SUSE-SU-2023:2849-1

Source
https://www.suse.com/support/update/announcement/2023/suse-su-20232849-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2023:2849-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2023:2849-1
Published
2023-07-17T07:49:44Z
Modified
2023-07-17T07:49:44Z
Summary
Security update for MozillaFirefox, MozillaFirefox-branding-SLE
Details

This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues:

Changes in MozillaFirefox and MozillaFirefox-branding-SLE:

This update provides Firefox Extended Support Release 115.0 ESR

  • New:

    • Required fields are now highlighted in PDF forms.
    • Improved performance on high-refresh rate monitors (120Hz+).
    • Buttons in the Tabs toolbar can now be reached with Tab, Shift+Tab, and Arrow keys. View this article for additional details.
    • Windows' 'Make text bigger' accessibility setting now affects all the UI and content pages, rather than only applying to system font sizes.
    • Non-breaking spaces are now preserved—preventing automatic line breaks—when copying text from a form control.
    • Fixed WebGL performance issues on NVIDIA binary drivers via DMA-Buf on Linux.
    • Fixed an issue in which Firefox startup could be significantly slowed down by the processing of Web content local storage. This had the greatest impact on users with platter hard drives and significant local storage.
    • Removed a configuration option to allow SHA-1 signatures in certificates: SHA-1 signatures in certificates—long since determined to no longer be secure enough—are now not supported.
    • Highlight color is preserved correctly after typing Enter in the mail composer of Yahoo Mail and Outlook.
    • After bypassing the HTTPS-Only error page, navigating back would take you to the error page that was previously dismissed. Back now takes you to the previous site that was visited.
    • Paste unformatted shortcut (shift+ctrl/cmd+v) now works in plain text contexts, such as input and text area.
    • Added an option to print only the current page from the print preview dialog.
    • Swipe to navigate (two fingers on a touchpad swiped left or right to perform history back or forward) on Windows is now enabled.
    • Stability on Windows is significantly improved as Firefox handles low-memory situations much better.
    • Touchpad scrolling on macOS was made more accessible by reducing unintended diagonal scrolling opposite of the intended scroll axis.
    • Firefox is less likely to run out of memory on Linux and performs more efficiently for the rest of the system when memory runs low.
    • It is now possible to edit PDFs: including writing text, drawing, and adding signatures.
    • Setting Firefox as your default browser now also makes it the default PDF application on Windows systems.
    • Swipe-to-navigate (two fingers on a touchpad swiped left or right to perform history back or forward) now works for Linux users on Wayland.
    • Text Recognition in images allows users on macOS 10.15 and higher to extract text from the selected image (such as a meme or screenshot).
    • Firefox View helps you get back to content you previously discovered. A pinned tab allows you to find and open recently closed tabs on your current device and access tabs from other devices (via our “Tab Pickup” feature).
    • Import maps, which allow web pages to control the behavior of JavaScript imports, are now enabled by default.
    • Processes used for background tabs now use efficiency mode on Windows 11 to limit resource use.
    • The shift+esc keyboard shortcut now opens the Process Manager, offering a way to quickly identify processes that are using too many resources.
    • Firefox now supports properly color correcting images tagged with ICCv4 profiles.
    • Support for non-English characters when saving and printing PDF forms.
    • The bookmarks toolbar's default 'Only show on New Tab' state works correctly for blank new tabs. As before, you can change the bookmark toolbar's behavior using the toolbar context menu.
    • Manifest Version 3 (MV3) extension support is now enabled by default (MV2 remains enabled/supported). This major update also ushers an exciting user interface change in the form of the new extensions button.
    • The Arbitrary Code Guard exploit protection has been enabled in the media playback utility processes, improving security for Windows users.
    • The native HTML date picker for date and datetime inputs can now be used with a keyboard alone, improving its accessibility for screen reader users. Users with limited mobility can also now use common keyboard shortcuts to navigate the calendar grid and month selection spinners.
    • Firefox builds in the Spanish from Spain (es-ES) and Spanish from Argentina (es-AR) locales now come with a built-in dictionary for the Firefox spellchecker.
    • On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls the page instead of zooming. This avoids accidental zooming and matches the behavior of other web browsers on macOS.
    • It's now possible to import bookmarks, history and passwords not only from Edge, Chrome or Safari but also from Opera, Opera GX, and Vivaldi.
    • GPU sandboxing has been enabled on Windows.
    • On Windows, third-party modules can now be blocked from injecting themselves into Firefox, which can be helpful if they are causing crashes or other undesirable behavior.
    • Date, time, and datetime-local input fields can now be cleared with Cmd+Backspace and Cmd+Delete shortcut on macOS and Ctrl+Backspace and Ctrl+Delete on Windows and Linux.
    • GPU-accelerated Canvas2D is enabled by default on macOS and Linux.
    • WebGL performance improvement on Windows, macOS and Linux.
    • Enables overlay of hardware-decoded video with non-Intel GPUs on Windows 10/11, improving video playback performance and video scaling quality.
    • Windows native notifications are now enabled.
    • Firefox Relay users can now opt-in to create Relay email masks directly from the Firefox credential manager. You must be signed in with your Firefox Account.
    • We’ve added two new locales: Silhe Friulian (fur) and Sardinian (sc).
    • Right-clicking on password fields now shows an option to reveal the password.
    • Private windows and ETP set to strict will now include email tracking protection. This will make it harder for email trackers to learn the browsing habits of Firefox users. You can check the Tracking Content in the sub-panel on the shield icon panel.
    • The deprecated U2F JavaScript API is now disabled by default. The U2F protocol remains usable through the WebAuthn API. The U2F API can be re-enabled using the security.webauth.u2f preference.
    • Say hello to enhanced Picture-in-Picture! Rewind, check video duration, and effortlessly switch to full-screen mode on the web's most popular video websites.
    • Firefox's address bar is already a great place to search for what you're looking for. Now you'll always be able to see your web search terms and refine them while viewing your search's results - no additional scrolling needed! Also, a new result menu has been added making it easier to remove history results and dismiss sponsored Firefox Suggest entries.
    • Private windows now protect users even better by blocking third-party cookies and storage of content trackers.
    • Passwords automatically generated by Firefox now include special characters, giving users more secure passwords by default.
    • Firefox 115 introduces a redesigned accessibility engine which significantly improves the speed, responsiveness, and stability of Firefox when used with:

      • Screen readers, as well as certain other accessibility software;
      • East Asian input methods;
      • Enterprise single sign-on software; and
      • Other applications which use accessibility frameworks to access information.
    • Firefox 115 now supports AV1 Image Format files containing animations (AVIS), improving support for AVIF images across the web.

    • The Windows GPU sandbox first shipped in the Firefox 110 release has been tightened to enhance the security benefits it provides.
    • A 13-year-old feature request was fulfilled and Firefox now supports files being drag-and-dropped directly from Microsoft Outlook. A special thanks to volunteer contributor Marco Spiess for helping to get this across the finish line!
    • Users on macOS can now access the Services sub-menu directly from Firefox context menus.
    • On Windows, the elastic overscroll effect has been enabled by default. When two-finger scrolling on the touchpad or scrolling on the touchscreen, you will now see a bouncing animation when scrolling past the edge of a scroll container.
    • Firefox is now available in the Tajik (tg) language.
    • Added UI to manage the DNS over HTTPS exception list.
    • Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is accessible by adding the Bookmarks menu button to the toolbar.
    • Restrict searches to your local browsing history by selecting Search history from the History, Library or Application menu buttons.
    • Mac users can now capture video from their cameras in all supported native resolutions. This enables resolutions higher than 1280x720.
    • It is now possible to reorder the extensions listed in the extensions panel.
    • Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator.
    • Pocket Recommended content can now be seen in France, Italy, and Spain.
    • DNS over HTTPS settings are now part of the Privacy & Security section of the Settings page and allow the user to choose from all the supported modes.
    • Migrating from another browser? Now you can bring over payment methods you've saved in Chrome-based browsers to Firefox.
    • Hardware video decoding enabled for Intel GPUs on Linux.
    • The Tab Manager dropdown now features close buttons, so you can close tabs more quickly.
    • Windows Magnifier now follows the text cursor correctly when the Firefox title bar is visible.
    • Undo and redo are now available in Password fields.

    [1]: https://support.mozilla.org/kb/access-toolbar-functions-using-keyboard?gl=1*16it7nj*gaMTEzNjg4MjY5NC4xNjQ1MjAxMDU3*_ga_MQ7767QQQWMTY1Njk2MzExMS43LjEuMTY1Njk2MzIzMy4w
    [2]: https://support.mozilla.org/kb/how-set-tab-pickup-firefox-view
    [3]: https://support.mozilla.org/kb/task-manager-tabs-or-extensions-are-slowing-firefox
    [4]: https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-available-november-21-on-firefox-nightly/
    [5]: https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/
    [6]: https://support.mozilla.org/kb/unified-extensions
    [7]: https://support.mozilla.org/kb/import-data-another-browser
    [8]: https://support.mozilla.org/kb/identify-problems-third-party-modules-firefox-windows
    [9]: https://support.mozilla.org/kb/how-generate-secure-password-firefox
    [10]: https://blog.mozilla.org/accessibility/firefox-113-accessibility-performance/
  • Fixed: Various security fixes. MFSA 2023-22 (bsc#1212438)

    • CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage
    • CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
    • CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
    • CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local system files
    • CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option element
    • CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL characters
    • CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the FileSystem API
    • CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
    • CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
    • CVE-2023-37209 (bmo#1837993) Use-after-free in NotifyOnHistoryReload
    • CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
    • CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13
    • CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed in Firefox 115
  • Fixed potential SIGILL on older CPUs (bsc#1212101)

  • Fixed: Various security fixes and other quality

Affected packages

SUSE:Linux Enterprise High Performance Computing 15 SP1-LTSS / MozillaFirefox

Package

Name
MozillaFirefox
Purl
purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115.0-150000.150.91.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP1-LTSS / MozillaFirefox-branding-SLE

Package

Name
MozillaFirefox-branding-SLE
Purl
purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115-150000.4.25.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP1-LTSS / MozillaFirefox

Package

Name
MozillaFirefox
Purl
purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115.0-150000.150.91.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP1-LTSS / MozillaFirefox-branding-SLE

Package

Name
MozillaFirefox-branding-SLE
Purl
purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115-150000.4.25.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP1 / MozillaFirefox

Package

Name
MozillaFirefox
Purl
purl:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115.0-150000.150.91.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP1 / MozillaFirefox-branding-SLE

Package

Name
MozillaFirefox-branding-SLE
Purl
purl:rpm/suse/MozillaFirefox-branding-SLE&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
115-150000.4.25.1

Ecosystem specific

{
    "binaries": [
        {
            "MozillaFirefox": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-common": "115.0-150000.150.91.1",
            "MozillaFirefox-devel": "115.0-150000.150.91.1",
            "MozillaFirefox-translations-other": "115.0-150000.150.91.1",
            "MozillaFirefox-branding-SLE": "115-150000.4.25.1"
        }
    ]
}