Security update for MozillaFirefox, MozillaFirefox-branding-SLE

Announcement ID:	SUSE-SU-2019:2871-1
Rating:	important
References:	bsc#1104841 bsc#1129528 bsc#1137990 bsc#1149429 bsc#1151186 bsc#1153423 bsc#1153869 bsc#1154738
Cross-References:	CVE-2019-11757 CVE-2019-11758 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903
CVSS scores:	CVE-2019-11757 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11758 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11759 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11760 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-11761 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2019-11762 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11763 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-11764 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2019-15903 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15903 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15903 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Desktop Applications Module 15-SP1 Desktop Applications Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves nine vulnerabilities can now be installed.

Description:

This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues:

Changes in MozillaFirefox:

Security issues fixed:

• CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
• CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
• CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
• CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
• CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
• CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
• CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
• CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
• CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).

Non-security issues fixed:

• Added Provides-line for translations-common (bsc#1153423) .
• Moved some settings from branding-package here (bsc#1153869).
• Disabled DoH by default.

Changes in MozillaFirefox-branding-SLE:

• Moved extensions preferences to core package (bsc#1153869).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2871=1
• Desktop Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2871=1

Package List:

• Desktop Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-translations-other-68.2.0-3.59.1
  • MozillaFirefox-debuginfo-68.2.0-3.59.1
  • MozillaFirefox-devel-68.2.0-3.59.1
  • MozillaFirefox-branding-SLE-68-4.11.2
  • MozillaFirefox-debugsource-68.2.0-3.59.1
  • MozillaFirefox-68.2.0-3.59.1
  • MozillaFirefox-translations-common-68.2.0-3.59.1
• Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-translations-other-68.2.0-3.59.1
  • MozillaFirefox-debuginfo-68.2.0-3.59.1
  • MozillaFirefox-branding-SLE-68-4.11.2
  • MozillaFirefox-debugsource-68.2.0-3.59.1
  • MozillaFirefox-68.2.0-3.59.1
  • MozillaFirefox-translations-common-68.2.0-3.59.1
• Desktop Applications Module 15-SP1 (aarch64 ppc64le x86_64)
  • MozillaFirefox-devel-68.2.0-3.59.1

References:

• https://www.suse.com/security/cve/CVE-2019-11757.html
• https://www.suse.com/security/cve/CVE-2019-11758.html
• https://www.suse.com/security/cve/CVE-2019-11759.html
• https://www.suse.com/security/cve/CVE-2019-11760.html
• https://www.suse.com/security/cve/CVE-2019-11761.html
• https://www.suse.com/security/cve/CVE-2019-11762.html
• https://www.suse.com/security/cve/CVE-2019-11763.html
• https://www.suse.com/security/cve/CVE-2019-11764.html
• https://www.suse.com/security/cve/CVE-2019-15903.html
• https://bugzilla.suse.com/show_bug.cgi?id=1104841
• https://bugzilla.suse.com/show_bug.cgi?id=1129528
• https://bugzilla.suse.com/show_bug.cgi?id=1137990
• https://bugzilla.suse.com/show_bug.cgi?id=1149429
• https://bugzilla.suse.com/show_bug.cgi?id=1151186
• https://bugzilla.suse.com/show_bug.cgi?id=1153423
• https://bugzilla.suse.com/show_bug.cgi?id=1153869
• https://bugzilla.suse.com/show_bug.cgi?id=1154738