() (boo#1029822,\n MFSA 2017-08)\n\n", "cvss3": {}, "published": "2017-03-21T00:09:23", "type": "suse", "title": "Security update for Mozilla Firefox (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-21T00:09:23", "id": "OPENSUSE-SU-2017:0765-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00021.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-01-31T18:27:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for Mozilla (openSUSE-SU-2017:0765-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851526", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851526", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851526\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 05:51:13 +0100 (Tue, 21 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for Mozilla (openSUSE-SU-2017:0765-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Mozilla'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Mozilla Firefox was updated to 52.0.1 to fix one security issue:\n\n - CVE-2017-5428: integer overflow in createImageBitmap() (boo#1029822,\n MFSA 2017-08)\");\n\n script_tag(name:\"affected\", value:\"Mozilla on openSUSE Leap 42.2, openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0765-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.2|openSUSELeap42\\.1)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox\", rpm:\"MozillaFirefox~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-branding-upstream\", rpm:\"MozillaFirefox-branding-upstream~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-buildsymbols\", rpm:\"MozillaFirefox-buildsymbols~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-debuginfo\", rpm:\"MozillaFirefox-debuginfo~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-debugsource\", rpm:\"MozillaFirefox-debugsource~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-devel\", rpm:\"MozillaFirefox-devel~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-translations-common\", rpm:\"MozillaFirefox-translations-common~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-translations-other\", rpm:\"MozillaFirefox-translations-other~52.0.1~57.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox\", rpm:\"MozillaFirefox~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-branding-upstream\", rpm:\"MozillaFirefox-branding-upstream~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-buildsymbols\", rpm:\"MozillaFirefox-buildsymbols~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-debuginfo\", rpm:\"MozillaFirefox-debuginfo~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-debugsource\", rpm:\"MozillaFirefox-debugsource~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-devel\", rpm:\"MozillaFirefox-devel~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-translations-common\", rpm:\"MozillaFirefox-translations-common~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaFirefox-translations-other\", rpm:\"MozillaFirefox-translations-other~52.0.1~58.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-25T00:00:00", "type": "openvas", "title": "Fedora Update for firefox FEDORA-2017-cd33654294", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872521", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872521", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for firefox FEDORA-2017-cd33654294\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872521\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-25 05:57:09 +0100 (Sat, 25 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for firefox FEDORA-2017-cd33654294\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"firefox on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-cd33654294\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NAY7J5V7XLXM6AUVQA62BLONQMHFFK4\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~6.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T22:06:28", "description": "This host is installed with Mozilla Firefox\n and is prone to buffer overflow vulnerability.", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310810820", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810820", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-MAC OS X\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810820\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 13:41:26 +0530 (Mon, 20 Mar 2017)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an integer overflow\n in createImageBitmap().\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to cause buffer overflow.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 52.0.1\n on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 52.0.1\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"52.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"52.0.1\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:01", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-18T00:00:00", "type": "openvas", "title": "RedHat Update for firefox RHSA-2017:0558-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871774", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871774", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for firefox RHSA-2017:0558-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871774\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 06:36:58 +0100 (Sat, 18 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for firefox RHSA-2017:0558-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open source web browser.\n\nSecurity Fix(es):\n\n * A flaw was found in the processing of malformed web content. A web page\ncontaining malicious content could cause Firefox to crash or, potentially,\nexecute arbitrary code with the privileges of the user running Firefox.\n(CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue.\nUpstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero\nDay Initiative as the original reporters.\");\n script_tag(name:\"affected\", value:\"firefox on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:0558-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-March/msg00039.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~5.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"firefox-debuginfo\", rpm:\"firefox-debuginfo~52.0~5.el7_3\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:31", "description": "Check the version of firefox", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "openvas", "title": "CentOS Update for firefox CESA-2017:0558 centos7", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-03-08T00:00:00", "id": "OPENVAS:1361412562310882683", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882683", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for firefox CESA-2017:0558 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882683\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 05:50:36 +0100 (Tue, 21 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for firefox CESA-2017:0558 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of firefox\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open source web\nbrowser.\n\nSecurity Fix(es):\n\n * A flaw was found in the processing of malformed web content. A web page\ncontaining malicious content could cause Firefox to crash or, potentially,\nexecute arbitrary code with the privileges of the user running Firefox.\n(CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue.\nUpstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero\nDay Initiative as the original reporters.\");\n script_tag(name:\"affected\", value:\"firefox on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0558\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-March/022344.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~5.el7.centos\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:56", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-29T00:00:00", "type": "openvas", "title": "Fedora Update for firefox FEDORA-2017-9e1ccfe586", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872528", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872528", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for firefox FEDORA-2017-9e1ccfe586\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872528\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-29 06:26:57 +0200 (Wed, 29 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for firefox FEDORA-2017-9e1ccfe586\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"firefox on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9e1ccfe586\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T2MTBBE3ELRRCBYS64TCE4US6VBLJE7I\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~6.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:29", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "openvas", "title": "Ubuntu Update for firefox USN-3238-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310843100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843100", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for firefox USN-3238-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843100\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 05:51:05 +0100 (Tue, 21 Mar 2017)\");\n script_cve_id(\"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for firefox USN-3238-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"An integer overflow was discovered in\n Firefox. If a user were tricked in to opening a specially crafted website, an\n attacker could exploit this to cause a denial of service via application crash\n or execute arbitrary code. (CVE-2017-5428)\");\n script_tag(name:\"affected\", value:\"firefox on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3238-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3238-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"52.0.1+build2-0ubuntu0.14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"52.0.1+build2-0ubuntu0.16.10.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"52.0.1+build2-0ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"firefox\", ver:\"52.0.1+build2-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T22:06:51", "description": "This host is installed with Mozilla Firefox\n ESR and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "openvas", "title": "Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310810822", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810822", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-MAC OS X\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810822\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 13:41:55 +0530 (Mon, 20 Mar 2017)\");\n script_name(\"Mozilla Firefox ESR Security Updates(mfsa_2017-08_2017-08)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n ESR and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an integer overflow\n in createImageBitmap().\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to cause buffer overflow.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version before 52.0.1\n on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 52.0.1\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox-ESR/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"52.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"52.0.1\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T22:05:21", "description": "This host is installed with Mozilla Firefox\n and is prone to buffer overflow vulnerability.", "cvss3": {}, "published": "2017-03-20T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5428"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310810819", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810819", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-Windows\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810819\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2017-5428\");\n script_bugtraq_id(96959);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-20 13:40:58 +0530 (Mon, 20 Mar 2017)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2017-08_2017-08)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an integer overflow\n in createImageBitmap().\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to cause buffer overflow.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 52.0.1\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 52.0.1\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2017-08\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_firefox_detect_portable_win.nasl\");\n script_mandatory_keys(\"Firefox/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:ffVer, test_version:\"52.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"52.0.1\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:50", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2017-1048)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5410", "CVE-2017-5408", "CVE-2017-5407", "CVE-2017-5400", "CVE-2017-5405", "CVE-2017-5401", "CVE-2017-5398", "CVE-2017-5428", "CVE-2017-5404", "CVE-2017-5402"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171048", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1048\");\n script_version(\"2020-01-23T15:42:05+0000\");\n script_cve_id(\"CVE-2017-5398\", \"CVE-2017-5400\", \"CVE-2017-5401\", \"CVE-2017-5402\", \"CVE-2017-5404\", \"CVE-2017-5405\", \"CVE-2017-5407\", \"CVE-2017-5408\", \"CVE-2017-5410\", \"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 15:42:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:46:27 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2017-1048)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1048\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1048\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'firefox' package(s) announced via the EulerOS-SA-2017-1048 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405, CVE-2017-5428)\");\n\n script_tag(name:\"affected\", value:\"'firefox' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~5.0.1.h1\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:22", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2017-1047)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5410", "CVE-2017-5408", "CVE-2017-5407", "CVE-2017-5400", "CVE-2017-5405", "CVE-2017-5401", "CVE-2017-5398", "CVE-2017-5428", "CVE-2017-5404", "CVE-2017-5402"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171047", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171047", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1047\");\n script_version(\"2020-01-23T15:42:05+0000\");\n script_cve_id(\"CVE-2017-5398\", \"CVE-2017-5400\", \"CVE-2017-5401\", \"CVE-2017-5402\", \"CVE-2017-5404\", \"CVE-2017-5405\", \"CVE-2017-5407\", \"CVE-2017-5408\", \"CVE-2017-5410\", \"CVE-2017-5428\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 15:42:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:46:18 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for firefox (EulerOS-SA-2017-1047)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1047\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1047\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'firefox' package(s) announced via the EulerOS-SA-2017-1047 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405, CVE-2017-5428)\");\n\n script_tag(name:\"affected\", value:\"'firefox' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~52.0~5.0.1.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-07-27T16:27:00", "description": "An integer overflow in \"createImageBitmap()\" was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental extensions to the \"createImageBitmap\" API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer. This vulnerability affects Firefox ESR < 52.0.1 and Firefox < 52.0.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-11T21:29:00", "type": "debiancve", "title": "CVE-2017-5428", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2018-06-11T21:29:00", "id": "DEBIANCVE:CVE-2017-5428", "href": "https://security-tracker.debian.org/tracker/CVE-2017-5428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2022-02-27T11:51:50", "description": "**CentOS Errata and Security Advisory** CESA-2017:0558\n\n\nMozilla Firefox is an open source web browser.\n\nSecurity Fix(es):\n\n* A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5428)\n\nRed Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Chaitin Security Research Lab via Trend Micro's Zero Day Initiative as the original reporters.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2017-March/059263.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2017:0558", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-20T08:40:56", "type": "centos", "title": "firefox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-20T08:40:56", "id": "CESA-2017:0558", "href": "https://lists.centos.org/pipermail/centos-announce/2017-March/059263.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2022-01-04T12:15:40", "description": "An integer overflow was discovered in Firefox. If a user were tricked in \nto opening a specially crafted website, an attacker could exploit this to \ncause a denial of service via application crash or execute arbitrary code. \n(CVE-2017-5428)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-20T00:00:00", "type": "ubuntu", "title": "Firefox vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-20T00:00:00", "id": "USN-3238-1", "href": "https://ubuntu.com/security/notices/USN-3238-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-24T18:58:28", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: firefox-52.0-6.fc25", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-24T18:58:28", "id": "FEDORA:974106070D38", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4NAY7J5V7XLXM6AUVQA62BLONQMHFFK4/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-28T23:55:29", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: firefox-52.0-6.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5428"], "modified": "2017-03-28T23:55:29", "id": "FEDORA:600E16075DAE", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/T2MTBBE3ELRRCBYS64TCE4US6VBLJE7I/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}