SUSE-SU-2018:3476-1: important: Security update for MozillaFirefox

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Oct 25 16:16:32 MDT 2018


   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3476-1
Rating:             important
References:         #1094767 #1107343 #1109363 #1109465 #1110506 
                    #1110507 
Cross-References:   CVE-2018-12383 CVE-2018-12385 CVE-2018-12386
                    CVE-2018-12387
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that solves four vulnerabilities and has two
   fixes is now available.

Description:



   This update for MozillaFirefox to 60.2.2ESR fixes the following issues:

   Security issues fixed:

   MFSA 2018-24:

   - CVE-2018-12386: A Type confusion in JavaScript allowed remote code
     execution (bsc#1110506)
   - CVE-2018-12387: Array.prototype.push stack pointer vulnerability may
     have enabled exploits in the sandboxed content process (bsc#1110507)

   MFSA 2018-23:

   - CVE-2018-12385: Fixed a crash in TransportSecurityInfo due to cached
     data (bsc#1109363)
   - CVE-2018-12383: Setting a master password did not delete unencrypted
     previously stored passwords (bsc#1107343)

   Non security issues fixed:

   - Avoid undefined behavior in IPC fd-passing code (bsc#1094767)
   - Fixed a startup crash affecting users migrating from older ESR releases
   - Clean up old NSS DB files after upgrading
   - Fixed an endianness problem in bindgen's handling of bitfields, which
     was causing Firefox to crash on startup on big-endian machines.  Also,
     updates the cc crate, which was buggy in the version that was originally
     vendored in. (bsc#1109465)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2482=1



Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-60.2.2-3.13.3
      MozillaFirefox-branding-SLE-60-4.5.3
      MozillaFirefox-debuginfo-60.2.2-3.13.3
      MozillaFirefox-debugsource-60.2.2-3.13.3
      MozillaFirefox-translations-common-60.2.2-3.13.3
      MozillaFirefox-translations-other-60.2.2-3.13.3

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-60.2.2-3.13.3


References:

   https://www.suse.com/security/cve/CVE-2018-12383.html
   https://www.suse.com/security/cve/CVE-2018-12385.html
   https://www.suse.com/security/cve/CVE-2018-12386.html
   https://www.suse.com/security/cve/CVE-2018-12387.html
   https://bugzilla.suse.com/1094767
   https://bugzilla.suse.com/1107343
   https://bugzilla.suse.com/1109363
   https://bugzilla.suse.com/1109465
   https://bugzilla.suse.com/1110506
   https://bugzilla.suse.com/1110507



More information about the sle-security-updates mailing list