SUSE-SU-2022:3273-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:3273-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2022:3273-1
- Related
- Published
- 2022-09-14T04:48:57Z
- Modified
- 2022-09-14T04:48:57Z
- Summary
- Security update for MozillaFirefox
- Details
-
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 102.2.0esr ESR:
Fixed: Various stability, functionality, and security fixes.
MFSA 2022-34 (bsc#1202645)
- CVE-2022-38472 (bmo#1769155) Address bar spoofing via XSLT error handling
- CVE-2022-38473 (bmo#1771685) Cross-origin XSLT Documents would have inherited the parent's permissions
- CVE-2022-38476 (bmo#1760998) Data race and potential use-after-free in PK11_ChangePW
- CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159, bmo#1773363) Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
- CVE-2022-38478 (bmo#1770630, bmo#1776658) Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13
Firefox Extended Support Release 102.1 ESR
Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-30 (bsc#1201758)
CVE-2022-36319 (bmo#1737722) Mouse Position spoofing with CSS transforms
- CVE-2022-36318 (bmo#1771774) Directory indexes for bundled resources reflected URL parameters
- CVE-2022-36314 (bmo#1773894) Opening local <code>.lnk</code> files could cause unexpected network loads
CVE-2022-2505 (bmo#1769739, bmo#1772824) Memory safety bugs fixed in Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
Fixed: Fixed bookmark shortcut creation by dragging to Windows File Explorer and dropping partially broken (bmo#1774683)
- Fixed: Fixed bookmarks sidebar flashing white when opened in dark mode (bmo#1776157)
- Fixed: Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bmo#1773802)
- Fixed: Developer tools: Fixed an issue where the console output keep getting scrolled to the bottom when the last visible message is an evaluation result (bmo#1776262)
- Fixed: Fixed Delete cookies and site data when Firefox is closed checkbox getting disabled on startup (bmo#1777419)
- Fixed: Various stability fixes
Firefox 102.0 ESR:
New:
- We now provide more secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
- For added viewing pleasure, full-range color levels are now supported for video playback on many systems.
- Find it easier now! Mac users can now access the macOS share options from the Firefox File menu.
- Voilà! Support for images containing ICC v4 profiles is enabled on macOS.
- Firefox now supports the new AVIF image format, which is based on the modern and royalty-free AV1 video codec. It offers significant bandwidth savings for sites compared to existing image formats. It also supports transparency and other advanced features.
- Firefox PDF viewer now supports filling more forms (e.g., XFA-based forms, used by multiple governments and banks). Learn more.
- When available system memory is critically low, Firefox on Windows will automatically unload tabs based on their last access time, memory usage, and other attributes. This helps to reduce Firefox out-of-memory crashes. Forgot something? Switching to an unloaded tab automatically reloads it.
- To prevent session loss for macOS users who are running Firefox from a mounted .dmg file, they’ll now be prompted to finish installation. Bear in mind, this permission prompt only appears the first time these users run Firefox on their computer.
- For your safety, Firefox now blocks downloads that rely on insecure connections, protecting against potentially malicious or unsafe downloads. Learn more and see where to find downloads in Firefox.
- Improved web compatibility for privacy protections with SmartBlock 3.0: In Private Browsing and Strict Tracking Protection, Firefox goes to great lengths to protect your web browsing activity from trackers. As part of this, the built- in content blocking will automatically block third-party scripts, images, and other content from being loaded from cross-site tracking companies reported by Disconnect. Learn more.
- Introducing a new referrer tracking protection in Strict Tracking Protection and Private Browsing. This feature prevents sites from unknowingly leaking private information to trackers. Learn more.
- Introducing Firefox Suggest, a feature that provides website suggestions as you type into the address bar. Learn more about this faster way to navigate the web and locale- specific features.
- Firefox macOS now uses Apple's low-power mode for fullscreen video on sites such as YouTube and Twitch. This meaningfully extends battery life in long viewing sessions. Now your kids can find out what the fox says on a loop without you ever missing a beat…
- With this release, power users can use about:unloads to release system resources by manually unloading tabs without closing them.
- On Windows, there will now be fewer interruptions because Firefox won’t prompt you for updates. Instead, a background agent will download and install updates even if Firefox is closed.
- On Linux, we’ve improved WebGL performance and reduced power consumption for many users.
- To better protect all Firefox users against side-channel attacks, such as Spectre, we introduced Site Isolation.
- Firefox no longer warns you by default when you exit the browser or close a window using a menu, button, or three-key command. This should cut back on unwelcome notifications, which is always nice—however, if you prefer a bit of notice, you’ll still have full control over the quit/close modal behavior. All warnings can be managed within Firefox Settings. No worries! More details here.
- Firefox supports the new Snap Layouts menus when running on Windows 11.
- RLBox—a new technology that hardens Firefox against potential security vulnerabilities in third-party libraries—is now enabled on all platforms.
- We’ve reduced CPU usage on macOS in Firefox and WindowServer during event processing.
- We’ve also reduced the power usage of software decoded video on macOS, especially in fullscreen. This includes streaming sites such as Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to the opposite side of the video. Simply look for the new context menu option Move Picture-in-Picture Toggle to Left (Right) Side.
- We’ve made significant improvements in noise suppression and auto-gain-control, as well as slight improvements in echo-cancellation to provide you with a better overall experience.
- We’ve also significantly reduced main-thread load.
- When printing, you can now choose to print only the odd/even pages.
- Firefox now supports and displays the new style of scrollbars on Windows 11.
- Firefox has a new optimized download flow. Instead of prompting every time, files will download automatically. However, they can still be opened from the downloads panel with just one click. Easy! More information
- Firefox no longer asks what to do for each file by default.
You won’t be prompted to choose a helper application or save
to disk before downloading a file unless you have changed
your download action setting for that type of file.
- Any files you download will be immediately saved on your disk. Depending on the current configuration, they’ll be saved in your preferred download folder, or you’ll be asked to select a location for each download. Windows and Linux users will find their downloaded files in the destination folder. They’ll no longer be put in the Temp folder.
- Firefox allows users to choose from a number of built-in search engines to set as their default. In this release, some users who had previously configured a default engine might notice their default search engine has changed since Mozilla was unable to secure formal permission to continue including certain search engines in Firefox.
- You can now toggle Narrate in ReaderMode with the keyboard shortcut 'n.'
- You can find added support for search—with or without diacritics—in the PDF viewer.
- The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
- Firefox now supports credit card autofill and capture in Germany, France, and the United Kingdom.
- We now support captions/subtitles display on YouTube, Prime Video, and Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles on the in-page video player, and they will appear in PiP.
- Picture-in-Picture now also supports video captions on websites that use Web Video Text Track (WebVTT) format (e.g., Coursera.org, Canadian Broadcasting Corporation, and many more).
- On the first run after install, Firefox detects when its language does not match the operating system language and offers the user a choice between the two languages.
- Firefox spell checking now checks spelling in multiple languages. To enable additional languages, select them in the text field’s context menu.
- HDR video is now supported in Firefox on Mac—starting with YouTube! Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy higher-fidelity video content. No need to manually flip any preferences to turn HDR video support on—just make sure battery preferences are NOT set to “optimize video streaming while on battery”.
- Hardware-accelerated AV1 video decoding is enabled on Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce 30). Installing the AV1 Video Extension from the Microsoft Store may also be required.
- Video overlay is enabled on Windows for Intel GPUs, reducing power usage during video playback.
- Improved fairness between painting and handling other events. This noticeably improves the performance of the volume slider on Twitch.
- Scrollbars on Linux and Windows 11 won't take space by default. On Linux, users can change this in Settings. On Windows, Firefox follows the system setting (System Settings > Accessibility > Visual Effects > Always show scrollbars).
- Firefox now ignores less restricted referrer policies—including unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin—for cross-site subresource/iframe requests to prevent privacy leaks from the referrer.
- Reading is now easier with the prefers-contrast media query, which allows sites to detect if the user has requested that web content is presented with a higher (or lower) contrast.
- All non-configured MIME types can now be assigned a custom action upon download completion.
- Firefox now allows users to use as many microphones as they want, at the same time, during video conferencing. The most exciting benefit is that you can easily switch your microphones at any time (if your conferencing service provider enables this flexibility).
Print preview has been updated.
Fixed: Various security fixes.
MFSA 2022-24 (bsc#1200793)
- CVE-2022-34479 (bmo#1745595) A popup window could be resized in a way to overlay the address bar with web content
- CVE-2022-34470 (bmo#1765951) Use-after-free in nsSHistory
- CVE-2022-34468 (bmo#1768537)
CSP sandbox header without
allow-scriptscan be bypassed via retargeted javascript: URI - CVE-2022-34482 (bmo#845880) Drag and drop of malicious image could have led to malicious executable and potential code execution
- CVE-2022-34483 (bmo#1335845) Drag and drop of malicious image could have led to malicious executable and potential code execution
- CVE-2022-34476 (bmo#1387919) ASN.1 parser could have been tricked into accepting malformed ASN.1
- CVE-2022-34481 (bmo#1483699, bmo#1497246) Potential integer overflow in ReplaceElementsAt
- CVE-2022-34474 (bmo#1677138) Sandboxed iframes could redirect to external schemes
- CVE-2022-34469 (bmo#1721220) TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android
- CVE-2022-34471 (bmo#1766047) Compromised server could trick a browser into an addon downgrade
- CVE-2022-34472 (bmo#1770123) Unavailable PAC file resulted in OCSP requests being blocked
- CVE-2022-34478 (bmo#1773717) Microsoft protocols can be attacked if a user accepts a prompt
- CVE-2022-2200 (bmo#1771381) Undesired attributes could be set as part of prototype pollution
- CVE-2022-34480 (bmo#1454072) Free of uninitialized pointer in lg_init
- CVE-2022-34477 (bmo#1731614) MediaError message property leaked information on cross- origin same-site pages
- CVE-2022-34475 (bmo#1757210) HTML Sanitizer could have been bypassed via same-origin script via use tags
- CVE-2022-34473 (bmo#1770888) HTML Sanitizer could have been bypassed via use tags
- CVE-2022-34484 (bmo#1763634, bmo#1772651) Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
- CVE-2022-34485 (bmo#1768409, bmo#1768578) Memory safety bugs fixed in Firefox 102
- References
-
- https://www.suse.com/support/update/announcement/2022/suse-su-20223273-1/
- https://bugzilla.suse.com/1200793
- https://bugzilla.suse.com/1201758
- https://bugzilla.suse.com/1202645
- https://www.suse.com/security/cve/CVE-2022-2200
- https://www.suse.com/security/cve/CVE-2022-2505
- https://www.suse.com/security/cve/CVE-2022-34468
- https://www.suse.com/security/cve/CVE-2022-34469
- https://www.suse.com/security/cve/CVE-2022-34470
- https://www.suse.com/security/cve/CVE-2022-34471
- https://www.suse.com/security/cve/CVE-2022-34472
- https://www.suse.com/security/cve/CVE-2022-34473
- https://www.suse.com/security/cve/CVE-2022-34474
- https://www.suse.com/security/cve/CVE-2022-34475
- https://www.suse.com/security/cve/CVE-2022-34476
- https://www.suse.com/security/cve/CVE-2022-34477
- https://www.suse.com/security/cve/CVE-2022-34478
- https://www.suse.com/security/cve/CVE-2022-34479
- https://www.suse.com/security/cve/CVE-2022-34480
- https://www.suse.com/security/cve/CVE-2022-34481
- https://www.suse.com/security/cve/CVE-2022-34482
- https://www.suse.com/security/cve/CVE-2022-34483
- https://www.suse.com/security/cve/CVE-2022-34484
- https://www.suse.com/security/cve/CVE-2022-34485
- https://www.suse.com/security/cve/CVE-2022-36314
- https://www.suse.com/security/cve/CVE-2022-36318
- https://www.suse.com/security/cve/CVE-2022-36319
- https://www.suse.com/security/cve/CVE-2022-38472
- https://www.suse.com/security/cve/CVE-2022-38473
- https://www.suse.com/security/cve/CVE-2022-38476
- https://www.suse.com/security/cve/CVE-2022-38477
- https://www.suse.com/security/cve/CVE-2022-38478
Affected packages
SUSE:OpenStack Cloud 9 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%209
SUSE:OpenStack Cloud 9 / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20OpenStack%20Cloud%209
SUSE:OpenStack Cloud Crowbar 9 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
SUSE:OpenStack Cloud Crowbar 9 / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
SUSE:Linux Enterprise Server for SAP Applications 12 SP4 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
SUSE:Linux Enterprise Server for SAP Applications 12 SP4 / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
SUSE:Linux Enterprise Software Development Kit 12 SP5 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
SUSE:Linux Enterprise Server 12 SP2-BCL / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
SUSE:Linux Enterprise Server 12 SP2-BCL / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
SUSE:Linux Enterprise Server 12 SP3-BCL / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL
SUSE:Linux Enterprise Server 12 SP3-BCL / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL
SUSE:Linux Enterprise Server 12 SP4-LTSS / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS
SUSE:Linux Enterprise Server 12 SP4-LTSS / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS
SUSE:Linux Enterprise Server 12 SP5 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
SUSE:Linux Enterprise Server 12 SP5 / MozillaFirefox-branding-SLE
Package
- Name
- MozillaFirefox-branding-SLE
- Purl
- purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
SUSE:Linux Enterprise Server for SAP Applications 12 SP5 / MozillaFirefox
Package
- Name
- MozillaFirefox
- Purl
- purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5