Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2017:2589-1
Rating:	important
References:	bsc#1052829
Cross-References:	CVE-2017-7753 CVE-2017-7779 CVE-2017-7782 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792 CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803 CVE-2017-7804 CVE-2017-7807
CVSS scores:	CVE-2017-7753 ( SUSE ): 6.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2017-7753 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2017-7779 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7779 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7782 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2017-7784 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7784 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7785 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7785 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7786 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7786 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7787 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2017-7787 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-7791 ( SUSE ): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2017-7791 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2017-7792 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7792 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7798 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7798 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7800 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7800 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7801 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7801 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7802 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7802 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-7803 ( SUSE ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-7803 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2017-7804 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2017-7807 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-7807 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Linux Enterprise Software Development Kit 12 12-SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE OpenStack Cloud 6

An update that solves 16 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox to ESR 52.3 fixes several issues.

These security issues were fixed:

• CVE-2017-7807 Domain hijacking through AppCache fallback (bsc#1052829)
• CVE-2017-7791 Spoofing following page navigation with data: protocol and modal alerts (bsc#1052829)
• CVE-2017-7792 Buffer overflow viewing certificates with an extremely long OID (bsc#1052829)
• CVE-2017-7782 WindowsDllDetourPatcher allocates memory without DEP protections (bsc#1052829)
• CVE-2017-7787 Same-origin policy bypass with iframes through page reloads (bsc#1052829)
• CVE-2017-7786 Buffer overflow while painting non-displayable SVG (bsc#1052829)
• CVE-2017-7785 Buffer overflow manipulating ARIA attributes in DOM (bsc#1052829)
• CVE-2017-7784 Use-after-free with image observers (bsc#1052829)
• CVE-2017-7753 Out-of-bounds read with cached style data and pseudo-elements (bsc#1052829)
• CVE-2017-7798 XUL injection in the style editor in devtools (bsc#1052829)
• CVE-2017-7804 Memory protection bypass through WindowsDllDetourPatcher (bsc#1052829)
• CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 (bsc#1052829)
• CVE-2017-7800 Use-after-free in WebSockets during disconnection (bsc#1052829)
• CVE-2017-7801 Use-after-free with marquee during window resizing (bsc#1052829)
• CVE-2017-7802 Use-after-free resizing image elements (bsc#1052829)
• CVE-2017-7803 CSP containing 'sandbox' improperly applied (bsc#1052829)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 6
  zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1603=1
• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1603=1
• SUSE Linux Enterprise Desktop 12 SP3
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2017-1603=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1603=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1603=1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-1603=1
• SUSE Linux Enterprise Software Development Kit 12 SP3
  zypper in -t patch SUSE-SLE-SDK-12-SP3-2017-1603=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-1603=1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1603=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1603=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1603=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1603=1
• SUSE Linux Enterprise Server 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1603=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1603=1
• SUSE Linux Enterprise High Performance Computing 12 SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1603=1

Package List:

• SUSE OpenStack Cloud 6 (x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Desktop 12 SP3 (x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Software Development Kit 12 SP3 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-devel-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server 12 SP3 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1
• SUSE Linux Enterprise High Performance Computing 12 SP3 (aarch64 x86_64)
  • MozillaFirefox-debuginfo-52.3.0esr-109.3.1
  • MozillaFirefox-translations-52.3.0esr-109.3.1
  • MozillaFirefox-52.3.0esr-109.3.1
  • MozillaFirefox-debugsource-52.3.0esr-109.3.1

References:

• https://www.suse.com/security/cve/CVE-2017-7753.html
• https://www.suse.com/security/cve/CVE-2017-7779.html
• https://www.suse.com/security/cve/CVE-2017-7782.html
• https://www.suse.com/security/cve/CVE-2017-7784.html
• https://www.suse.com/security/cve/CVE-2017-7785.html
• https://www.suse.com/security/cve/CVE-2017-7786.html
• https://www.suse.com/security/cve/CVE-2017-7787.html
• https://www.suse.com/security/cve/CVE-2017-7791.html
• https://www.suse.com/security/cve/CVE-2017-7792.html
• https://www.suse.com/security/cve/CVE-2017-7798.html
• https://www.suse.com/security/cve/CVE-2017-7800.html
• https://www.suse.com/security/cve/CVE-2017-7801.html
• https://www.suse.com/security/cve/CVE-2017-7802.html
• https://www.suse.com/security/cve/CVE-2017-7803.html
• https://www.suse.com/security/cve/CVE-2017-7804.html
• https://www.suse.com/security/cve/CVE-2017-7807.html
• https://bugzilla.suse.com/show_bug.cgi?id=1052829