SUSE-SU-2022:3273-1: important: Security update for MozillaFirefox

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Sep 14 10:33:46 UTC 2022


   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3273-1
Rating:             important
References:         #1200793 #1201758 #1202645 
Cross-References:   CVE-2022-2200 CVE-2022-2505 CVE-2022-34468
                    CVE-2022-34469 CVE-2022-34470 CVE-2022-34471
                    CVE-2022-34472 CVE-2022-34473 CVE-2022-34474
                    CVE-2022-34475 CVE-2022-34476 CVE-2022-34477
                    CVE-2022-34478 CVE-2022-34479 CVE-2022-34480
                    CVE-2022-34481 CVE-2022-34482 CVE-2022-34483
                    CVE-2022-34484 CVE-2022-34485 CVE-2022-36314
                    CVE-2022-36318 CVE-2022-36319 CVE-2022-38472
                    CVE-2022-38473 CVE-2022-38476 CVE-2022-38477
                    CVE-2022-38478
CVSS scores:
                    CVE-2022-2505 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-36314 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2022-36318 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2022-36319 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that fixes 28 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   Mozilla Firefox was updated to 102.2.0esr ESR:

   * Fixed: Various stability, functionality, and security fixes.

   - MFSA 2022-34 (bsc#1202645)

     * CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error
       handling
     * CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have
       inherited the parent's permissions
     * CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in
       PK11_ChangePW
     * CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
       Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
     * CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in
       Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13

   Firefox Extended Support Release 102.1 ESR

     * Fixed: Various stability, functionality, and security fixes.

   - MFSA 2022-30 (bsc#1201758)

     * CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS
       transforms
     * CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources
       reflected URL parameters
     * CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files
       could cause unexpected network loads
     * CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in
       Firefox 103 and 102.1

   - Firefox Extended Support Release 102.0.1 ESR

     * Fixed: Fixed bookmark shortcut creation by dragging to Windows File
       Explorer and dropping partially broken (bmo#1774683)
     * Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode
       (bmo#1776157)
     * Fixed: Fixed multilingual spell checking not working with content in
       both English and a non-Latin alphabet (bmo#1773802)
     * Fixed: Developer tools:  Fixed an issue where the console
       output keep getting scrolled to the bottom when the last visible
        message is an evaluation result (bmo#1776262)
     * Fixed: Fixed *Delete cookies and site data when Firefox is closed*
       checkbox getting disabled on startup (bmo#1777419)
     * Fixed: Various stability fixes

   Firefox 102.0 ESR:

   * New:

     - We now provide more secure connections: Firefox can now automatically
       upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
     - For added viewing pleasure, full-range color levels are now supported
       for video playback on many systems.
     - Find it easier now! Mac users can now access the macOS share options
       from the Firefox File menu.
     - Voilà! Support for images containing ICC v4 profiles is enabled on
       macOS.
     - Firefox now supports the new AVIF image format, which is based on the
       modern and royalty-free AV1 video codec. It
       offers significant bandwidth savings for sites compared to existing
        image formats. It also supports transparency and
       other advanced features.
     - Firefox PDF viewer now supports filling more forms (e.g., XFA-based
       forms, used by multiple governments and banks). Learn more.
     - When available system memory is critically low, Firefox on Windows
       will automatically unload tabs based on their last access time, memory
       usage, and other attributes. This helps to reduce Firefox
       out-of-memory crashes. Forgot something? Switching to an unloaded tab
       automatically reloads it.
     - To prevent session loss for macOS users who are running Firefox from a
       mounted .dmg file, they’ll now be prompted to finish installation.
       Bear in mind, this permission prompt
       only appears the first time these users run Firefox on their computer.
     - For your safety, Firefox now blocks downloads that rely on insecure
       connections, protecting against potentially malicious or unsafe
       downloads. Learn more and see where to find downloads in Firefox.
     - Improved web compatibility for privacy protections with SmartBlock
       3.0: In Private Browsing and Strict Tracking Protection, Firefox goes
       to great lengths to protect your web browsing activity from trackers.
       As part of this, the built- in content blocking will automatically
       block third-party scripts, images, and other content from being loaded
       from cross-site tracking companies reported by Disconnect. Learn more.
     - Introducing a new referrer tracking protection in Strict Tracking
       Protection and Private Browsing. This feature prevents sites from
       unknowingly leaking private information to trackers. Learn more.
     - Introducing Firefox Suggest, a feature that provides website
       suggestions as you type into the address bar. Learn more about this
       faster way to navigate the web and locale- specific features.
     - Firefox macOS now uses Apple's low-power mode for fullscreen video on
       sites such as YouTube and Twitch. This meaningfully extends battery
       life in long viewing sessions. Now your kids can find out what the fox
       says on a loop without you ever missing a beat…
     - With this release, power users can use about:unloads to release system
       resources by manually unloading tabs without closing them.
     - On Windows, there will now be fewer interruptions because Firefox
       won’t prompt you for updates. Instead, a background agent will
       download and install updates even if Firefox is closed.
     - On Linux, we’ve improved WebGL performance and reduced power
       consumption for many users.
     - To better protect all Firefox users against side-channel attacks, such
       as Spectre, we introduced Site Isolation.
     - Firefox no longer warns you by default when you exit the browser or
       close a window using a menu, button, or three-key command. This should
       cut back on unwelcome notifications, which is always nice—however,
       if you prefer a bit of notice, you’ll still have full control over
       the quit/close modal behavior. All warnings can be managed within
       Firefox Settings. No worries! More details here.
     - Firefox supports the new Snap Layouts menus when running on Windows 11.
     - RLBox—a new technology that hardens Firefox against potential
       security vulnerabilities in third-party libraries—is now enabled on
       all platforms.
     - We’ve reduced CPU usage on macOS in Firefox and WindowServer during
       event processing.
     - We’ve also reduced the power usage of software decoded video on
       macOS, especially in fullscreen. This includes streaming sites such as
       Netflix and Amazon Prime Video.
     - You can now move the Picture-in-Picture toggle button to the opposite
       side of the video. Simply look for the new context menu option Move
       Picture-in-Picture Toggle to Left (Right) Side.
     - We’ve made significant improvements in noise suppression and
       auto-gain-control, as well as slight improvements in echo-cancellation
       to provide you with a better overall experience.
     - We’ve also significantly reduced main-thread load.
     - When printing, you can now choose to print only the
       odd/even pages.
     - Firefox now supports and displays the new style of scrollbars on
       Windows 11.
     - Firefox has a new optimized download flow. Instead of prompting every
       time, files will download automatically. However, they can still be
       opened from the downloads panel with just one click. Easy! More
       information
     - Firefox no longer asks what to do for each file by default. You
       won’t be prompted to choose a helper application or save to disk
       before downloading a file unless you have changed your download action
       setting for that type of file.
    -  Any files you download will be immediately saved on your disk.
       Depending on the current configuration, they’ll be saved in your
       preferred download folder, or you’ll be asked to select a location
       for each download. Windows and Linux users will find their downloaded
       files in the destination folder. They’ll no longer be put in the
       Temp folder.
     - Firefox allows users to choose from a number of built-in search
       engines to set as their default. In this release, some users who had
       previously configured a default engine might notice their default
       search engine has changed since Mozilla was unable to secure formal
       permission to continue including certain search engines in Firefox.
     - You can now toggle Narrate in ReaderMode with the keyboard shortcut
       "n."
     - You can find added support for search—with or without
       diacritics—in the PDF viewer.
     - The Linux sandbox has been strengthened: processes exposed to web
       content no longer have access to the X Window system (X11).
     - Firefox now supports credit card autofill and capture in Germany,
       France, and the United Kingdom.
     - We now support captions/subtitles display on YouTube, Prime Video, and
       Netflix videos you watch in Picture-in-Picture. Just turn on the
       subtitles on the in-page video player, and they will appear in PiP.
     - Picture-in-Picture now also supports video captions on websites that
       use Web Video Text Track (WebVTT) format (e.g., Coursera.org, Canadian
       Broadcasting Corporation, and many more).
     - On the first run after install, Firefox detects when its language does
       not match the operating system language and
       offers the user a choice between the two languages.
     - Firefox spell checking now checks spelling in multiple languages. To
       enable additional languages, select them in the text field’s context
       menu.
     - HDR video is now supported in Firefox on Mac—starting with YouTube!
       Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy
       higher-fidelity video content. No need to manually flip any
       preferences to turn HDR video support
       on—just make sure battery preferences are NOT set to “optimize
        video streaming while on battery”.
     - Hardware-accelerated AV1 video decoding is enabled on Windows with
       supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce
       30). Installing the AV1 Video Extension from the Microsoft Store may
       also be required.
     - Video overlay is enabled on Windows for Intel GPUs, reducing power
       usage during video playback.
     - Improved fairness between painting and handling other events. This
       noticeably improves the performance of the volume slider on Twitch.
     - Scrollbars on Linux and Windows 11 won't take space by default. On
       Linux, users can change this in Settings. On Windows, Firefox follows
       the system setting (System Settings > Accessibility > Visual Effects >
       Always show scrollbars).
     - Firefox now ignores less restricted referrer policies—including
       unsafe-url, no-referrer-when-downgrade, and
       origin-when-cross-origin—for cross-site subresource/iframe requests
       to prevent privacy leaks from the referrer.
     - Reading is now easier with the prefers-contrast media query, which
       allows sites to detect if the user has requested that web content is
       presented with a higher (or lower) contrast.
     - All non-configured MIME types can now be assigned a custom action upon
       download completion.
     - Firefox now allows users to use as many microphones as they want, at
       the same time, during video conferencing. The most exciting benefit is
       that you can easily switch your microphones at any time (if your
       conferencing service provider enables this flexibility).
     - Print preview has been updated.

     * Fixed: Various security fixes.

   - MFSA 2022-24 (bsc#1200793)

     * CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way
       to overlay the address bar with web content
     * CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
     * CVE-2022-34468 (bmo#1768537) CSP sandbox header without
       `allow-scripts` can be bypassed via retargeted javascript: URI
     * CVE-2022-34482 (bmo#845880) Drag and drop of malicious image could
       have led to malicious executable and potential code execution
     * CVE-2022-34483 (bmo#1335845) Drag and drop of malicious image could
       have led to malicious executable and potential code execution
     * CVE-2022-34476 (bmo#1387919) ASN.1 parser could have been tricked into
       accepting malformed ASN.1
     * CVE-2022-34481 (bmo#1483699, bmo#1497246) Potential integer overflow
       in ReplaceElementsAt
     * CVE-2022-34474 (bmo#1677138) Sandboxed iframes could redirect to
       external schemes
     * CVE-2022-34469 (bmo#1721220) TLS certificate errors on HSTS-protected
       domains could be bypassed by the user on Firefox for Android
     * CVE-2022-34471 (bmo#1766047) Compromised server could trick a browser
       into an addon downgrade
     * CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP
       requests being blocked
     * CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a
       user accepts a prompt
     * CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part
       of prototype pollution
     * CVE-2022-34480 (bmo#1454072) Free of uninitialized pointer in lg_init
     * CVE-2022-34477 (bmo#1731614) MediaError message property leaked
       information on cross-
       origin same-site pages
     * CVE-2022-34475 (bmo#1757210) HTML Sanitizer could have been bypassed
       via same-origin script via use tags
     * CVE-2022-34473 (bmo#1770888) HTML Sanitizer could have been bypassed
       via use tags
     * CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in
       Firefox 102 and Firefox ESR 91.11
     * CVE-2022-34485 (bmo#1768409, bmo#1768578) Memory safety bugs fixed in
       Firefox 102


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3273=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3273=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-3273=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3273=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3273=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3273=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3273=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-3273=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE OpenStack Cloud 9 (x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      MozillaFirefox-102.2.0-112.130.1
      MozillaFirefox-branding-SLE-102-35.9.1
      MozillaFirefox-debuginfo-102.2.0-112.130.1
      MozillaFirefox-debugsource-102.2.0-112.130.1
      MozillaFirefox-devel-102.2.0-112.130.1
      MozillaFirefox-translations-common-102.2.0-112.130.1


References:

   https://www.suse.com/security/cve/CVE-2022-2200.html
   https://www.suse.com/security/cve/CVE-2022-2505.html
   https://www.suse.com/security/cve/CVE-2022-34468.html
   https://www.suse.com/security/cve/CVE-2022-34469.html
   https://www.suse.com/security/cve/CVE-2022-34470.html
   https://www.suse.com/security/cve/CVE-2022-34471.html
   https://www.suse.com/security/cve/CVE-2022-34472.html
   https://www.suse.com/security/cve/CVE-2022-34473.html
   https://www.suse.com/security/cve/CVE-2022-34474.html
   https://www.suse.com/security/cve/CVE-2022-34475.html
   https://www.suse.com/security/cve/CVE-2022-34476.html
   https://www.suse.com/security/cve/CVE-2022-34477.html
   https://www.suse.com/security/cve/CVE-2022-34478.html
   https://www.suse.com/security/cve/CVE-2022-34479.html
   https://www.suse.com/security/cve/CVE-2022-34480.html
   https://www.suse.com/security/cve/CVE-2022-34481.html
   https://www.suse.com/security/cve/CVE-2022-34482.html
   https://www.suse.com/security/cve/CVE-2022-34483.html
   https://www.suse.com/security/cve/CVE-2022-34484.html
   https://www.suse.com/security/cve/CVE-2022-34485.html
   https://www.suse.com/security/cve/CVE-2022-36314.html
   https://www.suse.com/security/cve/CVE-2022-36318.html
   https://www.suse.com/security/cve/CVE-2022-36319.html
   https://www.suse.com/security/cve/CVE-2022-38472.html
   https://www.suse.com/security/cve/CVE-2022-38473.html
   https://www.suse.com/security/cve/CVE-2022-38476.html
   https://www.suse.com/security/cve/CVE-2022-38477.html
   https://www.suse.com/security/cve/CVE-2022-38478.html
   https://bugzilla.suse.com/1200793
   https://bugzilla.suse.com/1201758
   https://bugzilla.suse.com/1202645



More information about the sle-security-updates mailing list