SUSE-SU-2023:2849-1: important: Security update for MozillaFirefox, MozillaFirefox-branding-SLE

sle-updates at lists.suse.com
Mon Jul 17 09:36:57 UTC 2023



# Security update for MozillaFirefox, MozillaFirefox-branding-SLE

Announcement ID: SUSE-SU-2023:2849-1  
Rating: important  
References:

  * #1212101
  * #1212438

  
Cross-References:

  * CVE-2023-3482
  * CVE-2023-37201
  * CVE-2023-37202
  * CVE-2023-37203
  * CVE-2023-37204
  * CVE-2023-37205
  * CVE-2023-37206
  * CVE-2023-37207
  * CVE-2023-37208
  * CVE-2023-37209
  * CVE-2023-37210
  * CVE-2023-37211
  * CVE-2023-37212

  
CVSS scores:

  * CVE-2023-3482 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  * CVE-2023-37201 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37202 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37203 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37204 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2023-37205 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2023-37206 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  * CVE-2023-37207 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2023-37208 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37209 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37210 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  * CVE-2023-37211 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2023-37212 ( NVD ):  8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE CaaS Platform 4.0
  * SUSE Linux Enterprise High Performance Computing 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise Server 15 SP1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1

  
  
An update that solves 13 vulnerabilities can now be installed.

## Description:

This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following
issues:

Changes in MozillaFirefox and MozillaFirefox-branding-SLE:

This update provides Firefox Extended Support Release 115.0 ESR.

  * New:

  * Required fields are now highlighted in PDF forms.

  * Improved performance on high-refresh rate monitors (120Hz+).
  * Buttons in the Tabs toolbar can now be reached with Tab, Shift+Tab, and
    Arrow keys. View this article for additional details.
  * Windows' "Make text bigger" accessibility setting now affects all the UI and
    content pages, rather than only applying to system font sizes.
  * Non-breaking spaces are now preserved—preventing automatic line breaks—when
    copying text from a form control.
  * Fixed WebGL performance issues on NVIDIA binary drivers via DMA-Buf on
    Linux.
  * Fixed an issue in which Firefox startup could be significantly slowed down
    by the processing of Web content local storage. This had the greatest impact
    on users with platter hard drives and significant local storage.
  * Removed a configuration option to allow SHA-1 signatures in certificates:
    SHA-1 signatures in certificates—long since determined to no longer be
    secure enough—are now not supported.
  * Highlight color is preserved correctly after typing `Enter` in the mail
    composer of Yahoo Mail and Outlook.
  * After bypassing the HTTPS-only error page, navigating back would take you
    to the error page that was previously dismissed. Back now takes you to the
    previous site that was visited.
  * Paste unformatted shortcut (shift+ctrl/cmd+v) now works in plain text
    contexts, such as input and text area.
  * Added an option to print only the current page from the print preview
    dialog.
  * Swipe to navigate (two fingers on a touchpad swiped left or right to perform
    history back or forward) on Windows is now enabled.
  * Stability on Windows is significantly improved as Firefox handles low-memory
    situations much better.
  * Touchpad scrolling on macOS was made more accessible by reducing unintended
    diagonal scrolling opposite of the intended scroll axis.
  * Firefox is less likely to run out of memory on Linux and performs more
    efficiently for the rest of the system when memory runs low.
  * It is now possible to edit PDFs: including writing text, drawing, and adding
    signatures.
  * Setting Firefox as your default browser now also makes it the default PDF
    application on Windows systems.
  * Swipe-to-navigate (two fingers on a touchpad swiped left or right to perform
    history back or forward) now works for Linux users on Wayland.
  * Text Recognition in images allows users on macOS 10.15 and higher to extract
    text from the selected image (such as a meme or screenshot).
  * Firefox View helps you get back to content you previously discovered. A
    pinned tab allows you to find and open recently closed tabs on your current
    device and access tabs from other devices (via our “Tab Pickup” feature).
  * Import maps, which allow web pages to control the behavior of JavaScript
    imports, are now enabled by default.
  * Processes used for background tabs now use efficiency mode on Windows 11 to
    limit resource use.
  * The shift+esc keyboard shortcut now opens the Process Manager, offering a
    way to quickly identify processes that are using too many resources.
  * Firefox now supports properly color correcting images tagged with ICCv4
    profiles.
  * Support for non-English characters when saving and printing PDF forms.
  * The bookmarks toolbar's default "Only show on New Tab" state works correctly
    for blank new tabs. As before, you can change the bookmark toolbar's
    behavior using the toolbar context menu.
  * Manifest Version 3 (MV3) extension support is now enabled by default (MV2
    remains enabled/supported). This major update also ushers an exciting user
    interface change in the form of the new extensions button.
  * The Arbitrary Code Guard exploit protection has been enabled in the media
    playback utility processes, improving security for Windows users.
  * The native HTML date picker for date and datetime inputs can now be used
    with a keyboard alone, improving its accessibility for screen reader users.
    Users with limited mobility can also now use common keyboard shortcuts to
    navigate the calendar grid and month selection spinners.
  * Firefox builds in the Spanish from Spain (es-ES) and Spanish from Argentina
    (es-AR) locales now come with a built-in dictionary for the Firefox
    spellchecker.
  * On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls the page instead
    of zooming. This avoids accidental zooming and matches the behavior of other
    web browsers on macOS.
  * It's now possible to import bookmarks, history and passwords not only from
    Edge, Chrome or Safari but also from Opera, Opera GX, and Vivaldi.
  * GPU sandboxing has been enabled on Windows.
  * On Windows, third-party modules can now be blocked from injecting themselves
    into Firefox, which can be helpful if they are causing crashes or other
    undesirable behavior.
  * Date, time, and datetime-local input fields can now be cleared with
    `Cmd+Backspace` and `Cmd+Delete` shortcut on macOS and `Ctrl+Backspace` and
    `Ctrl+Delete` on Windows and Linux.
  * GPU-accelerated Canvas2D is enabled by default on macOS and Linux.
  * WebGL performance improvement on Windows, MacOS and Linux.
  * Enables overlay of hardware-decoded video with non-Intel GPUs on Windows
    10/11, improving video playback performance and video scaling quality.
  * Windows native notifications are now enabled.
  * Firefox Relay users can now opt-in to create Relay email masks directly from
    the Firefox credential manager. You must be signed in with your Firefox
    Account.
  * We’ve added two new locales: Silhe Friulian (fur) and Sardinian (sc).
  * Right-clicking on password fields now shows an option to reveal the
    password.
  * Private windows and ETP set to strict will now include email tracking
    protection. This will make it harder for email trackers to learn the
    browsing habits of Firefox users. You can check the Tracking Content in the
    sub-panel on the shield icon panel.
  * The deprecated U2F JavaScript API is now disabled by default. The U2F
    protocol remains usable through the WebAuthn API. The U2F API can be
    re-enabled using the `security.webauth.u2f` preference.
  * Say hello to enhanced Picture-in-Picture! Rewind, check video duration, and
    effortlessly switch to full-screen mode on the web's most popular video
    websites.
  * Firefox's address bar is already a great place to search for what you're
    looking for. Now you'll always be able to see your web search terms and
    refine them while viewing your search's results - no additional scrolling
    needed! Also, a new result menu has been added making it easier to remove
    history results and dismiss sponsored Firefox Suggest entries.
  * Private windows now protect users even better by blocking third-party
    cookies and storage of content trackers.
  * Passwords automatically generated by Firefox now include special characters,
    giving users more secure passwords by default.
  * Firefox 115 introduces a redesigned accessibility engine which significantly
    improves the speed, responsiveness, and stability of Firefox when used with:

    * Screen readers, as well as certain other accessibility software;
    * East Asian input methods;
    * Enterprise single sign-on software; and
    * Other applications which use accessibility frameworks to access information.
  * Firefox 115 now supports AV1 Image Format files containing animations
    (AVIS), improving support for AVIF images across the web.

  * The Windows GPU sandbox first shipped in the Firefox 110 release has been
    tightened to enhance the security benefits it provides.
  * A 13-year-old feature request was fulfilled and Firefox now supports files
    being drag-and-dropped directly from Microsoft Outlook. A special thanks to
    volunteer contributor Marco Spiess for helping to get this across the finish
    line!
  * Users on macOS can now access the Services sub-menu directly from Firefox
    context menus.
  * On Windows, the elastic overscroll effect has been enabled by default. When
    two-finger scrolling on the touchpad or scrolling on the touchscreen, you
    will now see a bouncing animation when scrolling past the edge of a scroll
    container.
  * Firefox is now available in the Tajik (tg) language.
  * Added UI to manage the DNS over HTTPS exception list.
  * Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is
    accessible by adding the Bookmarks menu button to the toolbar.
  * Restrict searches to your local browsing history by selecting Search history
    from the History, Library or Application menu buttons.
  * Mac users can now capture video from their cameras in all supported native
    resolutions. This enables resolutions higher than 1280x720.
  * It is now possible to reorder the extensions listed in the extensions panel.
  * Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn
    authenticators over USB. Some advanced features, such as fully passwordless
    logins, require a PIN to be set on the authenticator.
  * Pocket Recommended content can now be seen in France, Italy, and Spain.
  * DNS over HTTPS settings are now part of the Privacy & Security section of
    the Settings page and allow the user to choose from all the supported modes.
  * Migrating from another browser? Now you can bring over payment methods
    you've saved in Chrome-based browsers to Firefox.
  * Hardware video decoding enabled for Intel GPUs on Linux.
  * The Tab Manager dropdown now features close buttons, so you can close tabs
    more quickly.
  * Windows Magnifier now follows the text cursor correctly when the Firefox
    title bar is visible.
  * Undo and redo are now available in Password fields.

    [1]: https://support.mozilla.org/kb/access-toolbar-functions-using-keyboard
    [2]: https://support.mozilla.org/kb/how-set-tab-pickup-firefox-view
    [3]: https://support.mozilla.org/kb/task-manager-tabs-or-extensions-are-slowing-firefox
    [4]: https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-available-november-21-on-firefox-nightly/
    [5]: https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/
    [6]: https://support.mozilla.org/kb/unified-extensions
    [7]: https://support.mozilla.org/kb/import-data-another-browser
    [8]: https://support.mozilla.org/kb/identify-problems-third-party-modules-firefox-windows
    [9]: https://support.mozilla.org/kb/how-generate-secure-password-firefox
    [10]: https://blog.mozilla.org/accessibility/firefox-113-accessibility-performance/

  * Fixed: Various security fixes. MFSA 2023-22 (bsc#1212438)

  * CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage

  * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment
    mismatch in SpiderMonkey
  * CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local
    system files
  * CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option
    element
  * CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL
    characters
  * CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the
    FileSystem API
  * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
  * CVE-2023-37209 (bmo#1837993) Use-after-free in `NotifyOnHistoryReload`
  * CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550,
    bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
    and Thunderbird 102.13
  * CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076,
    bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed
    in Firefox 115
  * Fixed potential SIGILL on older CPUs (bsc#1212101)

  * Fixed: Various security fixes and other quality

## Patch Instructions:

To install this SUSE Important update, use the SUSE recommended installation
methods such as YaST online_update or "zypper patch".  
Alternatively, you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2849=1

  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-2849=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP1  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-2849=1

  * SUSE CaaS Platform 4.0  
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
you if it detects new updates and let you then trigger updating of the complete
cluster in a controlled way.
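
As an added verification step that is not part of the SUSE advisory: a POSIX shell script that compares the installed MozillaFirefox and MozillaFirefox-branding-SLE package versions against the fixed versions from this advisory's package list, so an administrator can confirm on each SLE 15 SP1 host that the patch actually landed. It assumes rpm and GNU coreutils (for `sort -V`); the fixed version strings are taken from the Package List below.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory text: verify that the packages
# shipped by SUSE-SU-2023:2849-1 are installed at (or above) the fixed version.
# Assumes GNU coreutils (sort -V) and rpm; version strings come from the
# advisory's package list.

FIXED_FIREFOX="115.0-150000.150.91.1"      # MozillaFirefox VERSION-RELEASE
FIXED_BRANDING="115-150000.4.25.1"         # MozillaFirefox-branding-SLE

# version_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# sort -V orders the dotted numeric fields of these SUSE version-release
# strings the same way rpm does; it is not a general rpmvercmp replacement.
version_at_least() {
    installed="$1"
    fixed="$2"
    [ "$installed" = "$fixed" ] && return 0
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    # If the fixed version sorts first, the installed one is newer.
    [ "$lowest" = "$fixed" ]
}

# check_package NAME FIXED: query rpm and report patched / vulnerable / absent.
# Returns 1 only when an older, vulnerable build is installed.
check_package() {
    pkg="$1"
    fixed="$2"
    if ! installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
        echo "$pkg: not installed, nothing to patch"
        return 0
    fi
    if version_at_least "$installed" "$fixed"; then
        echo "$pkg: $installed is at or above $fixed (patched)"
    else
        echo "$pkg: $installed is older than $fixed, apply SUSE-SU-2023:2849-1"
        return 1
    fi
}

# Only query the RPM database on hosts that have one.
if command -v rpm >/dev/null 2>&1; then
    check_package MozillaFirefox "$FIXED_FIREFOX"
    check_package MozillaFirefox-branding-SLE "$FIXED_BRANDING"
fi
```

Running `zypper patch` as described above and then this script gives a per-host record that the vulnerable build is gone; a non-zero exit from `check_package` flags hosts that still need the update.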

## Package List:

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
    x86_64)
    * MozillaFirefox-debuginfo-115.0-150000.150.91.1
    * MozillaFirefox-115.0-150000.150.91.1
    * MozillaFirefox-debugsource-115.0-150000.150.91.1
    * MozillaFirefox-translations-other-115.0-150000.150.91.1
    * MozillaFirefox-translations-common-115.0-150000.150.91.1
    * MozillaFirefox-branding-SLE-115-150000.4.25.1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
    * MozillaFirefox-devel-115.0-150000.150.91.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x
    x86_64)
    * MozillaFirefox-debuginfo-115.0-150000.150.91.1
    * MozillaFirefox-115.0-150000.150.91.1
    * MozillaFirefox-debugsource-115.0-150000.150.91.1
    * MozillaFirefox-translations-other-115.0-150000.150.91.1
    * MozillaFirefox-translations-common-115.0-150000.150.91.1
    * MozillaFirefox-branding-SLE-115-150000.4.25.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch)
    * MozillaFirefox-devel-115.0-150000.150.91.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
    * MozillaFirefox-debuginfo-115.0-150000.150.91.1
    * MozillaFirefox-115.0-150000.150.91.1
    * MozillaFirefox-debugsource-115.0-150000.150.91.1
    * MozillaFirefox-translations-other-115.0-150000.150.91.1
    * MozillaFirefox-translations-common-115.0-150000.150.91.1
    * MozillaFirefox-branding-SLE-115-150000.4.25.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch)
    * MozillaFirefox-devel-115.0-150000.150.91.1
  * SUSE CaaS Platform 4.0 (x86_64)
    * MozillaFirefox-debuginfo-115.0-150000.150.91.1
    * MozillaFirefox-115.0-150000.150.91.1
    * MozillaFirefox-debugsource-115.0-150000.150.91.1
    * MozillaFirefox-translations-other-115.0-150000.150.91.1
    * MozillaFirefox-translations-common-115.0-150000.150.91.1
    * MozillaFirefox-branding-SLE-115-150000.4.25.1
  * SUSE CaaS Platform 4.0 (noarch)
    * MozillaFirefox-devel-115.0-150000.150.91.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-3482.html
  * https://www.suse.com/security/cve/CVE-2023-37201.html
  * https://www.suse.com/security/cve/CVE-2023-37202.html
  * https://www.suse.com/security/cve/CVE-2023-37203.html
  * https://www.suse.com/security/cve/CVE-2023-37204.html
  * https://www.suse.com/security/cve/CVE-2023-37205.html
  * https://www.suse.com/security/cve/CVE-2023-37206.html
  * https://www.suse.com/security/cve/CVE-2023-37207.html
  * https://www.suse.com/security/cve/CVE-2023-37208.html
  * https://www.suse.com/security/cve/CVE-2023-37209.html
  * https://www.suse.com/security/cve/CVE-2023-37210.html
  * https://www.suse.com/security/cve/CVE-2023-37211.html
  * https://www.suse.com/security/cve/CVE-2023-37212.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1212101
  * https://bugzilla.suse.com/show_bug.cgi?id=1212438
