SUSE-SU-2019:14173-1

Source
https://www.suse.com/support/update/announcement/2019/suse-su-201914173-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2019:14173-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2019:14173-1
Related
Published
2019-09-17T14:03:15Z
Modified
2019-09-17T14:03:15Z
Summary
Security update for MozillaFirefox, firefox-glib2, firefox-gtk3
Details

This update for MozillaFirefox, firefox-glib2, firefox-gtk3 fixes the following issues:

Mozilla Firefox was updated to the 60.9.0esr release:

Security Advisory MFSA 2019-27:

  • Use-after-free while manipulating video CVE-2019-11746 (bmo#1564449, bsc#1149297)
  • XSS by breaking out of title and textarea elements using innerHTML CVE-2019-11744 (bmo#1562033, bsc#1149297)
  • Same-origin policy violation with SVG filters and canvas to steal cross-origin images CVE-2019-11742 (bmo#1559715, bsc#1149303)
  • Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location CVE-2019-11753 (bmo#1574980, bsc#1149295)
  • Use-after-free while extracting a key value in IndexedDB CVE-2019-11752 (bmo#1501152, bsc#1149296)
  • Sandbox escape through Firefox Sync CVE-2019-9812 (bmo#1538008, bmo#1538015, bsc#1149294)
  • Cross-origin access to unload event attributes (Navigation-Timing Level 2 specification) CVE-2019-11743 (bmo#1560495, bsc#1149298)
  • Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 CVE-2019-11740 (bmo#1563133, bmo#1573160, bsc#1149299)

  • Rebuild glib2 schemas on SLE-11 (bsc#1145550)

Changes in firefox-glib2:

  • Fix the rpm macros %glib2gsettingsschema_*, which were replaced with %nil in Factory because they are no longer needed there, but which SLE 11 still needs (bsc#1145550)

Changes in firefox-gtk3:

  • Rebuild so that %glib2gsettingsschemapost gets called with the fixed rpm macros %glib2gsettingsschema* from the firefox-glib2 package, which were replaced with %nil in Factory because they are no longer needed there, but which SLE 11 still needs (bsc#1145550)
References

Affected packages

SUSE:Linux Enterprise Server 11 SP4-LTSS / MozillaFirefox

Package

Name
MozillaFirefox
Purl
purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
60.9.0esr-78.46.2

Ecosystem specific

{
    "binaries": [
        {
            "libfirefox-gio-2_0-0": "2.54.3-2.11.1",
            "MozillaFirefox": "60.9.0esr-78.46.2",
            "firefox-gtk3-lang": "3.10.9-2.12.2",
            "firefox-gtk3-branding-upstream": "3.10.9-2.12.2",
            "MozillaFirefox-translations-common": "60.9.0esr-78.46.2",
            "firefox-glib2-lang": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-xim": "3.10.9-2.12.2",
            "libfirefox-gmodule-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-tools": "3.10.9-2.12.2",
            "libfirefox-gthread-2_0-0": "2.54.3-2.11.1",
            "firefox-gio-branding-upstream": "2.54.3-2.11.1",
            "MozillaFirefox-translations-other": "60.9.0esr-78.46.2",
            "firefox-gtk3-immodules-tigrigna": "3.10.9-2.12.2",
            "libfirefox-gobject-2_0-0": "2.54.3-2.11.1",
            "libfirefox-glib-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-multipress": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-inuktitut": "3.10.9-2.12.2",
            "firefox-glib2-tools": "2.54.3-2.11.1",
            "firefox-gtk3-data": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-amharic": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-thai": "3.10.9-2.12.2",
            "firefox-libgtk-3-0": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-vietnamese": "3.10.9-2.12.2"
        }
    ]
}
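The "binaries" map above is what a practitioner actually needs from this advisory: the exact NVR of every binary package that carries the fix. The script below is an added example, not part of the SUSE advisory or the OSV record. It ports rpm's rpmvercmp() segment comparison to Python (numeric segments compare as integers, alphabetic segments lexically, numeric beats alphabetic, "~" sorts before everything), compares version then release of each installed package against the fixed NVR, and reports what is still vulnerable. The FIXED map is a subset copied from the JSON above; SAMPLE_RPM_QA is constructed sample data in the format of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, not output from a real host. Epochs are not handled because no package in this advisory carries one.

```python
"""Check installed package NVRs against the fixed versions in SUSE-SU-2019:14173-1.

Added example (not SUSE's or OSV's code). Feed it the output of
  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
on an SLE 11 SP4 host; the sample below is constructed, not captured.
"""
import re

# Subset of the advisory's ecosystem_specific "binaries" map (copied from above).
FIXED = {
    "MozillaFirefox": "60.9.0esr-78.46.2",
    "MozillaFirefox-translations-common": "60.9.0esr-78.46.2",
    "firefox-glib2-tools": "2.54.3-2.11.1",
    "libfirefox-glib-2_0-0": "2.54.3-2.11.1",
    "firefox-libgtk-3-0": "3.10.9-2.12.2",
    "firefox-gtk3-data": "3.10.9-2.12.2",
}

# Constructed sample of `rpm -qa` output: two packages lag the fix, two are
# already at the fixed NVR, one is unrelated to the advisory.
SAMPLE_RPM_QA = """\
MozillaFirefox 60.8.0esr-78.43.1
MozillaFirefox-translations-common 60.9.0esr-78.46.2
firefox-glib2-tools 2.54.3-2.8.1
libfirefox-glib-2_0-0 2.54.3-2.11.1
firefox-libgtk-3-0 3.10.9-2.12.2
bash 3.2-147.22.1
"""

# rpmvercmp tokenises into runs of digits, runs of letters and the tilde;
# every other character is a separator and is dropped.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Python port of rpm's rpmvercmp(). Returns -1, 0 or 1 (a <, ==, > b)."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        # A tilde sorts before anything, including the end of the string,
        # which is how "1.0~rc1" ends up older than "1.0".
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            j += 1
            continue
        # One side exhausted: the side with segments left is newer ("60.9.0esr" > "60.9.0").
        if x is None:
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            # A numeric segment is newer than an alphabetic one at the same position.
            return 1 if xnum else -1
        if xnum:
            xi, yi = int(x), int(y)  # int() strips leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
        j += 1
    return 0


def evr_cmp(installed, fixed):
    """Compare two 'VERSION-RELEASE' strings: version first, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Return {name: installed_nvr} for advisory packages still older than the fix.

    Packages the advisory does not cover, or that are not installed, are skipped:
    absence of a package is not a vulnerability.
    """
    found = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, nvr = line.split(None, 1)
        nvr = nvr.strip()
        if name in fixed and evr_cmp(nvr, fixed[name]) < 0:
            found[name] = nvr
    return found


if __name__ == "__main__":
    for name, nvr in sorted(vulnerable_packages(SAMPLE_RPM_QA).items()):
        print(f"{name}: installed {nvr}, fixed in {FIXED[name]}")
```

The check is deliberately per-binary rather than per-source-package: on SLE 11 the glib2 and gtk3 fixes ship as separate binary RPMs with their own NVRs, so a host that updated MozillaFirefox but skipped firefox-glib2 still shows up in the report. Note that `rpm -qa` lists what is installed, not what is running; after updating, Firefox must be restarted for the fix to take effect.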

SUSE:Linux Enterprise Server 11 SP4-LTSS / firefox-glib2

Package

Name
firefox-glib2
Purl
purl:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.54.3-2.11.1

Ecosystem specific

{
    "binaries": [
        {
            "libfirefox-gio-2_0-0": "2.54.3-2.11.1",
            "MozillaFirefox": "60.9.0esr-78.46.2",
            "firefox-gtk3-lang": "3.10.9-2.12.2",
            "firefox-gtk3-branding-upstream": "3.10.9-2.12.2",
            "MozillaFirefox-translations-common": "60.9.0esr-78.46.2",
            "firefox-glib2-lang": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-xim": "3.10.9-2.12.2",
            "libfirefox-gmodule-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-tools": "3.10.9-2.12.2",
            "libfirefox-gthread-2_0-0": "2.54.3-2.11.1",
            "firefox-gio-branding-upstream": "2.54.3-2.11.1",
            "MozillaFirefox-translations-other": "60.9.0esr-78.46.2",
            "firefox-gtk3-immodules-tigrigna": "3.10.9-2.12.2",
            "libfirefox-gobject-2_0-0": "2.54.3-2.11.1",
            "libfirefox-glib-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-multipress": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-inuktitut": "3.10.9-2.12.2",
            "firefox-glib2-tools": "2.54.3-2.11.1",
            "firefox-gtk3-data": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-amharic": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-thai": "3.10.9-2.12.2",
            "firefox-libgtk-3-0": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-vietnamese": "3.10.9-2.12.2"
        }
    ]
}

SUSE:Linux Enterprise Server 11 SP4-LTSS / firefox-gtk3

Package

Name
firefox-gtk3
Purl
purl:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.10.9-2.12.2

Ecosystem specific

{
    "binaries": [
        {
            "libfirefox-gio-2_0-0": "2.54.3-2.11.1",
            "MozillaFirefox": "60.9.0esr-78.46.2",
            "firefox-gtk3-lang": "3.10.9-2.12.2",
            "firefox-gtk3-branding-upstream": "3.10.9-2.12.2",
            "MozillaFirefox-translations-common": "60.9.0esr-78.46.2",
            "firefox-glib2-lang": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-xim": "3.10.9-2.12.2",
            "libfirefox-gmodule-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-tools": "3.10.9-2.12.2",
            "libfirefox-gthread-2_0-0": "2.54.3-2.11.1",
            "firefox-gio-branding-upstream": "2.54.3-2.11.1",
            "MozillaFirefox-translations-other": "60.9.0esr-78.46.2",
            "firefox-gtk3-immodules-tigrigna": "3.10.9-2.12.2",
            "libfirefox-gobject-2_0-0": "2.54.3-2.11.1",
            "libfirefox-glib-2_0-0": "2.54.3-2.11.1",
            "firefox-gtk3-immodule-multipress": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-inuktitut": "3.10.9-2.12.2",
            "firefox-glib2-tools": "2.54.3-2.11.1",
            "firefox-gtk3-data": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-amharic": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-thai": "3.10.9-2.12.2",
            "firefox-libgtk-3-0": "3.10.9-2.12.2",
            "firefox-gtk3-immodule-vietnamese": "3.10.9-2.12.2"
        }
    ]
}