Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2024:2876-1
Rating:	important
References:	bsc#1226316 bsc#1228648
Cross-References:	CVE-2024-6600 CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6605 CVE-2024-6606 CVE-2024-6607 CVE-2024-6608 CVE-2024-6609 CVE-2024-6610 CVE-2024-6611 CVE-2024-6612 CVE-2024-6613 CVE-2024-6614 CVE-2024-6615 CVE-2024-7518 CVE-2024-7519 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529 CVE-2024-7531
CVSS scores:	CVE-2024-6600 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2024-6601 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2024-6602 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L CVE-2024-6603 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVE-2024-6604 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-6605 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2024-6606 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L CVE-2024-6607 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2024-6608 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2024-6609 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L CVE-2024-6610 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L CVE-2024-6611 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-6612 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2024-6614 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2024-6615 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7518 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2024-7519 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7520 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7521 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7522 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L CVE-2024-7524 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7525 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2024-7526 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L CVE-2024-7527 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7528 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-7529 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2024-7531 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves 28 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

Update to Firefox Extended Support Release 128.1.0 ESR (MFSA 2024-35, bsc#1228648)

• CVE-2024-7518: Fullscreen notification dialog can be obscured by document
• CVE-2024-7519: Out of bounds memory access in graphics shared memory handling
• CVE-2024-7520: Type confusion in WebAssembly
• CVE-2024-7521: Incomplete WebAssembly exception handing
• CVE-2024-7522: Out of bounds read in editor component
• CVE-2024-7524: CSP strict-dynamic bypass using web-compatibility shims
• CVE-2024-7525: Missing permission check when creating a StreamFilter
• CVE-2024-7526: Uninitialized memory used by WebGL
• CVE-2024-7527: Use-after-free in JavaScript garbage collection
• CVE-2024-7528: Use-after-free in IndexedDB
• CVE-2024-7529: Document content could partially obscure security prompts
• CVE-2024-7531: PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-2876=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2876=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2876=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-2876=1

Package List:

• SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-debugsource-128.1.0-112.221.1
  • MozillaFirefox-debuginfo-128.1.0-112.221.1
• SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch)
  • MozillaFirefox-devel-128.1.0-112.221.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  • MozillaFirefox-translations-common-128.1.0-112.221.1
  • MozillaFirefox-debugsource-128.1.0-112.221.1
  • MozillaFirefox-debuginfo-128.1.0-112.221.1
  • MozillaFirefox-128.1.0-112.221.1
  • MozillaFirefox-branding-SLE-128-35.15.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
  • MozillaFirefox-devel-128.1.0-112.221.1
• SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-translations-common-128.1.0-112.221.1
  • MozillaFirefox-debugsource-128.1.0-112.221.1
  • MozillaFirefox-debuginfo-128.1.0-112.221.1
  • MozillaFirefox-128.1.0-112.221.1
  • MozillaFirefox-branding-SLE-128-35.15.1
• SUSE Linux Enterprise Server 12 SP5 (noarch)
  • MozillaFirefox-devel-128.1.0-112.221.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • MozillaFirefox-translations-common-128.1.0-112.221.1
  • MozillaFirefox-debugsource-128.1.0-112.221.1
  • MozillaFirefox-debuginfo-128.1.0-112.221.1
  • MozillaFirefox-128.1.0-112.221.1
  • MozillaFirefox-branding-SLE-128-35.15.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  • MozillaFirefox-devel-128.1.0-112.221.1

References:

• https://www.suse.com/security/cve/CVE-2024-6600.html
• https://www.suse.com/security/cve/CVE-2024-6601.html
• https://www.suse.com/security/cve/CVE-2024-6602.html
• https://www.suse.com/security/cve/CVE-2024-6603.html
• https://www.suse.com/security/cve/CVE-2024-6604.html
• https://www.suse.com/security/cve/CVE-2024-6605.html
• https://www.suse.com/security/cve/CVE-2024-6606.html
• https://www.suse.com/security/cve/CVE-2024-6607.html
• https://www.suse.com/security/cve/CVE-2024-6608.html
• https://www.suse.com/security/cve/CVE-2024-6609.html
• https://www.suse.com/security/cve/CVE-2024-6610.html
• https://www.suse.com/security/cve/CVE-2024-6611.html
• https://www.suse.com/security/cve/CVE-2024-6612.html
• https://www.suse.com/security/cve/CVE-2024-6613.html
• https://www.suse.com/security/cve/CVE-2024-6614.html
• https://www.suse.com/security/cve/CVE-2024-6615.html
• https://www.suse.com/security/cve/CVE-2024-7518.html
• https://www.suse.com/security/cve/CVE-2024-7519.html
• https://www.suse.com/security/cve/CVE-2024-7520.html
• https://www.suse.com/security/cve/CVE-2024-7521.html
• https://www.suse.com/security/cve/CVE-2024-7522.html
• https://www.suse.com/security/cve/CVE-2024-7524.html
• https://www.suse.com/security/cve/CVE-2024-7525.html
• https://www.suse.com/security/cve/CVE-2024-7526.html
• https://www.suse.com/security/cve/CVE-2024-7527.html
• https://www.suse.com/security/cve/CVE-2024-7528.html
• https://www.suse.com/security/cve/CVE-2024-7529.html
• https://www.suse.com/security/cve/CVE-2024-7531.html
• https://bugzilla.suse.com/show_bug.cgi?id=1226316
• https://bugzilla.suse.com/show_bug.cgi?id=1228648