SUSE-SU-2022:3273-1: important: Security update for MozillaFirefox
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Sep 14 10:33:46 UTC 2022
SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3273-1
Rating: important
References: #1200793 #1201758 #1202645
Cross-References: CVE-2022-2200 CVE-2022-2505 CVE-2022-34468
CVE-2022-34469 CVE-2022-34470 CVE-2022-34471
CVE-2022-34472 CVE-2022-34473 CVE-2022-34474
CVE-2022-34475 CVE-2022-34476 CVE-2022-34477
CVE-2022-34478 CVE-2022-34479 CVE-2022-34480
CVE-2022-34481 CVE-2022-34482 CVE-2022-34483
CVE-2022-34484 CVE-2022-34485 CVE-2022-36314
CVE-2022-36318 CVE-2022-36319 CVE-2022-38472
CVE-2022-38473 CVE-2022-38476 CVE-2022-38477
CVE-2022-38478
CVSS scores:
CVE-2022-2505 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-36314 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-36318 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-36319 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________
An update that fixes 28 vulnerabilities is now available.
Description:
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 102.2.0esr ESR:
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-34 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error
handling
* CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have
inherited the parent's permissions
* CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in
PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363)
Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in
Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13
Firefox Extended Support Release 102.1 ESR
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-30 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS
transforms
* CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources
reflected URL parameters
* CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files
could cause unexpected network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in
Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
* Fixed: Fixed bookmark shortcut creation by dragging to Windows File
Explorer and dropping partially broken (bmo#1774683)
* Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode
(bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with content in
both English and a non-Latin alphabet (bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console
output keep getting scrolled to the bottom when the last visible
message is an evaluation result (bmo#1776262)
* Fixed: Fixed *Delete cookies and site data when Firefox is closed*
checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
Firefox 102.0 ESR:
* New:
- We now provide more secure connections: Firefox can now automatically
upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
- For added viewing pleasure, full-range color levels are now supported
for video playback on many systems.
- Find it easier now! Mac users can now access the macOS share options
from the Firefox File menu.
- Voilà ! Support for images containing ICC v4 profiles is enabled on
macOS.
- Firefox now supports the new AVIF image format, which is based on the
modern and royalty-free AV1 video codec. It
offers significant bandwidth savings for sites compared to existing
image formats. It also supports transparency and
other advanced features.
- Firefox PDF viewer now supports filling more forms (e.g., XFA-based
forms, used by multiple governments and banks). Learn more.
- When available system memory is critically low, Firefox on Windows
will automatically unload tabs based on their last access time, memory
usage, and other attributes. This helps to reduce Firefox
out-of-memory crashes. Forgot something? Switching to an unloaded tab
automatically reloads it.
- To prevent session loss for macOS users who are running Firefox from a
mounted .dmg file, they’ll now be prompted to finish installation.
Bear in mind, this permission prompt
only appears the first time these users run Firefox on their computer.
- For your safety, Firefox now blocks downloads that rely on insecure
connections, protecting against potentially malicious or unsafe
downloads. Learn more and see where to find downloads in Firefox.
- Improved web compatibility for privacy protections with SmartBlock
3.0: In Private Browsing and Strict Tracking Protection, Firefox goes
to great lengths to protect your web browsing activity from trackers.
As part of this, the built- in content blocking will automatically
block third-party scripts, images, and other content from being loaded
from cross-site tracking companies reported by Disconnect. Learn more.
- Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing. This feature prevents sites from
unknowingly leaking private information to trackers. Learn more.
- Introducing Firefox Suggest, a feature that provides website
suggestions as you type into the address bar. Learn more about this
faster way to navigate the web and locale- specific features.
- Firefox macOS now uses Apple's low-power mode for fullscreen video on
sites such as YouTube and Twitch. This meaningfully extends battery
life in long viewing sessions. Now your kids can find out what the fox
says on a loop without you ever missing a beat…
- With this release, power users can use about:unloads to release system
resources by manually unloading tabs without closing them.
- On Windows, there will now be fewer interruptions because Firefox
won’t prompt you for updates. Instead, a background agent will
download and install updates even if Firefox is closed.
- On Linux, we’ve improved WebGL performance and reduced power
consumption for many users.
- To better protect all Firefox users against side-channel attacks, such
as Spectre, we introduced Site Isolation.
- Firefox no longer warns you by default when you exit the browser or
close a window using a menu, button, or three-key command. This should
cut back on unwelcome notifications, which is always nice—however,
if you prefer a bit of notice, you’ll still have full control over
the quit/close modal behavior. All warnings can be managed within
Firefox Settings. No worries! More details here.
- Firefox supports the new Snap Layouts menus when running on Windows 11.
- RLBox—a new technology that hardens Firefox against potential
security vulnerabilities in third-party libraries—is now enabled on
all platforms.
- We’ve reduced CPU usage on macOS in Firefox and WindowServer during
event processing.
- We’ve also reduced the power usage of software decoded video on
macOS, especially in fullscreen. This includes streaming sites such as
Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to the opposite
side of the video. Simply look for the new context menu option Move
Picture-in-Picture Toggle to Left (Right) Side.
- We’ve made significant improvements in noise suppression and
auto-gain-control, as well as slight improvements in echo-cancellation
to provide you with a better overall experience.
- We’ve also significantly reduced main-thread load.
- When printing, you can now choose to print only the
odd/even pages.
- Firefox now supports and displays the new style of scrollbars on
Windows 11.
- Firefox has a new optimized download flow. Instead of prompting every
time, files will download automatically. However, they can still be
opened from the downloads panel with just one click. Easy! More
information
- Firefox no longer asks what to do for each file by default. You
won’t be prompted to choose a helper application or save to disk
before downloading a file unless you have changed your download action
setting for that type of file.
- Any files you download will be immediately saved on your disk.
Depending on the current configuration, they’ll be saved in your
preferred download folder, or you’ll be asked to select a location
for each download. Windows and Linux users will find their downloaded
files in the destination folder. They’ll no longer be put in the
Temp folder.
- Firefox allows users to choose from a number of built-in search
engines to set as their default. In this release, some users who had
previously configured a default engine might notice their default
search engine has changed since Mozilla was unable to secure formal
permission to continue including certain search engines in Firefox.
- You can now toggle Narrate in ReaderMode with the keyboard shortcut
"n."
- You can find added support for search—with or without
diacritics—in the PDF viewer.
- The Linux sandbox has been strengthened: processes exposed to web
content no longer have access to the X Window system (X11).
- Firefox now supports credit card autofill and capture in Germany,
France, and the United Kingdom.
- We now support captions/subtitles display on YouTube, Prime Video, and
Netflix videos you watch in Picture-in-Picture. Just turn on the
subtitles on the in-page video player, and they will appear in PiP.
- Picture-in-Picture now also supports video captions on websites that
use Web Video Text Track (WebVTT) format (e.g., Coursera.org, Canadian
Broadcasting Corporation, and many more).
- On the first run after install, Firefox detects when its language does
not match the operating system language and
offers the user a choice between the two languages.
- Firefox spell checking now checks spelling in multiple languages. To
enable additional languages, select them in the text field’s context
menu.
- HDR video is now supported in Firefox on Mac—starting with YouTube!
Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy
higher-fidelity video content. No need to manually flip any
preferences to turn HDR video support
on—just make sure battery preferences are NOT set to “optimize
video streaming while on batteryâ€.
- Hardware-accelerated AV1 video decoding is enabled on Windows with
supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce
30). Installing the AV1 Video Extension from the Microsoft Store may
also be required.
- Video overlay is enabled on Windows for Intel GPUs, reducing power
usage during video playback.
- Improved fairness between painting and handling other events. This
noticeably improves the performance of the volume slider on Twitch.
- Scrollbars on Linux and Windows 11 won't take space by default. On
Linux, users can change this in Settings. On Windows, Firefox follows
the system setting (System Settings > Accessibility > Visual Effects >
Always show scrollbars).
- Firefox now ignores less restricted referrer policies—including
unsafe-url, no-referrer-when-downgrade, and
origin-when-cross-origin—for cross-site subresource/iframe requests
to prevent privacy leaks from the referrer.
- Reading is now easier with the prefers-contrast media query, which
allows sites to detect if the user has requested that web content is
presented with a higher (or lower) contrast.
- All non-configured MIME types can now be assigned a custom action upon
download completion.
- Firefox now allows users to use as many microphones as they want, at
the same time, during video conferencing. The most exciting benefit is
that you can easily switch your microphones at any time (if your
conferencing service provider enables this flexibility).
- Print preview has been updated.
* Fixed: Various security fixes.
- MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way
to overlay the address bar with web content
* CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537) CSP sandbox header without
`allow-scripts` can be bypassed via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880) Drag and drop of malicious image could
have led to malicious executable and potential code execution
* CVE-2022-34483 (bmo#1335845) Drag and drop of malicious image could
have led to malicious executable and potential code execution
* CVE-2022-34476 (bmo#1387919) ASN.1 parser could have been tricked into
accepting malformed ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246) Potential integer overflow
in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138) Sandboxed iframes could redirect to
external schemes
* CVE-2022-34469 (bmo#1721220) TLS certificate errors on HSTS-protected
domains could be bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047) Compromised server could trick a browser
into an addon downgrade
* CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP
requests being blocked
* CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a
user accepts a prompt
* CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part
of prototype pollution
* CVE-2022-34480 (bmo#1454072) Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614) MediaError message property leaked
information on cross-
origin same-site pages
* CVE-2022-34475 (bmo#1757210) HTML Sanitizer could have been bypassed
via same-origin script via use tags
* CVE-2022-34473 (bmo#1770888) HTML Sanitizer could have been bypassed
via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in
Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578) Memory safety bugs fixed in
Firefox 102
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3273=1
- SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3273=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-3273=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3273=1
- SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3273=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3273=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3273=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-3273=1
Package List:
- SUSE OpenStack Cloud Crowbar 9 (x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE OpenStack Cloud 9 (x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
MozillaFirefox-102.2.0-112.130.1
MozillaFirefox-branding-SLE-102-35.9.1
MozillaFirefox-debuginfo-102.2.0-112.130.1
MozillaFirefox-debugsource-102.2.0-112.130.1
MozillaFirefox-devel-102.2.0-112.130.1
MozillaFirefox-translations-common-102.2.0-112.130.1
References:
https://www.suse.com/security/cve/CVE-2022-2200.html
https://www.suse.com/security/cve/CVE-2022-2505.html
https://www.suse.com/security/cve/CVE-2022-34468.html
https://www.suse.com/security/cve/CVE-2022-34469.html
https://www.suse.com/security/cve/CVE-2022-34470.html
https://www.suse.com/security/cve/CVE-2022-34471.html
https://www.suse.com/security/cve/CVE-2022-34472.html
https://www.suse.com/security/cve/CVE-2022-34473.html
https://www.suse.com/security/cve/CVE-2022-34474.html
https://www.suse.com/security/cve/CVE-2022-34475.html
https://www.suse.com/security/cve/CVE-2022-34476.html
https://www.suse.com/security/cve/CVE-2022-34477.html
https://www.suse.com/security/cve/CVE-2022-34478.html
https://www.suse.com/security/cve/CVE-2022-34479.html
https://www.suse.com/security/cve/CVE-2022-34480.html
https://www.suse.com/security/cve/CVE-2022-34481.html
https://www.suse.com/security/cve/CVE-2022-34482.html
https://www.suse.com/security/cve/CVE-2022-34483.html
https://www.suse.com/security/cve/CVE-2022-34484.html
https://www.suse.com/security/cve/CVE-2022-34485.html
https://www.suse.com/security/cve/CVE-2022-36314.html
https://www.suse.com/security/cve/CVE-2022-36318.html
https://www.suse.com/security/cve/CVE-2022-36319.html
https://www.suse.com/security/cve/CVE-2022-38472.html
https://www.suse.com/security/cve/CVE-2022-38473.html
https://www.suse.com/security/cve/CVE-2022-38476.html
https://www.suse.com/security/cve/CVE-2022-38477.html
https://www.suse.com/security/cve/CVE-2022-38478.html
https://bugzilla.suse.com/1200793
https://bugzilla.suse.com/1201758
https://bugzilla.suse.com/1202645
More information about the sle-security-updates
mailing list