SUSE-SU-2025:21021-1

Fixed: Various security fixes (MFSA 2025-88 bsc#1253188):
- CVE-2025-13012 Race condition in the Graphics component
- CVE-2025-13016 Incorrect boundary conditions in the JavaScript: WebAssembly component
- CVE-2025-13017 Same-origin policy bypass in the DOM: Notifications component
- CVE-2025-13018 Mitigation bypass in the DOM: Security component
- CVE-2025-13019 Same-origin policy bypass in the DOM: Workers component
- CVE-2025-13013 Mitigation bypass in the DOM: Core & HTML component
- CVE-2025-13020 Use-after-free in the WebRTC: Audio/Video component
- CVE-2025-13014 Use-after-free in the Audio/Video component
- CVE-2025-13015 Spoofing issue in Firefox
Firefox Extended Support Release 140.4.0 ESR
- Fixed: Various security fixes. MFSA 2025-83 (bsc#1251263)
- CVE-2025-11708 Use-after-free in MediaTrackGraphImpl::GetInstance()
- CVE-2025-11709 Out of bounds read/write in a privileged process triggered by WebGL textures
- CVE-2025-11710 Cross-process information leaked due to malicious IPC messages
- CVE-2025-11711 Some non-writable Object properties could be modified
- CVE-2025-11712 An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
- CVE-2025-11713 Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-11714 Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
- CVE-2025-11715 Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144
Firefox Extended Support Release 140.3.1 ESR (bsc#1250452)
- Fixed: Improved reliability when HTTP/3 connections fail: Firefox no longer forces HTTP/2 during fallback, allowing the server to choose the protocol and preventing stalls on some sites.

Firefox Extended Support Release 140.3.0 ESR

Fixed: Various security fixes (MFSA 2025-75 bsc#1249391)
- CVE-2025-10527 Sandbox escape due to use-after-free in the Graphics: Canvas2D component
- CVE-2025-10528 Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
- CVE-2025-10529 Same-origin policy bypass in the Layout component
- CVE-2025-10532 Incorrect boundary conditions in the JavaScript: GC component
- CVE-2025-10533 Integer overflow in the SVG component
- CVE-2025-10536 Information disclosure in the Networking: Cache component
- CVE-2025-10537 Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

References

Affected packages

SUSE:Linux Enterprise Server 16.0 / MozillaFirefox

Package

Name: MozillaFirefox
Purl: pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

140.5.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox-translations-common": "140.5.0-160000.1.1",
            "MozillaFirefox": "140.5.0-160000.1.1",
            "MozillaFirefox-devel": "140.5.0-160000.1.1",
            "MozillaFirefox-translations-other": "140.5.0-160000.1.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:21021-1.json"

SUSE:Linux Enterprise Server for SAP applications 16.0 / MozillaFirefox

Package

Name: MozillaFirefox
Purl: pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

140.5.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox-translations-common": "140.5.0-160000.1.1",
            "MozillaFirefox": "140.5.0-160000.1.1",
            "MozillaFirefox-devel": "140.5.0-160000.1.1",
            "MozillaFirefox-translations-other": "140.5.0-160000.1.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:21021-1.json"