Overview

File _patchinfo of Package patchinfo.25804

<patchinfo incident="25804">
  <issue tracker="bnc" id="1202645">VUL-0: MozillaFirefox / MozillaThunderbird: update to 104 and 102.2esr/91.13esr</issue>
  <issue tracker="bnc" id="1201758">VUL-0: MozillaFirefox / MozillaThunderbird: update to 103 and 102.1esr/91.12esr</issue>
  <issue tracker="bnc" id="1200793">VUL-0: MozillaFirefox / MozillaThunderbird: update to 102 and 91.11esr</issue>
  <issue tracker="bnc" id="1203477">VUL-0: MozillaFirefox / MozillaThunderbird: update to 105 and 102.3esr</issue>
  <issue tracker="cve" id="2022-34480"/>
  <issue tracker="cve" id="2022-34476"/>
  <issue tracker="cve" id="2022-36314"/>
  <issue tracker="cve" id="2022-34474"/>
  <issue tracker="cve" id="2022-34483"/>
  <issue tracker="cve" id="2022-34472"/>
  <issue tracker="cve" id="2022-34470"/>
  <issue tracker="cve" id="2022-2505"/>
  <issue tracker="cve" id="2022-38477"/>
  <issue tracker="cve" id="2022-2200"/>
  <issue tracker="cve" id="2022-34475"/>
  <issue tracker="cve" id="2022-36318"/>
  <issue tracker="cve" id="2022-34469"/>
  <issue tracker="cve" id="2022-38472"/>
  <issue tracker="cve" id="2022-34481"/>
  <issue tracker="cve" id="2022-36319"/>
  <issue tracker="cve" id="2022-34477"/>
  <issue tracker="cve" id="2022-34478"/>
  <issue tracker="cve" id="2022-38476"/>
  <issue tracker="cve" id="2022-38473"/>
  <issue tracker="cve" id="2022-34482"/>
  <issue tracker="cve" id="2022-34471"/>
  <issue tracker="cve" id="2022-34484"/>
  <issue tracker="cve" id="2022-34479"/>
  <issue tracker="cve" id="2022-38478"/>
  <issue tracker="cve" id="2022-34468"/>
  <issue tracker="cve" id="2022-34473"/>
  <issue tracker="cve" id="2022-34485"/>
  <issue tracker="cve" id="2022-40959"/>
  <issue tracker="cve" id="2022-40960"/>
  <issue tracker="cve" id="2022-40958"/>
  <issue tracker="cve" id="2022-40956"/>
  <issue tracker="cve" id="2022-40957"/>
  <issue tracker="cve" id="2022-40962"/>
  <packager>MSirringhaus</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for MozillaFirefox</summary>
  <description>This update for MozillaFirefox fixes the following issues:

Mozilla Firefox was updated to 102.3.0esr ESR (bsc#1200793, bsc#1201758, bsc#1202645, bsc#1203477):

- CVE-2022-40959: Fixed bypassing FeaturePolicy restrictions on transient pages.
- CVE-2022-40960: Fixed data-race when parsing non-UTF-8 URLs in threads.   
- CVE-2022-40958: Fixed bypassing secure context restriction for cookies with __Host and __Secure prefix.                                                           
- CVE-2022-40956: Fixed content-security-policy base-uri bypass.                                                                           
- CVE-2022-40957: Fixed incoherent instruction cache when building WASM on ARM64.
- CVE-2022-40962: Fixed memory safety bugs.
- CVE-2022-38472: Fixed a potential address bar spoofing via XSLT error handling.
- CVE-2022-38473: Fixed an issue where cross-origin XSLT documents could inherit the parent's permissions.
- CVE-2022-38478: Fixed various memory safety issues.
- CVE-2022-38476: Fixed data race and potential use-after-free in PK11_ChangePW.
- CVE-2022-38477: Fixed memory safety bugs.
- CVE-2022-36319: Fixed mouse position spoofing with CSS transforms.
- CVE-2022-36318: Fixed directory indexes for bundled resources reflected URL parameters.
- CVE-2022-36314: Fixed unexpected network loads when opening local .lnk files.
- CVE-2022-2505: Fixed memory safety bugs.
- CVE-2022-34479: Fixed vulnerabilty where a popup window could be resized in a way to overlay the address bar with web content.
- CVE-2022-34470: Fixed use-after-free in nsSHistory.
- CVE-2022-34468: Fixed bypass of CSP sandbox header without `allow-scripts` via retargeted javascript: URI.
- CVE-2022-34482: Fixed drag and drop of malicious image that could have led to malicious executable and potential code execution.
- CVE-2022-34483: Fixed drag and drop of malicious image that could have led to malicious executable and potential code execution.
- CVE-2022-34476: Fixed vulnerability where ASN.1 parser could have been tricked into accepting malformed ASN.1.
- CVE-2022-34481: Fixed potential integer overflow in ReplaceElementsAt
- CVE-2022-34474: Fixed vulnerability where sandboxed iframes could redirect to external schemes.
- CVE-2022-34469: Fixed TLS certificate errors on HSTS-protected domains which could be bypassed by the user on Firefox for Android.
- CVE-2022-34471: Fixed vulnerability where a compromised server could trick a browser into an addon downgrade.
- CVE-2022-34472: Fixed vulnerability where an unavailable PAC file resulted in OCSP requests being blocked.
- CVE-2022-34478: Fixed vulnerability where Microsoft protocols can be attacked if a user accepts a prompt.
- CVE-2022-2200: Fixed vulnerability where undesired attributes could be set as part of prototype pollution.
- CVE-2022-34480: Fixed free of uninitialized pointer in lg_init.
- CVE-2022-34477: Fixed vulnerability in MediaError message property leaking information on cross-origin same-site pages.
- CVE-2022-34475: Fixed vulnerability where the HTML Sanitizer could have been bypassed via same-origin script via use tags.
- CVE-2022-34473: Fixed vulnerability where the HTML Sanitizer could have been bypassed via use tags.
- CVE-2022-34484: Fixed memory safety bugs.
- CVE-2022-34485: Fixed memory safety bugs.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places