SUSE-SU-2025:02531-1

This update for MozillaFirefox fixes the following issues:

• Firefox Extended Support Release 140.1.0 ESR
  • MFSA-RESERVE-2025-1968423 (bmo#1968423) JavaScript engine only wrote partial return value to stack
  • MFSA-RESERVE-2025-1971581 (bmo#1971581) Large branch table could lead to truncated instruction
  • MFSA-RESERVE-2025-1928021 (bmo#1928021) CSP does not block javascript: URLs on object and embed tags
  • MFSA-RESERVE-2025-1960834 (bmo#1960834) DNS rebinding circumvents CORS
  • MFSA-RESERVE-2025-1964767 (bmo#1964767) Nameless cookies shadow secure cookies
  • MFSA-RESERVE-2025-1968414 (bmo#1968414) Potential user-assisted code execution in “Copy as cURL” command
  • MFSA-RESERVE-2025-1971719 (bmo#1971719) Incorrect URL stripping in CSP reports
  • MFSA-RESERVE-2025-1974407 (bmo#1974407) XSLT documents could by-pass CSP
  • MFSA-RESERVE-2025-1808979 (bmo#1808979) CSP frame-src was not correctly enforced for paths
  • MFSA-RESERVE-2025-1970997 (bmo#1970997) Search terms persist in URL bar
  • MFSA-RESERVE-2025-1973990 (bmo#1973990) Incorrect JavaScript state machine for generators
  • MFSA-RESERVE-2025-1 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422) Memory safety bugs fixed in Firefox ESR 115.26, Thunderbird ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  • MFSA-RESERVE-2025-2 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998) Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
  • MFSA-RESERVE-2025-3 (bmo#1975961, bmo#1975961, bmo#1975961) Memory safety bugs fixed in Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Various security fixes MFSA 2025-59 (bsc#1246664): - CVE-2025-8027: JavaScript engine only wrote partial return value to stack - CVE-2025-8028: Large branch table could lead to truncated instruction - CVE-2025-8029: javascript: URLs executed on object and embed tags - CVE-2025-8036: DNS rebinding circumvents CORS - CVE-2025-8037: Nameless cookies shadow secure cookies - CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command - CVE-2025-8031: Incorrect URL stripping in CSP reports - CVE-2025-8032: XSLT documents could bypass CSP - CVE-2025-8038: CSP frame-src was not correctly enforced for paths - CVE-2025-8039: Search terms persisted in URL bar - CVE-2025-8033: Incorrect JavaScript state machine for generators - CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141