Описание
Security update for MozillaFirefox
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 115.7.0 ESR (MFSA 2024-02) (bsc#1218955):
- CVE-2024-0741: Out of bounds write in ANGLE
- CVE-2024-0742: Failure to update user input timestamp
- CVE-2024-0746: Crash when listing printers on Linux
- CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set
- CVE-2024-0749: Phishing site popup could show local origin in address bar
- CVE-2024-0750: Potential permissions request bypass via clickjacking
- CVE-2024-0751: Privilege escalation through devtools
- CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
- CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
SUSE Linux Enterprise Server 15 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP1
Ссылки
- Link for SUSE-SU-2024:0228-1
- E-Mail link for SUSE-SU-2024:0228-1
- SUSE Security Ratings
- SUSE Bug 1218955
- SUSE CVE CVE-2024-0741 page
- SUSE CVE CVE-2024-0742 page
- SUSE CVE CVE-2024-0746 page
- SUSE CVE CVE-2024-0747 page
- SUSE CVE CVE-2024-0749 page
- SUSE CVE CVE-2024-0750 page
- SUSE CVE CVE-2024-0751 page
- SUSE CVE CVE-2024-0753 page
- SUSE CVE CVE-2024-0755 page
Описание
An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0741
- SUSE Bug 1218955
Описание
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0742
- SUSE Bug 1218955
Описание
A Linux user opening the print preview dialog could have caused the browser to crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0746
- SUSE Bug 1218955
Описание
When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0747
- SUSE Bug 1218955
Описание
A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0749
- SUSE Bug 1218955
Описание
A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0750
- SUSE Bug 1218955
Описание
A malicious devtools extension could have been used to escalate privileges. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0751
- SUSE Bug 1218955
Описание
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0753
- SUSE Bug 1218955
Описание
Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
Затронутые продукты
Ссылки
- CVE-2024-0755
- SUSE Bug 1218955