SUSE-SU-2023:2849-1: important: Security update for MozillaFirefox, MozillaFirefox-branding-SLE
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Jul 17 09:36:57 UTC 2023
# Security update for MozillaFirefox, MozillaFirefox-branding-SLE
Announcement ID: SUSE-SU-2023:2849-1
Rating: important
References:
* #1212101
* #1212438
Cross-References:
* CVE-2023-3482
* CVE-2023-37201
* CVE-2023-37202
* CVE-2023-37203
* CVE-2023-37204
* CVE-2023-37205
* CVE-2023-37206
* CVE-2023-37207
* CVE-2023-37208
* CVE-2023-37209
* CVE-2023-37210
* CVE-2023-37211
* CVE-2023-37212
CVSS scores:
* CVE-2023-3482 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2023-37201 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37202 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37203 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37204 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2023-37205 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2023-37206 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* CVE-2023-37207 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2023-37208 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37209 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37210 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
* CVE-2023-37211 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-37212 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
* SUSE CaaS Platform 4.0
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
An update that solves 13 vulnerabilities can now be installed.
## Description:
This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following
issues:
Changes in MozillaFirefox and MozillaFirefox-branding-SLE:
This update provides Firefox Extended Support Release 115.0 ESR
* New:
* Required fields are now highlighted in PDF forms.
* Improved performance on high-refresh rate monitors (120Hz+).
* Buttons in the Tabs toolbar can now be reached with Tab, Shift+Tab, and
Arrow keys. View this article for additional details.
* Windows' "Make text bigger" accessibility setting now affects all the UI and
content pages, rather than only applying to system font sizes.
* Non-breaking spaces are now preserved—preventing automatic line breaks—when
copying text from a form control.
* Fixed WebGL performance issues on NVIDIA binary drivers via DMA-Buf on
Linux.
* Fixed an issue in which Firefox startup could be significantly slowed down
by the processing of Web content local storage. This had the greatest impact
on users with platter hard drives and significant local storage.
* Removed a configuration option to allow SHA-1 signatures in certificates:
SHA-1 signatures in certificates—long since determined to no longer be
secure enough—are now not supported.
* Highlight color is preserved correctly after typing `Enter` in the mail
composer of Yahoo Mail and Outlook. After bypassing the https only error
page navigating back would take you to the error page that was previously
dismissed. Back now takes you to the previous site that was visited.
* Paste unformatted shortcut (shift+ctrl/cmd+v) now works in plain text
contexts, such as input and text area.
* Added an option to print only the current page from the print preview
dialog.
* Swipe to navigate (two fingers on a touchpad swiped left or right to perform
history back or forward) on Windows is now enabled.
* Stability on Windows is significantly improved as Firefox handles low-memory
situations much better.
* Touchpad scrolling on macOS was made more accessible by reducing unintended
diagonal scrolling opposite of the intended scroll axis.
* Firefox is less likely to run out of memory on Linux and performs more
efficiently for the rest of the system when memory runs low.
* It is now possible to edit PDFs: including writing text, drawing, and adding
signatures.
* Setting Firefox as your default browser now also makes it the default PDF
application on Windows systems.
* Swipe-to-navigate (two fingers on a touchpad swiped left or right to perform
history back or forward) now works for Linux users on Wayland.
* Text Recognition in images allows users on macOS 10.15 and higher to extract
text from the selected image (such as a meme or screenshot).
* Firefox View helps you get back to content you previously discovered. A
pinned tab allows you to find and open recently closed tabs on your current
device and access tabs from other devices (via our “Tab Pickup” feature).
* Import maps, which allow web pages to control the behavior of JavaScript
imports, are now enabled by default.
* Processes used for background tabs now use efficiency mode on Windows 11 to
limit resource use.
* The shift+esc keyboard shortcut now opens the Process Manager, offering a
way to quickly identify processes that are using too many resources.
* Firefox now supports properly color correcting images tagged with ICCv4
profiles.
* Support for non-English characters when saving and printing PDF forms.
* The bookmarks toolbar's default "Only show on New Tab" state works correctly
for blank new tabs. As before, you can change the bookmark toolbar's
behavior using the toolbar context menu.
* Manifest Version 3 (MV3) extension support is now enabled by default (MV2
remains enabled/supported). This major update also ushers an exciting user
interface change in the form of the new extensions button.
* The Arbitrary Code Guard exploit protection has been enabled in the media
playback utility processes, improving security for Windows users.
* The native HTML date picker for date and datetime inputs can now be used
with a keyboard alone, improving its accessibility for screen reader users.
Users with limited mobility can also now use common keyboard shortcuts to
navigate the calendar grid and month selection spinners.
* Firefox builds in the Spanish from Spain (es-ES) and Spanish from Argentina
(es-AR) locales now come with a built- in dictionary for the Firefox
spellchecker.
* On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls the page instead
of zooming. This avoids accidental zooming and matches the behavior of other
web browsers on macOS.
* It's now possible to import bookmarks, history and passwords not only from
Edge, Chrome or Safari but also from Opera, Opera GX, and Vivaldi.
* GPU sandboxing has been enabled on Windows.
* On Windows, third-party modules can now be blocked from injecting themselves
into Firefox, which can be helpful if they are causing crashes or other
undesirable behavior.
* Date, time, and datetime-local input fields can now be cleared with
`Cmd+Backspace` and `Cmd+Delete` shortcut on macOS and `Ctrl+Backspace` and
`Ctrl+Delete` on Windows and Linux.
* GPU-accelerated Canvas2D is enabled by default on macOS and Linux.
* WebGL performance improvement on Windows, MacOS and Linux.
* Enables overlay of hardware-decoded video with non-Intel GPUs on Windows
10/11, improving video playback performance and video scaling quality.
* Windows native notifications are now enabled.
* Firefox Relay users can now opt-in to create Relay email masks directly from
the Firefox credential manager. You must be signed in with your Firefox
Account.
* We’ve added two new locales: Silhe Friulian (fur) and Sardinian (sc).
* Right-clicking on password fields now shows an option to reveal the
password.
* Private windows and ETP set to strict will now include email tracking
protection. This will make it harder for email trackers to learn the
browsing habits of Firefox users. You can check the Tracking Content in the
sub-panel on the shield icon panel.
* The deprecated U2F Javascript API is now disabled by default. The U2F
protocol remains usable through the WebAuthn API. The U2F API can be re-
enabled using the `security.webauth.u2f` preference.
* Say hello to enhanced Picture-in-Picture! Rewind, check video duration, and
effortlessly switch to full-screen mode on the web's most popular video
websites.
* Firefox's address bar is already a great place to search for what you're
looking for. Now you'll always be able to see your web search terms and
refine them while viewing your search's results - no additional scrolling
needed! Also, a new result menu has been added making it easier to remove
history results and dismiss sponsored Firefox Suggest entries.
* Private windows now protect users even better by blocking third-party
cookies and storage of content trackers.
* Passwords automatically generated by Firefox now include special characters,
giving users more secure passwords by default.
* Firefox 115 introduces a redesigned accessibility engine which significantly
improves the speed, responsiveness, and stability of Firefox when used with:
* Screen readers, as well as certain other accessibility software;
* East Asian input methods;
* Enterprise single sign-on software; and
* Other applications which use accessibility frameworks to access information.
* Firefox 115 now supports AV1 Image Format files containing animations
(AVIS), improving support for AVIF images across the web.
* The Windows GPU sandbox first shipped in the Firefox 110 release has been
tightened to enhance the security benefits it provides.
* A 13-year-old feature request was fulfilled and Firefox now supports files
being drag-and-dropped directly from Microsoft Outlook. A special thanks to
volunteer contributor Marco Spiess for helping to get this across the finish
line!
* Users on macOS can now access the Services sub-menu directly from Firefox
context menus.
* On Windows, the elastic overscroll effect has been enabled by default. When
two-finger scrolling on the touchpad or scrolling on the touchscreen, you
will now see a bouncing animation when scrolling past the edge of a scroll
container.
* Firefox is now available in the Tajik (tg) language.
* Added UI to manage the DNS over HTTPS exception list.
* Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is
accessible by adding the Bookmarks menu button to the toolbar.
* Restrict searches to your local browsing history by selecting Search history
from the History, Library or Application menu buttons.
* Mac users can now capture video from their cameras in all supported native
resolutions. This enables resolutions higher than 1280x720.
* It is now possible to reorder the extensions listed in the extensions panel.
* Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn
authenticators over USB. Some advanced features, such as fully passwordless
logins, require a PIN to be set on the authenticator.
* Pocket Recommended content can now be seen in France, Italy, and Spain.
* DNS over HTTPS settings are now part of the Privacy & Security section of
the Settings page and allow the user to choose from all the supported modes.
* Migrating from another browser? Now you can bring over payment methods
you've saved in Chrome-based browsers to Firefox.
* Hardware video decoding enabled for Intel GPUs on Linux.
* The Tab Manager dropdown now features close buttons, so you can close tabs
more quickly.
* Windows Magnifier now follows the text cursor correctly when the Firefox
title bar is visible.
* Undo and redo are now available in Password fields.
[1]:https://support.mozilla.org/kb/access-toolbar-functions- using-
keyboard?_gl=1 _16it7nj_ _ga _MTEzNjg4MjY5NC4xNjQ1MjAxMDU3_
_ga_MQ7767QQQW*MTY1Njk2MzExMS43LjEuMTY1Njk2MzIzMy4w
[2]:https://support.mozilla.org/kb/how-set-tab-pickup-firefox-view
[3]:https://support.mozilla.org/kb/task-manager-tabs-or-extensions-are-
slowing-firefox
[4]:https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-
available-november-21-on-firefox-nightly/
[5]:https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-
next-steps/ [6]:https://support.mozilla.org/kb/unified-extensions
[7]:https://support.mozilla.org/kb/import-data-another-browser
[8]:https://support.mozilla.org/kb/identify-problems-third-party-modules-
firefox-windows [9]:https://support.mozilla.org/kb/how-generate-secure-
password-firefox
[10]:https://blog.mozilla.org/accessibility/firefox-113-accessibility-
performance/
* Fixed: Various security fixes. MFSA 2023-22 (bsc#1212438)
* CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage
* CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment
mismatch in SpiderMonkey
* CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local
system files
* CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option
element
* CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL
characters
* CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the
FileSystem API
* CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
* CVE-2023-37209 (bmo#1837993) Use-after-free in `NotifyOnHistoryReload`
* CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550,
bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
and Thunderbird 102.13
* CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076,
bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed
in Firefox 115
* Fixed potential SIGILL on older CPUs (bsc#1212101)
* Fixed: Various security fixes and other quality
## Patch Instructions:
To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2849=1
* SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-2849=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-2849=1
* SUSE CaaS Platform 4.0
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
you if it detects new updates and let you then trigger updating of the complete
cluster in a controlled way.
## Package List:
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
x86_64)
* MozillaFirefox-debuginfo-115.0-150000.150.91.1
* MozillaFirefox-115.0-150000.150.91.1
* MozillaFirefox-debugsource-115.0-150000.150.91.1
* MozillaFirefox-translations-other-115.0-150000.150.91.1
* MozillaFirefox-translations-common-115.0-150000.150.91.1
* MozillaFirefox-branding-SLE-115-150000.4.25.1
* SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
* MozillaFirefox-devel-115.0-150000.150.91.1
* SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x
x86_64)
* MozillaFirefox-debuginfo-115.0-150000.150.91.1
* MozillaFirefox-115.0-150000.150.91.1
* MozillaFirefox-debugsource-115.0-150000.150.91.1
* MozillaFirefox-translations-other-115.0-150000.150.91.1
* MozillaFirefox-translations-common-115.0-150000.150.91.1
* MozillaFirefox-branding-SLE-115-150000.4.25.1
* SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch)
* MozillaFirefox-devel-115.0-150000.150.91.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
* MozillaFirefox-debuginfo-115.0-150000.150.91.1
* MozillaFirefox-115.0-150000.150.91.1
* MozillaFirefox-debugsource-115.0-150000.150.91.1
* MozillaFirefox-translations-other-115.0-150000.150.91.1
* MozillaFirefox-translations-common-115.0-150000.150.91.1
* MozillaFirefox-branding-SLE-115-150000.4.25.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch)
* MozillaFirefox-devel-115.0-150000.150.91.1
* SUSE CaaS Platform 4.0 (x86_64)
* MozillaFirefox-debuginfo-115.0-150000.150.91.1
* MozillaFirefox-115.0-150000.150.91.1
* MozillaFirefox-debugsource-115.0-150000.150.91.1
* MozillaFirefox-translations-other-115.0-150000.150.91.1
* MozillaFirefox-translations-common-115.0-150000.150.91.1
* MozillaFirefox-branding-SLE-115-150000.4.25.1
* SUSE CaaS Platform 4.0 (noarch)
* MozillaFirefox-devel-115.0-150000.150.91.1
## References:
* https://www.suse.com/security/cve/CVE-2023-3482.html
* https://www.suse.com/security/cve/CVE-2023-37201.html
* https://www.suse.com/security/cve/CVE-2023-37202.html
* https://www.suse.com/security/cve/CVE-2023-37203.html
* https://www.suse.com/security/cve/CVE-2023-37204.html
* https://www.suse.com/security/cve/CVE-2023-37205.html
* https://www.suse.com/security/cve/CVE-2023-37206.html
* https://www.suse.com/security/cve/CVE-2023-37207.html
* https://www.suse.com/security/cve/CVE-2023-37208.html
* https://www.suse.com/security/cve/CVE-2023-37209.html
* https://www.suse.com/security/cve/CVE-2023-37210.html
* https://www.suse.com/security/cve/CVE-2023-37211.html
* https://www.suse.com/security/cve/CVE-2023-37212.html
* https://bugzilla.suse.com/show_bug.cgi?id=1212101
* https://bugzilla.suse.com/show_bug.cgi?id=1212438
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20230717/9c3a6d37/attachment.htm>
More information about the sle-security-updates
mailing list