openSUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:0203-1 Rating: important References: #1077291 Cross-References: CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 CVE-2018-5104 CVE-2018-5117 Affected Products: openSUSE Leap 42.3 openSUSE Leap 42.2 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - update to Firefox 52.6esr (boo#1077291) MFSA 2018-01 * Speculative execution side-channel attack ("Spectre") MFSA 2018-03 * CVE-2018-5091 (bmo#1423086) Use-after-free with DTMF timers * CVE-2018-5095 (bmo#1418447) Integer overflow in Skia library during edge builder allocation * CVE-2018-5096 (bmo#1418922) Use-after-free while editing form elements * CVE-2018-5097 (bmo#1387427) Use-after-free when source document is manipulated during XSLT * CVE-2018-5098 (bmo#1399400) Use-after-free while manipulating form input elements * CVE-2018-5099 (bmo#1416878) Use-after-free with widget listener * CVE-2018-5102 (bmo#1419363) Use-after-free in HTML media elements * CVE-2018-5103 (bmo#1423159) Use-after-free during mouse event handling * CVE-2018-5104 (bmo#1425000) Use-after-free during font face manipulation * CVE-2018-5117 (bmo#1395508) URL spoofing with right-to-left text aligned left-to-right * CVE-2018-5089 Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6 - Added additional patches and configurations to fix builds on s390 and PowerPC. * Added firefox-glibc-getrandom.patch effecting builds on s390 and PowerPC * Added mozilla-s390-bigendian.patch along with icudt58b.dat bigendian ICU data file for running Firefox on bigendian architectures (bmo#1322212 and bmo#1264836) * Added mozilla-s390-nojit.patch to enable atomic operations used by the JS engine when JIT is disabled on s390 * Build configuration options specific to s390 * Requires NSS >= 3.29.5 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-85=1 - openSUSE Leap 42.2: zypper in -t patch openSUSE-2018-85=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.3 (x86_64): MozillaFirefox-52.6-75.1 MozillaFirefox-branding-upstream-52.6-75.1 MozillaFirefox-buildsymbols-52.6-75.1 MozillaFirefox-debuginfo-52.6-75.1 MozillaFirefox-debugsource-52.6-75.1 MozillaFirefox-devel-52.6-75.1 MozillaFirefox-translations-common-52.6-75.1 MozillaFirefox-translations-other-52.6-75.1 - openSUSE Leap 42.2 (x86_64): MozillaFirefox-52.6-57.30.1 MozillaFirefox-branding-upstream-52.6-57.30.1 MozillaFirefox-buildsymbols-52.6-57.30.1 MozillaFirefox-debuginfo-52.6-57.30.1 MozillaFirefox-debugsource-52.6-57.30.1 MozillaFirefox-devel-52.6-57.30.1 MozillaFirefox-translations-common-52.6-57.30.1 MozillaFirefox-translations-other-52.6-57.30.1 References: https://www.suse.com/security/cve/CVE-2018-5089.html https://www.suse.com/security/cve/CVE-2018-5091.html https://www.suse.com/security/cve/CVE-2018-5095.html https://www.suse.com/security/cve/CVE-2018-5096.html https://www.suse.com/security/cve/CVE-2018-5097.html https://www.suse.com/security/cve/CVE-2018-5098.html https://www.suse.com/security/cve/CVE-2018-5099.html https://www.suse.com/security/cve/CVE-2018-5102.html https://www.suse.com/security/cve/CVE-2018-5103.html https://www.suse.com/security/cve/CVE-2018-5104.html https://www.suse.com/security/cve/CVE-2018-5117.html https://bugzilla.suse.com/1077291 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org