Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2018:3476-1
Rating:	important
References:	bsc#1094767 bsc#1107343 bsc#1109363 bsc#1109465 bsc#1110506 bsc#1110507
Cross-References:	CVE-2018-12383 CVE-2018-12385 CVE-2018-12386 CVE-2018-12387
CVSS scores:	CVE-2018-12383 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-12385 ( SUSE ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2018-12385 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-12386 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12386 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-12387 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-12387 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected Products:	Desktop Applications Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has two security fixes can now be installed.

Description:

This update for MozillaFirefox to 60.2.2ESR fixes the following issues:

Security issues fixed:

MFSA 2018-24:

• CVE-2018-12386: A Type confusion in JavaScript allowed remote code execution (bsc#1110506)
• CVE-2018-12387: Array.prototype.push stack pointer vulnerability may have enabled exploits in the sandboxed content process (bsc#1110507)

MFSA 2018-23:

• CVE-2018-12385: Fixed a crash in TransportSecurityInfo due to cached data (bsc#1109363)
• CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)

Non security issues fixed:

• Avoid undefined behavior in IPC fd-passing code (bsc#1094767)
• Fixed a startup crash affecting users migrating from older ESR releases
• Clean up old NSS DB files after upgrading
• Fixed an endianness problem in bindgen's handling of bitfields, which was causing Firefox to crash on startup on big-endian machines. Also, updates the cc crate, which was buggy in the version that was originally vendored in. (bsc#1109465)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2018-2482=1

Package List:

• Desktop Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-translations-common-60.2.2-3.13.3
  • MozillaFirefox-debuginfo-60.2.2-3.13.3
  • MozillaFirefox-60.2.2-3.13.3
  • MozillaFirefox-debugsource-60.2.2-3.13.3
  • MozillaFirefox-branding-SLE-60-4.5.3
  • MozillaFirefox-translations-other-60.2.2-3.13.3
• Desktop Applications Module 15 (aarch64 ppc64le x86_64)
  • MozillaFirefox-devel-60.2.2-3.13.3

References:

• https://www.suse.com/security/cve/CVE-2018-12383.html
• https://www.suse.com/security/cve/CVE-2018-12385.html
• https://www.suse.com/security/cve/CVE-2018-12386.html
• https://www.suse.com/security/cve/CVE-2018-12387.html
• https://bugzilla.suse.com/show_bug.cgi?id=1094767
• https://bugzilla.suse.com/show_bug.cgi?id=1107343
• https://bugzilla.suse.com/show_bug.cgi?id=1109363
• https://bugzilla.suse.com/show_bug.cgi?id=1109465
• https://bugzilla.suse.com/show_bug.cgi?id=1110506
• https://bugzilla.suse.com/show_bug.cgi?id=1110507