Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2025:02531-1
Release Date:	2025-07-28T06:04:37Z
Rating:	important
References:	bsc#1246664
Cross-References:	CVE-2025-8027 CVE-2025-8028 CVE-2025-8029 CVE-2025-8030 CVE-2025-8031 CVE-2025-8032 CVE-2025-8033 CVE-2025-8034 CVE-2025-8035 CVE-2025-8036 CVE-2025-8037 CVE-2025-8038 CVE-2025-8039 CVE-2025-8040
CVSS scores:	CVE-2025-8027 ( SUSE ): 7.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-8027 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L CVE-2025-8027 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-8028 ( SUSE ): 7.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-8028 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L CVE-2025-8028 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-8029 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-8029 ( SUSE ): 5.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-8029 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8030 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-8030 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-8030 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8031 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-8031 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-8031 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-8032 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-8032 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-8032 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8033 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-8033 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-8033 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-8034 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-8034 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-8034 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-8035 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-8035 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-8035 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-8036 ( SUSE ): 7.4 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2025-8036 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8036 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8037 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-8037 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-8037 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2025-8038 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-8038 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2025-8038 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-8039 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-8039 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2025-8039 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-8040 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-8040 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-8040 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

• Firefox Extended Support Release 140.1.0 ESR
• MFSA-RESERVE-2025-1968423 (bmo#1968423) JavaScript engine only wrote partial return value to stack
• MFSA-RESERVE-2025-1971581 (bmo#1971581) Large branch table could lead to truncated instruction
• MFSA-RESERVE-2025-1928021 (bmo#1928021) CSP does not block javascript: URLs on object and embed tags
• MFSA-RESERVE-2025-1960834 (bmo#1960834) DNS rebinding circumvents CORS
• MFSA-RESERVE-2025-1964767 (bmo#1964767) Nameless cookies shadow secure cookies
• MFSA-RESERVE-2025-1968414 (bmo#1968414) Potential user-assisted code execution in “Copy as cURL” command
• MFSA-RESERVE-2025-1971719 (bmo#1971719) Incorrect URL stripping in CSP reports
• MFSA-RESERVE-2025-1974407 (bmo#1974407) XSLT documents could by-pass CSP
• MFSA-RESERVE-2025-1808979 (bmo#1808979) CSP frame-src was not correctly enforced for paths
• MFSA-RESERVE-2025-1970997 (bmo#1970997) Search terms persist in URL bar
• MFSA-RESERVE-2025-1973990 (bmo#1973990) Incorrect JavaScript state machine for generators
• MFSA-RESERVE-2025-1 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422) Memory safety bugs fixed in Firefox ESR 115.26, Thunderbird ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
• MFSA-RESERVE-2025-2 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998) Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
• MFSA-RESERVE-2025-3 (bmo#1975961, bmo#1975961, bmo#1975961) Memory safety bugs fixed in Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Various security fixes MFSA 2025-59 (bsc#1246664): - CVE-2025-8027: JavaScript engine only wrote partial return value to stack - CVE-2025-8028: Large branch table could lead to truncated instruction - CVE-2025-8029: javascript: URLs executed on object and embed tags - CVE-2025-8036: DNS rebinding circumvents CORS - CVE-2025-8037: Nameless cookies shadow secure cookies - CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command - CVE-2025-8031: Incorrect URL stripping in CSP reports - CVE-2025-8032: XSLT documents could bypass CSP - CVE-2025-8038: CSP frame-src was not correctly enforced for paths - CVE-2025-8039: Search terms persisted in URL bar - CVE-2025-8033: Incorrect JavaScript state machine for generators - CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2531=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2531=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-debugsource-140.1.0-112.273.1
  • MozillaFirefox-translations-common-140.1.0-112.273.1
  • MozillaFirefox-debuginfo-140.1.0-112.273.1
  • MozillaFirefox-140.1.0-112.273.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  • MozillaFirefox-devel-140.1.0-112.273.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • MozillaFirefox-debugsource-140.1.0-112.273.1
  • MozillaFirefox-translations-common-140.1.0-112.273.1
  • MozillaFirefox-debuginfo-140.1.0-112.273.1
  • MozillaFirefox-140.1.0-112.273.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • MozillaFirefox-devel-140.1.0-112.273.1

References:

• https://www.suse.com/security/cve/CVE-2025-8027.html
• https://www.suse.com/security/cve/CVE-2025-8028.html
• https://www.suse.com/security/cve/CVE-2025-8029.html
• https://www.suse.com/security/cve/CVE-2025-8030.html
• https://www.suse.com/security/cve/CVE-2025-8031.html
• https://www.suse.com/security/cve/CVE-2025-8032.html
• https://www.suse.com/security/cve/CVE-2025-8033.html
• https://www.suse.com/security/cve/CVE-2025-8034.html
• https://www.suse.com/security/cve/CVE-2025-8035.html
• https://www.suse.com/security/cve/CVE-2025-8036.html
• https://www.suse.com/security/cve/CVE-2025-8037.html
• https://www.suse.com/security/cve/CVE-2025-8038.html
• https://www.suse.com/security/cve/CVE-2025-8039.html
• https://www.suse.com/security/cve/CVE-2025-8040.html
• https://bugzilla.suse.com/show_bug.cgi?id=1246664