File _patchinfo of Package patchinfo.25825
<patchinfo incident="25825">
<issue tracker="bnc" id="1202645">VUL-0: MozillaFirefox / MozillaThunderbird: update to 104 and 102.2esr/91.13esr</issue>
<issue tracker="bnc" id="1201758">VUL-0: MozillaFirefox / MozillaThunderbird: update to 103 and 102.1esr/91.12esr</issue>
<issue tracker="bnc" id="1200793">VUL-0: MozillaFirefox / MozillaThunderbird: update to 102 and 91.11esr</issue>
<issue tracker="cve" id="2022-38478"/>
<issue tracker="cve" id="2022-38477"/>
<issue tracker="cve" id="2022-38476"/>
<issue tracker="cve" id="2022-38473"/>
<issue tracker="cve" id="2022-38472"/>
<issue tracker="cve" id="2022-36319"/>
<issue tracker="cve" id="2022-36318"/>
<issue tracker="cve" id="2022-36314"/>
<issue tracker="cve" id="2022-34485"/>
<issue tracker="cve" id="2022-34484"/>
<issue tracker="cve" id="2022-34483"/>
<issue tracker="cve" id="2022-34482"/>
<issue tracker="cve" id="2022-34481"/>
<issue tracker="cve" id="2022-34480"/>
<issue tracker="cve" id="2022-34479"/>
<issue tracker="cve" id="2022-34478"/>
<issue tracker="cve" id="2022-34477"/>
<issue tracker="cve" id="2022-34476"/>
<issue tracker="cve" id="2022-34475"/>
<issue tracker="cve" id="2022-34474"/>
<issue tracker="cve" id="2022-34473"/>
<issue tracker="cve" id="2022-34472"/>
<issue tracker="cve" id="2022-34471"/>
<issue tracker="cve" id="2022-34470"/>
<issue tracker="cve" id="2022-34469"/>
<issue tracker="cve" id="2022-34468"/>
<issue tracker="cve" id="2022-2505"/>
<issue tracker="cve" id="2022-2200"/>
<packager>MSirringhaus</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for MozillaFirefox</summary>
<description>This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 102.2.0esr ESR:
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-34 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159,
bmo#1773363)
Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
and Firefox ESR 91.13
Firefox Extended Support Release 102.1 ESR
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-30 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL
parameters
* CVE-2022-36314 (bmo#1773894)
Opening local <code>.lnk</code> files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
* Fixed: Fixed bookmark shortcut creation by dragging to
Windows File Explorer and dropping partially broken
(bmo#1774683)
* Fixed: Fixed bookmarks sidebar flashing white when opened in
dark mode (bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with
content in both English and a non-Latin alphabet
(bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console
output keep getting scrolled to the bottom when the last
visible message is an evaluation result (bmo#1776262)
* Fixed: Fixed *Delete cookies and site data when Firefox is
closed* checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
Firefox 102.0 ESR:
* New:
- We now provide more secure connections: Firefox can
now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc
headers.
- For added viewing pleasure, full-range color levels are now
supported for video playback on many systems.
- Find it easier now! Mac users can now access the macOS
share options from the Firefox File menu.
- Voilà! Support for images containing ICC v4 profiles is
enabled on macOS.
- Firefox now supports the new AVIF image format, which is
based on the modern and royalty-free AV1 video codec. It
offers significant bandwidth savings for sites compared to
existing image formats. It also supports transparency and
other advanced features.
- Firefox PDF viewer now supports filling more forms (e.g.,
XFA-based forms, used by multiple governments and banks).
Learn more.
- When available system memory is critically low, Firefox on
Windows will automatically unload tabs based on their last
access time, memory usage, and other attributes. This helps
to reduce Firefox out-of-memory crashes. Forgot something?
Switching to an unloaded tab automatically reloads it.
- To prevent session loss for macOS users who are running
Firefox from a mounted .dmg file, they’ll now be prompted to
finish installation. Bear in mind, this permission prompt
only appears the first time these users run Firefox on their
computer.
- For your safety, Firefox now blocks downloads that rely on
insecure connections, protecting against potentially
malicious or unsafe downloads. Learn more and see where to
find downloads in Firefox.
- Improved web compatibility for privacy protections with
SmartBlock 3.0: In Private Browsing and Strict Tracking
Protection, Firefox goes to great lengths to protect your web
browsing activity from trackers. As part of this, the built-
in content blocking will automatically block third-party
scripts, images, and other content from being loaded from
cross-site tracking companies reported by Disconnect. Learn
more.
- Introducing a new referrer tracking protection in Strict
Tracking Protection and Private Browsing. This feature
prevents sites from unknowingly leaking private information
to trackers. Learn more.
- Introducing Firefox Suggest, a feature that provides
website suggestions as you type into the address bar. Learn
more about this faster way to navigate the web and locale-
specific features.
- Firefox macOS now uses Apple's low-power mode for
fullscreen video on sites such as YouTube and Twitch. This
meaningfully extends battery life in long viewing sessions.
Now your kids can find out what the fox says on a loop
without you ever missing a beat…
- With this release, power users can use about:unloads to
release system resources by manually unloading tabs without
closing them.
- On Windows, there will now be fewer interruptions because
Firefox won’t prompt you for updates. Instead, a background
agent will download and install updates even if Firefox is
closed.
- On Linux, we’ve improved WebGL performance and reduced
power consumption for many users.
- To better protect all Firefox users against side-channel
attacks, such as Spectre, we introduced Site Isolation.
- Firefox no longer warns you by default when you exit the
browser or close a window using a menu, button, or three-key
command. This should cut back on unwelcome notifications,
which is always nice—however, if you prefer a bit of notice,
you’ll still have full control over the quit/close modal
behavior. All warnings can be managed within Firefox
Settings. No worries! More details here.
- Firefox supports the new Snap Layouts menus when running on
Windows 11.
- RLBox—a new technology that hardens Firefox against
potential security vulnerabilities in third-party
libraries—is now enabled on all platforms.
- We’ve reduced CPU usage on macOS in Firefox and
WindowServer during event processing.
- We’ve also reduced the power usage of software decoded
video on macOS, especially in fullscreen. This includes
streaming sites such as Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to
the opposite side of the video. Simply look for the new
context menu option Move Picture-in-Picture Toggle to Left
(Right) Side.
- We’ve made significant improvements in noise suppression
and auto-gain-control, as well as slight improvements in
echo-cancellation to provide you with a better overall
experience.
- We’ve also significantly reduced main-thread load.
- When printing, you can now choose to print only the
odd/even pages.
- Firefox now supports and displays the new style of
scrollbars on Windows 11.
- Firefox has a new optimized download flow. Instead of
prompting every time, files will download automatically.
However, they can still be opened from the downloads panel
with just one click. Easy! More information
- Firefox no longer asks what to do for each file by default.
You won’t be prompted to choose a helper application or save
to disk before downloading a file unless you have changed
your download action setting for that type of file.
- Any files you download will be immediately saved on your
disk. Depending on the current configuration, they’ll be
saved in your preferred download folder, or you’ll be asked
to select a location for each download. Windows and Linux
users will find their downloaded files in the destination
folder. They’ll no longer be put in the Temp folder.
- Firefox allows users to choose from a number of built-in
search engines to set as their default. In this release, some
users who had previously configured a default engine might
notice their default search engine has changed since Mozilla
was unable to secure formal permission to continue including
certain search engines in Firefox.
- You can now toggle Narrate in ReaderMode with the keyboard
shortcut "n."
- You can find added support for search—with or without
diacritics—in the PDF viewer.
- The Linux sandbox has been strengthened: processes exposed
to web content no longer have access to the X Window system
(X11).
- Firefox now supports credit card autofill and capture in
Germany, France, and the United Kingdom.
- We now support captions/subtitles display on YouTube, Prime
Video, and Netflix videos you watch in Picture-in-Picture.
Just turn on the subtitles on the in-page video player, and
they will appear in PiP.
- Picture-in-Picture now also supports video captions on
websites that use Web Video Text Track (WebVTT) format (e.g.,
Coursera.org, Canadian Broadcasting Corporation, and many
more).
- On the first run after install, Firefox detects when its
language does not match the operating system language and
offers the user a choice between the two languages.
- Firefox spell checking now checks spelling in multiple
languages. To enable additional languages, select them in the
text field’s context menu.
- HDR video is now supported in Firefox on Mac—starting with
YouTube! Firefox users on macOS 11+ (with HDR-compatible
screens) can enjoy higher-fidelity video content. No need to
manually flip any preferences to turn HDR video support
on—just make sure battery preferences are NOT set to
“optimize video streaming while on battery”.
- Hardware-accelerated AV1 video decoding is enabled on
Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2
Excluding Navi 24, GeForce 30). Installing the AV1 Video
Extension from the Microsoft Store may also be required.
- Video overlay is enabled on Windows for Intel GPUs,
reducing power usage during video playback.
- Improved fairness between painting and handling other
events. This noticeably improves the performance of the
volume slider on Twitch.
- Scrollbars on Linux and Windows 11 won't take space by
default. On Linux, users can change this in Settings. On
Windows, Firefox follows the system setting (System Settings
> Accessibility > Visual Effects > Always show scrollbars).
- Firefox now ignores less restricted referrer
policies—including unsafe-url, no-referrer-when-downgrade,
and origin-when-cross-origin—for cross-site
subresource/iframe requests to prevent privacy leaks from the
referrer.
- Reading is now easier with the prefers-contrast media
query, which allows sites to detect if the user has requested
that web content is presented with a higher (or lower)
contrast.
- All non-configured MIME types can now be assigned a custom
action upon download completion.
- Firefox now allows users to use as many microphones as they
want, at the same time, during video conferencing. The most
exciting benefit is that you can easily switch your
microphones at any time (if your conferencing service
provider enables this flexibility).
- Print preview has been updated.
* Fixed: Various security fixes.
- MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34483 (bmo#1335845)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34476 (bmo#1387919)
ASN.1 parser could have been tricked into accepting malformed
ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138)
Sandboxed iframes could redirect to external schemes
* CVE-2022-34469 (bmo#1721220)
TLS certificate errors on HSTS-protected domains could be
bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047)
Compromised server could trick a browser into an addon
downgrade
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a
prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype
pollution
* CVE-2022-34480 (bmo#1454072)
Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614)
MediaError message property leaked information on cross-
origin same-site pages
* CVE-2022-34475 (bmo#1757210)
HTML Sanitizer could have been bypassed via same-origin
script via use tags
* CVE-2022-34473 (bmo#1770888)
HTML Sanitizer could have been bypassed via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578)
Memory safety bugs fixed in Firefox 102
</description>
</patchinfo>
