English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 146377 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.842714
Category:Ubuntu Local Security Checks
Title:Ubuntu: Security Advisory (USN-2917-2)
Summary:The remote host is missing an update for the 'firefox' package(s) announced via the USN-2917-2 advisory.
Description:Summary:
The remote host is missing an update for the 'firefox' package(s) announced via the USN-2917-2 advisory.

Vulnerability Insight:
USN-2917-1 fixed vulnerabilities in Firefox. This update caused several
regressions that could result in search engine settings being lost, the
list of search providers appearing empty or the location bar breaking
after typing an invalid URL. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1950)

Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel
Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto,
Tyson Smith, Andrea Marchesini, and Jukka Jylanki discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2016-1952,
CVE-2016-1953)

Nicolas Golubovic discovered that CSP violation reports can be used to
overwrite local files. If a user were tricked in to opening a specially
crafted website with addon signing disabled and unpacked addons installed,
an attacker could potentially exploit this to gain additional privileges.
(CVE-2016-1954)

Muneaki Nishimura discovered that CSP violation reports contained full
paths for cross-origin iframe navigations. An attacker could potentially
exploit this to steal confidential data. (CVE-2016-1955)

Ucha Gobejishvili discovered that performing certain WebGL operations
resulted in memory resource exhaustion with some Intel GPUs, requiring
a reboot. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial
of service. (CVE-2016-1956)

Jose Martinez and Romina Santillan discovered a memory leak in
libstagefright during MPEG4 video file processing in some circumstances.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
memory exhaustion. (CVE-2016-1957)

Abdulrahman Alqabandi discovered that the addressbar could be blank or
filled with page defined content in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to conduct URL spoofing attacks. (CVE-2016-1958)

Looben Yang discovered an out-of-bounds read in Service Worker Manager. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'firefox' package(s) on Ubuntu 12.04, Ubuntu 14.04, Ubuntu 15.10.

Solution:
Please install the updated package(s).

CVSS Score:
7.1

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2016-1950
http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
BugTraq ID: 84223
http://www.securityfocus.com/bid/84223
Debian Security Information: DSA-3510 (Google Search)
http://www.debian.org/security/2016/dsa-3510
Debian Security Information: DSA-3520 (Google Search)
http://www.debian.org/security/2016/dsa-3520
Debian Security Information: DSA-3688 (Google Search)
http://www.debian.org/security/2016/dsa-3688
https://security.gentoo.org/glsa/201605-06
RedHat Security Advisories: RHSA-2016:0495
http://rhn.redhat.com/errata/RHSA-2016-0495.html
http://www.securitytracker.com/id/1035215
SuSE Security Announcement: SUSE-SU-2016:0727 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html
SuSE Security Announcement: SUSE-SU-2016:0777 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html
SuSE Security Announcement: SUSE-SU-2016:0820 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html
SuSE Security Announcement: SUSE-SU-2016:0909 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html
SuSE Security Announcement: openSUSE-SU-2016:0731 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html
SuSE Security Announcement: openSUSE-SU-2016:0733 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
SuSE Security Announcement: openSUSE-SU-2016:1557 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html
http://www.ubuntu.com/usn/USN-2917-1
http://www.ubuntu.com/usn/USN-2917-2
http://www.ubuntu.com/usn/USN-2917-3
http://www.ubuntu.com/usn/USN-2924-1
http://www.ubuntu.com/usn/USN-2934-1
Common Vulnerability Exposure (CVE) ID: CVE-2016-1952
SuSE Security Announcement: openSUSE-SU-2016:0876 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00089.html
SuSE Security Announcement: openSUSE-SU-2016:0894 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html
SuSE Security Announcement: openSUSE-SU-2016:1767 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00006.html
SuSE Security Announcement: openSUSE-SU-2016:1769 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00007.html
SuSE Security Announcement: openSUSE-SU-2016:1778 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00008.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-1953
Common Vulnerability Exposure (CVE) ID: CVE-2016-1954
Common Vulnerability Exposure (CVE) ID: CVE-2016-1955
Common Vulnerability Exposure (CVE) ID: CVE-2016-1956
Common Vulnerability Exposure (CVE) ID: CVE-2016-1957
Common Vulnerability Exposure (CVE) ID: CVE-2016-1958
CopyrightCopyright (C) 2016 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.