Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2020:3901-1
Rating:	critical
References:	bsc#1180039
Cross-References:	CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35112 CVE-2020-35113
CVSS scores:	CVE-2020-16042 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-16042 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2020-26971 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26971 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26973 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26973 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26974 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26974 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-26978 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-26978 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-35111 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-35111 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-35112 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-35112 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-35113 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-35113 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	Desktop Applications Module 15-SP2 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves eight vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

• Firefox Extended Support Release 78.6.0 ESR
• Fixed: Various stability, functionality, and security fixes MFSA 2020-55 (bsc#1180039)
• CVE-2020-16042 (bmo#1679003) Operations on a BigInt could have caused uninitialized memory to be exposed
• CVE-2020-26971 (bmo#1663466) Heap buffer overflow in WebGL
• CVE-2020-26973 (bmo#1680084) CSS Sanitizer performed incorrect sanitization
• CVE-2020-26974 (bmo#1681022) Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
• CVE-2020-26978 (bmo#1677047) Internal network hosts could have been probed by a malicious webpage
• CVE-2020-35111 (bmo#1657916) The proxy.onRequest API did not catch view-source URLs
• CVE-2020-35112 (bmo#1661365) Opening an extension-less download may have inadvertently launched an executable instead
• CVE-2020-35113 (bmo#1664831, bmo#1673589) Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-3901=1

Package List:

• Desktop Applications Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-debugsource-78.6.0-8.20.2
  • MozillaFirefox-translations-common-78.6.0-8.20.2
  • MozillaFirefox-78.6.0-8.20.2
  • MozillaFirefox-debuginfo-78.6.0-8.20.2
  • MozillaFirefox-translations-other-78.6.0-8.20.2
  • MozillaFirefox-devel-78.6.0-8.20.2

References:

• https://www.suse.com/security/cve/CVE-2020-16042.html
• https://www.suse.com/security/cve/CVE-2020-26971.html
• https://www.suse.com/security/cve/CVE-2020-26973.html
• https://www.suse.com/security/cve/CVE-2020-26974.html
• https://www.suse.com/security/cve/CVE-2020-26978.html
• https://www.suse.com/security/cve/CVE-2020-35111.html
• https://www.suse.com/security/cve/CVE-2020-35112.html
• https://www.suse.com/security/cve/CVE-2020-35113.html
• https://bugzilla.suse.com/show_bug.cgi?id=1180039