Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0211-1 Final 1 1 2024-01-24T13:13:54Z current 2024-01-24T13:13:54Z 2024-01-24T13:13:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 115.7.0 ESR (MFSA 2024-02) (bsc#1218955): - CVE-2024-0741: Out of bounds write in ANGLE - CVE-2024-0742: Failure to update user input timestamp - CVE-2024-0746: Crash when listing printers on Linux - CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set - CVE-2024-0749: Phishing site popup could show local origin in address bar - CVE-2024-0750: Potential permissions request bypass via clickjacking - CVE-2024-0751: Privilege escalation through devtools - CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain - CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2024-211,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2024-211,SUSE-2024-211,SUSE-SLE-SDK-12-SP5-2024-211,SUSE-SLE-SERVER-12-SP5-2024-211 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ Link for SUSE-SU-2024:0211-1 https://lists.suse.com/pipermail/sle-security-updates/2024-January/017748.html E-Mail link for SUSE-SU-2024:0211-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1218955 SUSE Bug 1218955 https://www.suse.com/security/cve/CVE-2024-0741/ SUSE CVE CVE-2024-0741 page https://www.suse.com/security/cve/CVE-2024-0742/ SUSE CVE CVE-2024-0742 page https://www.suse.com/security/cve/CVE-2024-0746/ SUSE CVE CVE-2024-0746 page https://www.suse.com/security/cve/CVE-2024-0747/ SUSE CVE CVE-2024-0747 page https://www.suse.com/security/cve/CVE-2024-0749/ SUSE CVE CVE-2024-0749 page https://www.suse.com/security/cve/CVE-2024-0750/ SUSE CVE CVE-2024-0750 page https://www.suse.com/security/cve/CVE-2024-0751/ SUSE CVE CVE-2024-0751 page https://www.suse.com/security/cve/CVE-2024-0753/ SUSE CVE CVE-2024-0753 page https://www.suse.com/security/cve/CVE-2024-0755/ SUSE CVE CVE-2024-0755 page Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 MozillaFirefox-115.7.0-112.197.1 MozillaFirefox-branding-upstream-115.7.0-112.197.1 MozillaFirefox-devel-115.7.0-112.197.1 MozillaFirefox-translations-common-115.7.0-112.197.1 MozillaFirefox-translations-other-115.7.0-112.197.1 MozillaFirefox-115.7.0-112.197.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production MozillaFirefox-115.7.0-112.197.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production MozillaFirefox-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server 12 SP5 MozillaFirefox-devel-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server 12 SP5 MozillaFirefox-translations-common-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server 12 SP5 MozillaFirefox-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 MozillaFirefox-devel-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 MozillaFirefox-translations-common-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 MozillaFirefox-devel-115.7.0-112.197.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0741 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0741.html CVE-2024-0741 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0742 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0742.html CVE-2024-0742 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0746 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0746.html CVE-2024-0746 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0747 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0747.html CVE-2024-0747 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7. CVE-2024-0749 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0749.html CVE-2024-0749 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0750 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0750.html CVE-2024-0750 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0751 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0751.html CVE-2024-0751 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0753 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0753.html CVE-2024-0753 https://bugzilla.suse.com/1218955 SUSE Bug 1218955 Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. CVE-2024-0755 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox-translations-common-115.7.0-112.197.1 SUSE Linux Enterprise Software Development Kit 12 SP5:MozillaFirefox-devel-115.7.0-112.197.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240211-1/ https://www.suse.com/security/cve/CVE-2024-0755.html CVE-2024-0755 https://bugzilla.suse.com/1218955 SUSE Bug 1218955