SUSE-SU-2019:2545-1: important: Security update for MozillaFirefox

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Oct 3 13:11:05 MDT 2019


   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2545-1
Rating:             important
References:         #1109465 #1117473 #1123482 #1124525 #1133810 
                    #1138688 #1140868 #1141322 #1145665 #1149292 
                    #1149293 #1149294 #1149295 #1149296 #1149297 
                    #1149298 #1149299 #1149302 #1149303 #1149304 
                    #1149323 
Cross-References:   CVE-2019-11710 CVE-2019-11714 CVE-2019-11716
                    CVE-2019-11718 CVE-2019-11720 CVE-2019-11721
                    CVE-2019-11723 CVE-2019-11724 CVE-2019-11725
                    CVE-2019-11727 CVE-2019-11728 CVE-2019-11733
                    CVE-2019-11735 CVE-2019-11736 CVE-2019-11738
                    CVE-2019-11740 CVE-2019-11742 CVE-2019-11743
                    CVE-2019-11744 CVE-2019-11746 CVE-2019-11747
                    CVE-2019-11748 CVE-2019-11749 CVE-2019-11750
                    CVE-2019-11751 CVE-2019-11752 CVE-2019-11753
                    CVE-2019-9811 CVE-2019-9812
Affected Products:
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Desktop Applications 15
______________________________________________________________________________

   An update that fixes 29 vulnerabilities is now available.

Description:

   This update for MozillaFirefox to 68.1 fixes the following issues:

   Security issues fixed:

   - CVE-2019-9811: Fixed a sandbox escape via installation of malicious
     language pack. (bsc#1140868)
   - CVE-2019-9812: Fixed a sandbox escape through Firefox Sync. (bsc#1149294)
   - CVE-2019-11710: Fixed several memory safety bugs. (bsc#1140868)
   - CVE-2019-11714: Fixed a potentially exploitable crash in Necko.
     (bsc#1140868)
   - CVE-2019-11716: Fixed a sandbox bypass. (bsc#1140868)
   - CVE-2019-11718: Fixed inadequate sanitation in the Activity Stream
     component. (bsc#1140868)
   - CVE-2019-11720: Fixed a character encoding XSS vulnerability.
     (bsc#1140868)
   - CVE-2019-11721: Fixed a homograph domain spoofing issue through unicode
     latin 'kra' character. (bsc#1140868)
   - CVE-2019-11723: Fixed a cookie leakage during add-on fetching across
     private browsing boundaries. (bsc#1140868)
   - CVE-2019-11724: Fixed an outdated permission, granting access to retired
     site input.mozilla.org. (bsc#1140868)
   - CVE-2019-11725: Fixed a Safebrowsing bypass involving WebSockets.
     (bsc#1140868)
   - CVE-2019-11727: Fixed a vulnerability where it possible to force NSS to
     sign CertificateVerify with PKCS#1 v1.5 signatures when those are the
     only ones advertised by server in CertificateRequest in TLS 1.3.
     (bsc#1141322)
   - CVE-2019-11728: Fixed an improper handling of the Alt-Svc header that
     allowed remote port scans. (bsc#1140868)
   - CVE-2019-11733: Fixed an insufficient protection of stored passwords in
     'Saved Logins'. (bnc#1145665)
   - CVE-2019-11735: Fixed several memory safety bugs. (bnc#1149293)
   - CVE-2019-11736: Fixed a file manipulation and privilege escalation in
     Mozilla Maintenance Service. (bnc#1149292)
   - CVE-2019-11738: Fixed a content security policy bypass through
     hash-based sources in directives. (bnc#1149302)
   - CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
   - CVE-2019-11742: Fixed a same-origin policy violation involving SVG
     filters and canvas to steal cross-origin images. (bsc#1149303)
   - CVE-2019-11743: Fixed a timing side-channel attack on cross-origin
     information, utilizing unload event attributes. (bsc#1149298)
   - CVE-2019-11744: Fixed an XSS caused by breaking out of title and
     textarea elements using innerHTML. (bsc#1149304)
   - CVE-2019-11746: Fixed a use-after-free while manipulating video.
     (bsc#1149297)
   - CVE-2019-11752: Fixed a use-after-free while extracting a key value in
     IndexedDB. (bsc#1149296)
   - CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance
     Service in custom Firefox installation location. (bsc#1149295)

   Non-security issues fixed:

   - Latest update now also released for s390x. (bsc#1109465)
   - Fixed a segmentation fault on s390vsl082. (bsc#1117473)
   - Fixed a crash on SLES15 s390x. (bsc#1124525)
   - Fixed a segmentation fault. (bsc#1133810)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2545=1

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2545=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2545=1

   - SUSE Linux Enterprise Module for Desktop Applications 15:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2545=1



Package List:

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.1.0-3.54.2
      MozillaFirefox-debuginfo-68.1.0-3.54.2
      MozillaFirefox-debugsource-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (x86_64):

      MozillaFirefox-buildsymbols-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (s390x):

      MozillaFirefox-devel-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-branding-upstream-68.1.0-3.54.2
      MozillaFirefox-debuginfo-68.1.0-3.54.2
      MozillaFirefox-debugsource-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.1.0-3.54.2
      MozillaFirefox-branding-SLE-68-4.8.5
      MozillaFirefox-debuginfo-68.1.0-3.54.2
      MozillaFirefox-debugsource-68.1.0-3.54.2
      MozillaFirefox-translations-common-68.1.0-3.54.2
      MozillaFirefox-translations-other-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64):

      MozillaFirefox-devel-68.1.0-3.54.2

   - SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-68.1.0-3.54.2
      MozillaFirefox-branding-SLE-68-4.8.5
      MozillaFirefox-debuginfo-68.1.0-3.54.2
      MozillaFirefox-debugsource-68.1.0-3.54.2
      MozillaFirefox-devel-68.1.0-3.54.2
      MozillaFirefox-translations-common-68.1.0-3.54.2
      MozillaFirefox-translations-other-68.1.0-3.54.2


References:

   https://www.suse.com/security/cve/CVE-2019-11710.html
   https://www.suse.com/security/cve/CVE-2019-11714.html
   https://www.suse.com/security/cve/CVE-2019-11716.html
   https://www.suse.com/security/cve/CVE-2019-11718.html
   https://www.suse.com/security/cve/CVE-2019-11720.html
   https://www.suse.com/security/cve/CVE-2019-11721.html
   https://www.suse.com/security/cve/CVE-2019-11723.html
   https://www.suse.com/security/cve/CVE-2019-11724.html
   https://www.suse.com/security/cve/CVE-2019-11725.html
   https://www.suse.com/security/cve/CVE-2019-11727.html
   https://www.suse.com/security/cve/CVE-2019-11728.html
   https://www.suse.com/security/cve/CVE-2019-11733.html
   https://www.suse.com/security/cve/CVE-2019-11735.html
   https://www.suse.com/security/cve/CVE-2019-11736.html
   https://www.suse.com/security/cve/CVE-2019-11738.html
   https://www.suse.com/security/cve/CVE-2019-11740.html
   https://www.suse.com/security/cve/CVE-2019-11742.html
   https://www.suse.com/security/cve/CVE-2019-11743.html
   https://www.suse.com/security/cve/CVE-2019-11744.html
   https://www.suse.com/security/cve/CVE-2019-11746.html
   https://www.suse.com/security/cve/CVE-2019-11747.html
   https://www.suse.com/security/cve/CVE-2019-11748.html
   https://www.suse.com/security/cve/CVE-2019-11749.html
   https://www.suse.com/security/cve/CVE-2019-11750.html
   https://www.suse.com/security/cve/CVE-2019-11751.html
   https://www.suse.com/security/cve/CVE-2019-11752.html
   https://www.suse.com/security/cve/CVE-2019-11753.html
   https://www.suse.com/security/cve/CVE-2019-9811.html
   https://www.suse.com/security/cve/CVE-2019-9812.html
   https://bugzilla.suse.com/1109465
   https://bugzilla.suse.com/1117473
   https://bugzilla.suse.com/1123482
   https://bugzilla.suse.com/1124525
   https://bugzilla.suse.com/1133810
   https://bugzilla.suse.com/1138688
   https://bugzilla.suse.com/1140868
   https://bugzilla.suse.com/1141322
   https://bugzilla.suse.com/1145665
   https://bugzilla.suse.com/1149292
   https://bugzilla.suse.com/1149293
   https://bugzilla.suse.com/1149294
   https://bugzilla.suse.com/1149295
   https://bugzilla.suse.com/1149296
   https://bugzilla.suse.com/1149297
   https://bugzilla.suse.com/1149298
   https://bugzilla.suse.com/1149299
   https://bugzilla.suse.com/1149302
   https://bugzilla.suse.com/1149303
   https://bugzilla.suse.com/1149304
   https://bugzilla.suse.com/1149323



More information about the sle-security-updates mailing list