Overview

File _patchinfo of Package patchinfo.8722

<patchinfo incident="8722">
  <issue tracker="bnc" id="1107343">VUL-0: MozillaFirefox: 62 / 60.2 ESR releases</issue>
  <issue tracker="cve" id="2017-16541"/>
  <issue tracker="cve" id="2018-12377"/>
  <issue tracker="cve" id="2018-12376"/>
  <issue tracker="cve" id="2018-12379"/>
  <issue tracker="cve" id="2018-12381"/>
  <issue tracker="cve" id="2018-12378"/>
  <category>security</category>
  <rating>important</rating>
  <packager>pcerny</packager>
  <description>This update for MozillaFirefox to ESR 60.2 fixes several issues.

These general changes are part of the version 60 release.

- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
  authentication to web sites

The following changes affect compatibility:

- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted
  The "security.pki.distrust_ca_policy" preference can be set to 0 to reinstate
  trust in those certificates

The following issues affect performance:

- new format for storing private keys, certificates and certificate trust
  If the user home or data directory is on a network file system, it is
  recommended that users set the following environment variable to avoid
  slowdowns: NSS_SDB_USE_CACHE=yes
  This setting is not recommended for local, fast file systems.

These security issues were fixed:

- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
</description>
  <summary>Security update for MozillaFirefox</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places