Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2674-1 Final 1 1 2018-09-08T07:21:24Z current 2018-09-08T07:21:24Z 2018-09-08T07:21:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox This update to Mozilla Firefox 60.2.0esr fixes the following issues: Security issues fixed (MFSA 2018-21, boo#1107343): - CVE-2018-12377: Use-after-free in refresh driver timers - CVE-2018-12378: Use-after-free in IndexedDB - CVE-2017-16541: Proxy bypass using automount and autofs (boo#1066489) - CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html E-Mail link for openSUSE-SU-2018:2674-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 MozillaFirefox-60.2.0-109.1 MozillaFirefox-branding-upstream-60.2.0-109.1 MozillaFirefox-buildsymbols-60.2.0-109.1 MozillaFirefox-devel-60.2.0-109.1 MozillaFirefox-translations-common-60.2.0-109.1 MozillaFirefox-translations-other-60.2.0-109.1 MozillaFirefox-60.2.0-109.1 as a component of openSUSE Leap 42.3 MozillaFirefox-branding-upstream-60.2.0-109.1 as a component of openSUSE Leap 42.3 MozillaFirefox-buildsymbols-60.2.0-109.1 as a component of openSUSE Leap 42.3 MozillaFirefox-devel-60.2.0-109.1 as a component of openSUSE Leap 42.3 MozillaFirefox-translations-common-60.2.0-109.1 as a component of openSUSE Leap 42.3 MozillaFirefox-translations-other-60.2.0-109.1 as a component of openSUSE Leap 42.3 Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected. CVE-2017-16541 openSUSE Leap 42.3:MozillaFirefox-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-devel-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-60.2.0-109.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html https://www.suse.com/security/cve/CVE-2017-16541.html CVE-2017-16541 https://bugzilla.suse.com/1066489 SUSE Bug 1066489 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12376 openSUSE Leap 42.3:MozillaFirefox-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-devel-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-60.2.0-109.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html https://www.suse.com/security/cve/CVE-2018-12376.html CVE-2018-12376 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12377 openSUSE Leap 42.3:MozillaFirefox-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-devel-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-60.2.0-109.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html https://www.suse.com/security/cve/CVE-2018-12377.html CVE-2018-12377 https://bugzilla.suse.com/1107343 SUSE Bug 1107343 A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1. CVE-2018-12378 openSUSE Leap 42.3:MozillaFirefox-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-branding-upstream-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-buildsymbols-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-devel-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-common-60.2.0-109.1 openSUSE Leap 42.3:MozillaFirefox-translations-other-60.2.0-109.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00020.html https://www.suse.com/security/cve/CVE-2018-12378.html CVE-2018-12378 https://bugzilla.suse.com/1107343 SUSE Bug 1107343