Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3027-1 Final 1 1 2017-11-16T19:49:22Z current 2017-11-16T19:49:22Z 2017-11-16T19:49:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox MozillaFirefox was updated to 52.5.0esr (boo#1068101) MFSA 2017-25 * CVE-2017-7828: Fixed a use-after-free of PressShell while restyling layout * CVE-2017-7830: Cross-origin URL information leak through Resource Timing API * CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5 Also fixed: - Correct plugin directory for aarch64 (boo#1061207). The wrapper script was not detecting aarch64 as a 64 bit architecture, thus used /usr/lib/browser-plugins/. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00028.html E-Mail link for openSUSE-SU-2017:3027-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 MozillaFirefox-52.5.0-66.1 MozillaFirefox-branding-upstream-52.5.0-66.1 MozillaFirefox-buildsymbols-52.5.0-66.1 MozillaFirefox-devel-52.5.0-66.1 MozillaFirefox-translations-common-52.5.0-66.1 MozillaFirefox-translations-other-52.5.0-66.1 MozillaFirefox-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-branding-upstream-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-buildsymbols-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-devel-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-translations-common-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-translations-other-52.5.0-66.1 as a component of openSUSE Leap 42.2 MozillaFirefox-52.5.0-66.1 as a component of openSUSE Leap 42.3 MozillaFirefox-branding-upstream-52.5.0-66.1 as a component of openSUSE Leap 42.3 MozillaFirefox-buildsymbols-52.5.0-66.1 as a component of openSUSE Leap 42.3 MozillaFirefox-devel-52.5.0-66.1 as a component of openSUSE Leap 42.3 MozillaFirefox-translations-common-52.5.0-66.1 as a component of openSUSE Leap 42.3 MozillaFirefox-translations-other-52.5.0-66.1 as a component of openSUSE Leap 42.3 Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7826 openSUSE Leap 42.2:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-other-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-52.5.0-66.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00028.html https://www.suse.com/security/cve/CVE-2017-7826.html CVE-2017-7826 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7828 openSUSE Leap 42.2:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-other-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-52.5.0-66.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00028.html https://www.suse.com/security/cve/CVE-2017-7828.html CVE-2017-7828 https://bugzilla.suse.com/1068101 SUSE Bug 1068101 The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. CVE-2017-7830 openSUSE Leap 42.2:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.2:MozillaFirefox-translations-other-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-devel-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-52.5.0-66.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-52.5.0-66.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00028.html https://www.suse.com/security/cve/CVE-2017-7830.html CVE-2017-7830 https://bugzilla.suse.com/1068101 SUSE Bug 1068101