SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2298-1
Rating:             important
References:         #1092548 #1096449 #1098998 
Cross-References:   CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
                    CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
                    CVE-2018-12366 CVE-2018-12368 CVE-2018-5150
                    CVE-2018-5154 CVE-2018-5155 CVE-2018-5156
                    CVE-2018-5157 CVE-2018-5158 CVE-2018-5159
                    CVE-2018-5168 CVE-2018-5178 CVE-2018-5183
                    CVE-2018-5188 CVE-2018-6126
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that fixes 20 vulnerabilities is now available.

Description:

   This update for MozillaFirefox to the 52.9 ESR release fixes the following
   issues:

   These security issues were fixed:

   - Firefox ESR 52.9:
   - CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1,
     and Firefox ESR 52.9 (bsc#1098998).
   - CVE-2018-12368 No warning when opening executable SettingContent-ms
     files (bsc#1098998).
   - CVE-2018-12366 Invalid data handling during QCMS transformations
     (bsc#1098998).
   - CVE-2018-12365 Compromised IPC child process can list local filenames
     (bsc#1098998).
   - CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins
     (bsc#1098998).
   - CVE-2018-12363 Use-after-free when appending DOM nodes (bsc#1098998).
   - CVE-2018-12362 Integer overflow in SSSE3 scaler (bsc#1098998).
   - CVE-2018-12360 Use-after-free when using focus() (bsc#1098998).
   - CVE-2018-5156 Media recorder segmentation fault when track type is
     changed during capture (bsc#1098998).
   - CVE-2018-12359 Buffer overflow using computed size of canvas element
     (bsc#1098998).

   - Firefox ESR 52.8:
   - CVE-2018-6126: Prevent heap buffer overflow in rasterizing paths in SVG
     with Skia (bsc#1096449).
   - CVE-2018-5183: Backport critical security fixes in Skia (bsc#1092548).
   - CVE-2018-5154: Use-after-free with SVG animations and clip paths
     (bsc#1092548).
   - CVE-2018-5155: Use-after-free with SVG animations and text paths
     (bsc#1092548).
   - CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF
     files (bsc#1092548).
   - CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
     (bsc#1092548).
   - CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
     (bsc#1092548).
   - CVE-2018-5168: Lightweight themes can be installed without user
     interaction (bsc#1092548).
   - CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
     through legacy extension (bsc#1092548).
   - CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR
     52.8 (bsc#1092548).

   These non-security issues were fixed:

   - Various stability and regression fixes
   - Performance improvements to the Safe Browsing service to avoid slowdowns
     while updating site classification data


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1536=1



Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-52.9.0esr-3.7.12
      MozillaFirefox-debuginfo-52.9.0esr-3.7.12
      MozillaFirefox-debugsource-52.9.0esr-3.7.12
      MozillaFirefox-translations-common-52.9.0esr-3.7.12
      MozillaFirefox-translations-other-52.9.0esr-3.7.12

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-52.9.0esr-3.7.12


References:

   https://www.suse.com/security/cve/CVE-2018-12359.html
   https://www.suse.com/security/cve/CVE-2018-12360.html
   https://www.suse.com/security/cve/CVE-2018-12362.html
   https://www.suse.com/security/cve/CVE-2018-12363.html
   https://www.suse.com/security/cve/CVE-2018-12364.html
   https://www.suse.com/security/cve/CVE-2018-12365.html
   https://www.suse.com/security/cve/CVE-2018-12366.html
   https://www.suse.com/security/cve/CVE-2018-12368.html
   https://www.suse.com/security/cve/CVE-2018-5150.html
   https://www.suse.com/security/cve/CVE-2018-5154.html
   https://www.suse.com/security/cve/CVE-2018-5155.html
   https://www.suse.com/security/cve/CVE-2018-5156.html
   https://www.suse.com/security/cve/CVE-2018-5157.html
   https://www.suse.com/security/cve/CVE-2018-5158.html
   https://www.suse.com/security/cve/CVE-2018-5159.html
   https://www.suse.com/security/cve/CVE-2018-5168.html
   https://www.suse.com/security/cve/CVE-2018-5178.html
   https://www.suse.com/security/cve/CVE-2018-5183.html
   https://www.suse.com/security/cve/CVE-2018-5188.html
   https://www.suse.com/security/cve/CVE-2018-6126.html
   https://bugzilla.suse.com/1092548
   https://bugzilla.suse.com/1096449
   https://bugzilla.suse.com/1098998

SUSE: 2018:2298-1 important: MozillaFirefox

August 10, 2018
An update that fixes 20 vulnerabilities is now available

Summary

This update for MozillaFirefox to the 52.9 ESR release fixes the following issues: These security issues were fixed: - Firefox ESR 52.9: - CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9 (bsc#1098998). - CVE-2018-12368 No warning when opening executable SettingContent-ms files (bsc#1098998). - CVE-2018-12366 Invalid data handling during QCMS transformations (bsc#1098998). - CVE-2018-12365 Compromised IPC child process can list local filenames (bsc#1098998). - CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins (bsc#1098998). - CVE-2018-12363 Use-after-free when appending DOM nodes (bsc#1098998). - CVE-2018-12362 Integer overflow in SSSE3 scaler (bsc#1098998). - CVE-2018-12360 Use-after-free when using focus() (bsc#1098998). - CVE-2018-5156 Media recorder segmentation fault when track type is changed during capture (bsc#1098998). - CVE-2018-12359 Buffer overflow using computed size of canvas element (bsc#1098998). - Firefox ESR 52.8: - CVE-2018-6126: Prevent heap buffer overflow in rasterizing paths in SVG with Skia (bsc#1096449). - CVE-2018-5183: Backport critical security fixes in Skia (bsc#1092548). - CVE-2018-5154: Use-after-free with SVG animations and clip paths (bsc#1092548). - CVE-2018-5155: Use-after-free with SVG animations and text paths (bsc#1092548). - CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files (bsc#1092548). - CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer (bsc#1092548). - CVE-2018-5159: Integer overflow and out-of-bounds write in Skia (bsc#1092548). - CVE-2018-5168: Lightweight themes can be installed without user interaction (bsc#1092548). - CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension (bsc#1092548). - CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 (bsc#1092548). These non-security issues were fixed: - Various stability and regression fixes - Performance improvements to the Safe Browsing service to avoid slowdowns while updating site classification data Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-1536=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64): MozillaFirefox-52.9.0esr-3.7.12 MozillaFirefox-debuginfo-52.9.0esr-3.7.12 MozillaFirefox-debugsource-52.9.0esr-3.7.12 MozillaFirefox-translations-common-52.9.0esr-3.7.12 MozillaFirefox-translations-other-52.9.0esr-3.7.12 - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64): MozillaFirefox-devel-52.9.0esr-3.7.12

References

#1092548 #1096449 #1098998

Cross- CVE-2018-12359 CVE-2018-12360 CVE-2018-12362

CVE-2018-12363 CVE-2018-12364 CVE-2018-12365

CVE-2018-12366 CVE-2018-12368 CVE-2018-5150

CVE-2018-5154 CVE-2018-5155 CVE-2018-5156

CVE-2018-5157 CVE-2018-5158 CVE-2018-5159

CVE-2018-5168 CVE-2018-5178 CVE-2018-5183

CVE-2018-5188 CVE-2018-6126

Affected Products:

SUSE Linux Enterprise Module for Desktop Applications 15

https://www.suse.com/security/cve/CVE-2018-12359.html

https://www.suse.com/security/cve/CVE-2018-12360.html

https://www.suse.com/security/cve/CVE-2018-12362.html

https://www.suse.com/security/cve/CVE-2018-12363.html

https://www.suse.com/security/cve/CVE-2018-12364.html

https://www.suse.com/security/cve/CVE-2018-12365.html

https://www.suse.com/security/cve/CVE-2018-12366.html

https://www.suse.com/security/cve/CVE-2018-12368.html

https://www.suse.com/security/cve/CVE-2018-5150.html

https://www.suse.com/security/cve/CVE-2018-5154.html

https://www.suse.com/security/cve/CVE-2018-5155.html

https://www.suse.com/security/cve/CVE-2018-5156.html

https://www.suse.com/security/cve/CVE-2018-5157.html

https://www.suse.com/security/cve/CVE-2018-5158.html

https://www.suse.com/security/cve/CVE-2018-5159.html

https://www.suse.com/security/cve/CVE-2018-5168.html

https://www.suse.com/security/cve/CVE-2018-5178.html

https://www.suse.com/security/cve/CVE-2018-5183.html

https://www.suse.com/security/cve/CVE-2018-5188.html

https://www.suse.com/security/cve/CVE-2018-6126.html

https://bugzilla.suse.com/1092548

https://bugzilla.suse.com/1096449

https://bugzilla.suse.com/1098998

Severity
Announcement ID: SUSE-SU-2018:2298-1
Rating: important

Related News