Security update for MozillaFirefox

SUSE Security Update: Security update for MozillaFirefox
Announcement ID: SUSE-SU-2018:3476-1
Rating: important
References: #1094767 #1107343 #1109363 #1109465 #1110506 #1110507
Cross-References: CVE-2018-12383 CVE-2018-12385 CVE-2018-12386 CVE-2018-12387
Affected Products:
  • SUSE Linux Enterprise Module for Desktop Applications 15

An update that solves four vulnerabilities and has two fixes is now available.


This update for MozillaFirefox to 60.2.2ESR fixes the following issues:
Security issues fixed:
MFSA 2018-24:

  • CVE-2018-12386: A type confusion in JavaScript allowed remote code execution (bsc#1110506)
  • CVE-2018-12387: Array.prototype.push stack pointer vulnerability may have enabled exploits in the sandboxed content process (bsc#1110507)

MFSA 2018-23:
  • CVE-2018-12385: Fixed a crash in TransportSecurityInfo due to cached data (bsc#1109363)
  • CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

Non-security issues fixed:
  • Avoid undefined behavior in IPC fd-passing code (bsc#1094767)
  • Fixed a startup crash affecting users migrating from older ESR releases
  • Clean up old NSS DB files after upgrading
  • Fixed an endianness problem in bindgen's handling of bitfields, which was causing Firefox to crash on startup on big-endian machines. Also updated the cc crate, which was buggy in the version that was originally vendored in. (bsc#1109465)

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for Desktop Applications 15:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2482=1

Package List:

  • SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):
    • MozillaFirefox-60.2.2-3.13.3
    • MozillaFirefox-branding-SLE-60-4.5.3
    • MozillaFirefox-debuginfo-60.2.2-3.13.3
    • MozillaFirefox-debugsource-60.2.2-3.13.3
    • MozillaFirefox-translations-common-60.2.2-3.13.3
    • MozillaFirefox-translations-other-60.2.2-3.13.3
  • SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le x86_64):
    • MozillaFirefox-devel-60.2.2-3.13.3
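
After applying the patch, the installed packages can be compared against the fixed versions in the Package List above. The following script is an added example, not part of the SUSE advisory; the function names and the sample input are constructed, and `sort -V` is assumed as an approximation of rpm's version comparison.

```shell
#!/bin/sh
# Fixed versions copied from the advisory's Package List (name, version-release).
FIXED='MozillaFirefox 60.2.2-3.13.3
MozillaFirefox-branding-SLE 60-4.5.3
MozillaFirefox-translations-common 60.2.2-3.13.3
MozillaFirefox-translations-other 60.2.2-3.13.3'

# ver_ge A B: succeed when A >= B. Uses sort -V (GNU coreutils) as an
# approximation of rpm's own comparison; adequate for these purely
# numeric version-release strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_fixed: read "name version-release" lines on stdin and print one
# status line per package named in the advisory. Returns 1 if any of
# them is older than the fixed version.
check_fixed() {
    rc=0
    while read -r name evr; do
        want=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue    # package not covered by this advisory
        if ver_ge "$evr" "$want"; then
            echo "OK       $name $evr"
        else
            echo "OUTDATED $name $evr (fixed in $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not real host data). On a real system feed it with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'MozillaFirefox*' | check_fixed
SAMPLE='MozillaFirefox 60.2.0-3.10.1
MozillaFirefox-branding-SLE 60-4.5.3
MozillaFirefox-translations-common 60.2.2-3.13.3
zypper 1.0-1'

printf '%s\n' "$SAMPLE" | check_fixed || echo "at least one package still needs the update"
```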