Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2020:0383-1
Rating:	important
References:	bsc#1163368
Cross-References:	CVE-2020-6796 CVE-2020-6797 CVE-2020-6798 CVE-2020-6799 CVE-2020-6800
CVSS scores:	CVE-2020-6796 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6796 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6797 ( SUSE ): 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2020-6797 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-6798 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2020-6798 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-6799 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6799 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6800 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-6800 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	Desktop Applications Module 15-SP1 Desktop Applications Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves five vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

• Firefox Extended Support Release 68.5.0 ESR
• Fixed: Various stability and security fixes
• Mozilla Firefox ESR68.5 MFSA 2020-06 (bsc#1163368)
• CVE-2020-6796 (bmo#1610426) Missing bounds check on shared memory read in the parent process
• CVE-2020-6797 (bmo#1596668) Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
• CVE-2020-6798 (bmo#1602944) Incorrect parsing of template tag could result in JavaScript injection
• CVE-2020-6799 (bmo#1606596) Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
• CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543, bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785) Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-383=1
• Desktop Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-383=1

Package List:

• Desktop Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-devel-68.5.0-3.72.1
  • MozillaFirefox-68.5.0-3.72.1
  • MozillaFirefox-translations-other-68.5.0-3.72.1
  • MozillaFirefox-debugsource-68.5.0-3.72.1
  • MozillaFirefox-translations-common-68.5.0-3.72.1
  • MozillaFirefox-debuginfo-68.5.0-3.72.1
• Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-68.5.0-3.72.1
  • MozillaFirefox-translations-other-68.5.0-3.72.1
  • MozillaFirefox-debugsource-68.5.0-3.72.1
  • MozillaFirefox-translations-common-68.5.0-3.72.1
  • MozillaFirefox-debuginfo-68.5.0-3.72.1
• Desktop Applications Module 15-SP1 (aarch64 ppc64le x86_64)
  • MozillaFirefox-devel-68.5.0-3.72.1

References:

• https://www.suse.com/security/cve/CVE-2020-6796.html
• https://www.suse.com/security/cve/CVE-2020-6797.html
• https://www.suse.com/security/cve/CVE-2020-6798.html
• https://www.suse.com/security/cve/CVE-2020-6799.html
• https://www.suse.com/security/cve/CVE-2020-6800.html
• https://bugzilla.suse.com/show_bug.cgi?id=1163368