Security update for MozillaFirefox

Announcement ID: SUSE-SU-2019:0852-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2018-18335 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-18335 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-18356 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-18356 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-18506 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
  • CVE-2018-18506 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2018-18506 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-5785 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2019-5785 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2019-9788 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9788 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9788 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9790 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9790 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9791 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9791 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9791 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9792 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2019-9792 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9792 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9793 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9793 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-9794 ( SUSE ): 5.0 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
  • CVE-2019-9794 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9795 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9795 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9796 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9796 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9801 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2019-9810 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9810 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9810 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9813 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2019-9813 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Enterprise Storage 4
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP3
  • SUSE Linux Enterprise Software Development Kit 12 SP4
  • SUSE OpenStack Cloud 7

An update that solves 15 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

Security issuess addressed:

  • update to Firefox ESR 60.6.1 (bsc#1130262):

  • CVE-2019-9813: Fixed Ionmonkey type confusion with proto mutations

  • CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information

  • Update to Firefox ESR 60.6 (bsc#1129821):

  • CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file

  • CVE-2019-9801: Fixed an issue which could allow Windows programs to be exposed to web content
  • CVE-2019-9788: Fixed multiple memory safety bugs
  • CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use DOM elements
  • CVE-2019-9791: Fixed an incorrect Type inference for constructors entered through on-stack replacement with IonMonkey
  • CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
  • CVE-2019-9793: Fixed multiple improper bounds checks when Spectre mitigations are disabled
  • CVE-2019-9794: Fixed an issue where command line arguments not discarded during execution
  • CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT compiler
  • CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation controller

  • Update to Firefox ESR 60.5.1 (bsc#1125330):

  • CVE-2018-18356: Fixed a use-after-free vulnerability in the Skia library which can occur when creating a path, leading to a potentially exploitable crash.

  • CVE-2019-5785: Fixed an integer overflow vulnerability in the Skia library which can occur after specific transform operations, leading to a potentially exploitable crash.
  • CVE-2018-18335: Fixed a buffer overflow vulnerability in the Skia library which can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.

Other issue addressed:

  • Fixed an issue with MozillaFirefox-translations-common which was causing error on update (bsc#1127987).

Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/ Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/ Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-852=1
  • SUSE Linux Enterprise Desktop 12 SP3
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2019-852=1
  • SUSE Linux Enterprise Desktop 12 SP4
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-852=1
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
    zypper in -t patch SUSE-SLE-POS-12-SP2-CLIENT-2019-852=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-852=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-852=1
  • SUSE Linux Enterprise Software Development Kit 12 SP3
    zypper in -t patch SUSE-SLE-SDK-12-SP3-2019-852=1
  • SUSE Linux Enterprise Software Development Kit 12 SP4
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-852=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2019-852=1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-852=1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-852=1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2019-852=1
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-852=1
  • SUSE Linux Enterprise Server 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-852=1
  • SUSE Linux Enterprise High Performance Computing 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-852=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-852=1
  • SUSE Linux Enterprise High Performance Computing 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-852=1
  • SUSE Linux Enterprise Server 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-852=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-852=1
  • SUSE Enterprise Storage 4
    zypper in -t patch SUSE-Storage-4-2019-852=1

Package List:

  • SUSE OpenStack Cloud 7 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Desktop 12 SP3 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Desktop 12 SP4 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Software Development Kit 12 SP3 (aarch64 ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Software Development Kit 12 SP4 (aarch64 ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP3 (aarch64 ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise High Performance Computing 12 SP3 (aarch64 x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise High Performance Computing 12 SP4 (aarch64 x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server 12 SP4 (aarch64 ppc64le s390x x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2
  • SUSE Enterprise Storage 4 (x86_64)
    • MozillaFirefox-debugsource-60.6.1esr-109.63.2
    • MozillaFirefox-devel-60.6.1esr-109.63.2
    • MozillaFirefox-translations-common-60.6.1esr-109.63.2
    • MozillaFirefox-debuginfo-60.6.1esr-109.63.2
    • MozillaFirefox-60.6.1esr-109.63.2

References: