File _patchinfo of Package patchinfo.22391

<patchinfo incident="22391">
  <issue tracker="bnc" id="1194547">VUL-0: MozillaFirefox / MozillaThunderbird: update to 96 and 91.5esr</issue>
  <issue tracker="cve" id="2021-4140"/>
  <issue tracker="cve" id="2022-22737"/>
  <issue tracker="cve" id="2022-22738"/>
  <issue tracker="cve" id="2022-22739"/>
  <issue tracker="cve" id="2022-22740"/>
  <issue tracker="cve" id="2022-22741"/>
  <issue tracker="cve" id="2022-22742"/>
  <issue tracker="cve" id="2022-22743"/>
  <issue tracker="cve" id="2022-22744"/>
  <issue tracker="cve" id="2022-22745"/>
  <issue tracker="cve" id="2022-22746"/>
  <issue tracker="cve" id="2022-22747"/>
  <issue tracker="cve" id="2022-22748"/>
  <issue tracker="cve" id="2022-22751"/>
  <packager>cgrobertson</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaFirefox</summary>
  <description>This update for MozillaFirefox fixes the following issues:

- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed an issue where calling into reportValidity could have led to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence (bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
</description>
</patchinfo>