SUSE-SU-2018:2890-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20182890-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:2890-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:2890-1
Related
Published
2018-09-27T10:04:13Z
Modified
2018-09-27T10:04:13Z
Summary
Security update for MozillaFirefox
Details

This update for MozillaFirefox to ESR 60.2 fixes several issues.

These general changes are part of the version 60 release.

  • New browser engine with speed improvements
  • Redesigned graphical user interface elements
  • Unified address and search bar for new installations
  • New tab page listing top visited, recently visited and recommended pages
  • Support for configuration policies in enterprise deployments via JSON files
  • Support for Web Authentication, allowing the use of USB tokens for authentication to web sites

The following changes affect compatibility:

  • Now exclusively supports extensions built using the WebExtension API.
  • Unsupported legacy extensions will no longer work in Firefox 60 ESR
  • TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted. The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate trust in those certificates.

The following issues affect performance:

  • New format for storing private keys, certificates and certificate trust. If the user home or data directory is on a network file system, it is recommended that users set the following environment variable to avoid slowdowns: NSS_SDB_USE_CACHE=yes. This setting is not recommended for local, fast file systems.

These security issues were fixed:

  • CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
  • CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
  • CVE-2018-12376: Various memory safety bugs (bsc#1107343).
  • CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
  • CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
  • CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
References

Affected packages

SUSE:Linux Enterprise Module for Desktop Applications 15 / MozillaFirefox

Package

Name
MozillaFirefox
Purl
pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
60.2.0-3.10.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "60.2.0-3.10.1",
            "MozillaFirefox-translations-common": "60.2.0-3.10.1",
            "MozillaFirefox-devel": "60.2.0-3.10.1",
            "MozillaFirefox-translations-other": "60.2.0-3.10.1",
            "MozillaFirefox-branding-SLE": "60-4.3.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Desktop Applications 15 / MozillaFirefox-branding-SLE

Package

Name
MozillaFirefox-branding-SLE
Purl
pkg:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
60-4.3.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "60.2.0-3.10.1",
            "MozillaFirefox-translations-common": "60.2.0-3.10.1",
            "MozillaFirefox-devel": "60.2.0-3.10.1",
            "MozillaFirefox-translations-other": "60.2.0-3.10.1",
            "MozillaFirefox-branding-SLE": "60-4.3.1"
        }
    ]
}