SUSE-CU-2025:7848-1: Security update of suse/kiosk/firefox-esr

sle-container-updates at lists.suse.com
Sat Nov 1 08:13:41 UTC 2025


SUSE Container Update Advisory: suse/kiosk/firefox-esr
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7848-1
Container Tags        : suse/kiosk/firefox-esr:140.4 , suse/kiosk/firefox-esr:140.4-68.4 , suse/kiosk/firefox-esr:esr , suse/kiosk/firefox-esr:latest
Container Release     : 68.4
Severity              : important
Type                  : security
References            : 1226308 1241219 1245199 1251137 1251263 1251263 1251264 CVE-2025-11708
                        CVE-2025-11709 CVE-2025-11710 CVE-2025-11711 CVE-2025-11712 CVE-2025-11713
                        CVE-2025-11714 CVE-2025-11715 CVE-2025-3576 CVE-2025-59728 CVE-2025-7700
                        CVE-2025-9187 
-----------------------------------------------------------------

The container suse/kiosk/firefox-esr was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3596-1
Released:    Wed Oct 15 09:51:21 2025
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1251264

This update for curl fixes the following issue:

- Rebuild against a newer nghttp2 to fix the handling of 2 or more whitespaces in headers. (bsc#1251264)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5, as a very old protocol, supported quite a number of ciphers
that are no longer up to current cryptographic standards.

To avoid problems with those, SUSE has now disabled those algorithms
by default.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To re-enable those algorithms, use the allow options in krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true
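An audit sketch for the setting described above, added here as an example and not part of the SUSE advisory or the krb5 project: it scans the [libdefaults] section of a krb5.conf for the two allow options and for enctype lists that still name the removed algorithms. The function name, the finding labels and the sample configuration are assumptions; the alias names (rc4-hmac, des3-hmac-sha1 and so on) and the enctype list options come from MIT krb5's documented configuration, not from this advisory.

```python
import re

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # krb5.conf boolean spellings
# Advisory's two switches -> enctype names they re-admit (MIT aliases included).
WEAK = {
    "allow_des3": {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"},
    "allow_rc4": {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "rc4"},
}
ENCTYPE_LISTS = {"permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    # allow_des3 = true
    allow_rc4 = yes
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1 -arcfour-hmac
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
"""


def audit_krb5_conf(text):
    """Return sorted (kind, key, detail) findings for [libdefaults].
    include/includedir directives are not followed; audit those files too."""
    section, allowed, listed = None, set(), []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in WEAK and value.lower() in TRUE_VALUES:
                allowed.add(key)  # any truthy assignment is reported
            elif key in ENCTYPE_LISTS:
                for token in re.split(r"[\s,]+", value.lower()):
                    # A leading "-" removes an enctype from the list: not a finding.
                    for option, names in WEAK.items():
                        if token.lstrip("+") in names:
                            listed.append((key, token, option))
    findings = [("reenabled", opt, "weak enctype accepted again") for opt in allowed]
    for key, token, option in listed:
        kind = "weak-in-use" if option in allowed else "listed-but-disabled"
        findings.append((kind, key, token))
    return sorted(findings)
```

Calling audit_krb5_conf(SAMPLE) yields three findings: the des3 entry that the new default leaves inert, the re-enabled allow_rc4 switch, and the rc4-hmac entry that switch makes usable again.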

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3715-1
Released:    Wed Oct 22 09:11:23 2025
Summary:     Security update for ffmpeg-4
Type:        security
Severity:    important
References:  1226308,1251137,CVE-2025-59728,CVE-2025-7700
This update for ffmpeg-4 fixes the following issues:

  - CVE-2025-59728: allocated space for the appended '/' (bsc#1251137)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3775-1
Released:    Fri Oct 24 14:23:37 2025
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1251263,CVE-2025-11708,CVE-2025-11709,CVE-2025-11710,CVE-2025-11711,CVE-2025-11712,CVE-2025-11713,CVE-2025-11714,CVE-2025-11715
This update for MozillaFirefox fixes the following issues:

Update to Firefox Extended Support Release 140.4.0 ESR (bsc#1251263).

- CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()
- CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures
- CVE-2025-11710: Cross-process information leaked due to malicious IPC messages
- CVE-2025-11711: Some non-writable Object properties could be modified
- CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
- CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
- CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3804-1
Released:    Mon Oct 27 12:35:04 2025
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1251263,CVE-2025-9187
This update for mozilla-nss fixes the following issues:

- Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2:

  * Prevent leaks during pkcs12 decoding.
  * SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates

Update to NSS 3.112.1:

  * restore support for finding certificates by decoded serial number.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3836-1
Released:    Tue Oct 28 11:38:00 2025
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1245199
This update for bash fixes the following issues:

- Fix histfile missing timestamp for the oldest record (bsc#1245199)


The following package changes have been done:

- libreadline7-7.0-150400.27.6.1 updated
- bash-4.4-150400.27.6.1 updated
- bash-sh-4.4-150400.27.6.1 updated
- libfreebl3-3.112.2-150400.3.60.1 updated
- mozilla-nss-certs-3.112.2-150400.3.60.1 updated
- krb5-1.20.1-150600.11.14.1 updated
- mozilla-nss-3.112.2-150400.3.60.1 updated
- libsoftokn3-3.112.2-150400.3.60.1 updated
- libcurl4-8.14.1-150700.7.2.1 updated
- libavutil56_70-4.4.6-150600.13.33.1 updated
- libswresample3_9-4.4.6-150600.13.33.1 updated
- libavcodec58_134-4.4.6-150600.13.33.1 updated
- MozillaFirefox-140.4.0-150200.152.207.1 updated
- container:suse-sle15-15.7-bc008ba5c6cb67bccdaa0a8a8a188754a0214276ba72f9d52f2925430dc5c502-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-da008f7ab0d2262d5e978dc6ce8daeef3cd2f6cd454ccbfe84998b74c49a424b-0 updated

