SUSE-SU-2025:21170-1

Update to version 128.14.0 (bsc#1248162):
- CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
- CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component
- CVE-2025-9181: Uninitialized memory in the JavaScript Engine component
- CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
Update to version 128.13.0:
- CVE-2025-8027: JavaScript engine only wrote partial return value to stack
- CVE-2025-8028: Large branch table could lead to truncated instruction
- CVE-2025-8029: javascript: URLs executed on object and embed tags
- CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command
- CVE-2025-8031: Incorrect URL stripping in CSP reports
- CVE-2025-8032: XSLT documents could bypass CSP
- CVE-2025-8033: Incorrect JavaScript state machine for generators
- CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
Update to version 128.12.0:
- CVE-2025-6424: Use-after-free in FontFaceSet
- CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
- CVE-2025-6426: No warning when opening executable terminal files on macOS
- CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
- CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag
Update to version 128.11.0:
- CVE-2025-5283: Double-free in libvpx encoder
- CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content
- CVE-2025-5264: Potential local code execution in “Copy as cURL” command
- CVE-2025-5265: Potential local code execution in “Copy as cURL” command
- CVE-2025-5266: Script element events leaked cross-origin resource status
- CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details
- CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11
- CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11

References

Affected packages

SUSE:Linux Enterprise Server 16.0 / mozjs128

Package

Name: mozjs128
Purl: pkg:rpm/suse/mozjs128&distro=SUSE%20Linux%20Enterprise%20Server%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

128.14.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "libmozjs-128-0": "128.14.0-160000.1.1",
            "mozjs128": "128.14.0-160000.1.1",
            "mozjs128-devel": "128.14.0-160000.1.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:21170-1.json"

SUSE:Linux Enterprise Server for SAP applications 16.0 / mozjs128

Package

Name: mozjs128
Purl: pkg:rpm/suse/mozjs128&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

128.14.0-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "libmozjs-128-0": "128.14.0-160000.1.1",
            "mozjs128": "128.14.0-160000.1.1",
            "mozjs128-devel": "128.14.0-160000.1.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:21170-1.json"