Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2019:1405-1
Rating:	important
References:	bsc#1135824
Cross-References:	CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11694 CVE-2019-11698 CVE-2019-7317 CVE-2019-9800 CVE-2019-9815 CVE-2019-9816 CVE-2019-9817 CVE-2019-9818 CVE-2019-9819 CVE-2019-9820
CVSS scores:	CVE-2019-11691 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11691 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11692 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11692 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11693 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11693 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11694 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11694 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-11698 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11698 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-7317 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-7317 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-7317 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-9800 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9800 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-9815 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-9816 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9816 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-9817 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9817 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-9818 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9818 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-9819 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9819 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-9820 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-9820 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Desktop Applications Module 15-SP1 Desktop Applications Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves 13 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

Security issues fixed:

• CVE-2019-11691: Use-after-free in XMLHttpRequest
• CVE-2019-11692: Use-after-free removing listeners in the event listener manager
• CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
• CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
• CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
• CVE-2019-7317: Use-after-free in png_image_free of libpng library
• CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
• CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
• CVE-2019-9816: Type confusion with object groups and UnboxedObjects
• CVE-2019-9817: Stealing of cross-domain images using canvas
• CVE-2019-9818: Use-after-free in crash generation server
• CVE-2019-9819: Compartment mismatch with fetch API
• CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell

Non-security issues fixed:

• Font and date adjustments to accommodate the new Reiwa era in Japan
• Update to Firefox ESR 60.7 (bsc#1135824)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-1405=1
• Desktop Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-1405=1

Package List:

• Desktop Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-devel-60.7.0-3.40.6
  • MozillaFirefox-60.7.0-3.40.6
  • MozillaFirefox-debuginfo-60.7.0-3.40.6
  • MozillaFirefox-debugsource-60.7.0-3.40.6
  • MozillaFirefox-translations-common-60.7.0-3.40.6
  • MozillaFirefox-translations-other-60.7.0-3.40.6
• Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-60.7.0-3.40.6
  • MozillaFirefox-debuginfo-60.7.0-3.40.6
  • MozillaFirefox-debugsource-60.7.0-3.40.6
  • MozillaFirefox-translations-common-60.7.0-3.40.6
  • MozillaFirefox-translations-other-60.7.0-3.40.6
• Desktop Applications Module 15-SP1 (aarch64 ppc64le x86_64)
  • MozillaFirefox-devel-60.7.0-3.40.6

References:

• https://www.suse.com/security/cve/CVE-2019-11691.html
• https://www.suse.com/security/cve/CVE-2019-11692.html
• https://www.suse.com/security/cve/CVE-2019-11693.html
• https://www.suse.com/security/cve/CVE-2019-11694.html
• https://www.suse.com/security/cve/CVE-2019-11698.html
• https://www.suse.com/security/cve/CVE-2019-7317.html
• https://www.suse.com/security/cve/CVE-2019-9800.html
• https://www.suse.com/security/cve/CVE-2019-9815.html
• https://www.suse.com/security/cve/CVE-2019-9816.html
• https://www.suse.com/security/cve/CVE-2019-9817.html
• https://www.suse.com/security/cve/CVE-2019-9818.html
• https://www.suse.com/security/cve/CVE-2019-9819.html
• https://www.suse.com/security/cve/CVE-2019-9820.html
• https://bugzilla.suse.com/show_bug.cgi?id=1135824