Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: MozillaFirefox / MozillaThunderbird: update to 116 and 115.1esr | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Martin Sirringhaus <martin.sirringhaus> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, rfrohl, wolfgang |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/373661/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-4045:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

SUSE-SU-2023:3163-1: An update that solves 11 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213657, 1213746
CVE References: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4052, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.1.0-150000.150.97.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.1.0-150000.150.97.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-115.1.0-150000.150.97.1
SUSE CaaS Platform 4.0 (src): MozillaFirefox-115.1.0-150000.150.97.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:3162-1: An update that solves 11 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213657, 1213746
CVE References: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4052, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057
Sources used:
openSUSE Leap 15.4 (src): MozillaFirefox-115.1.0-150200.152.99.1
openSUSE Leap 15.5 (src): MozillaFirefox-115.1.0-150200.152.99.1
Desktop Applications Module 15-SP4 (src): MozillaFirefox-115.1.0-150200.152.99.1
Desktop Applications Module 15-SP5 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): MozillaFirefox-115.1.0-150200.152.99.1
SUSE Enterprise Storage 7.1 (src): MozillaFirefox-115.1.0-150200.152.99.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:3161-1: An update that solves 11 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213657, 1213746
CVE References: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4052, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): MozillaFirefox-115.1.0-112.173.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): MozillaFirefox-115.1.0-112.173.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): MozillaFirefox-115.1.0-112.173.1
SUSE Linux Enterprise Server 12 SP5 (src): MozillaFirefox-115.1.0-112.173.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): MozillaFirefox-115.1.0-112.173.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

- Mozilla Thunderbird 102.14
MFSA 2023-32
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin
restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
bmo#1842325, bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
- Mozilla Thunderbird 115.1
MFSA 2023-33
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin
restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4052 (bmo#1824420)
File deletion and privilege escalation through Firefox
uninstaller
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
bmo#1842325, bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
and Thunderbird 115.1

This is an autogenerated message for OBS integration: This bug (1213746) was mentioned in https://build.opensuse.org/request/show/1102113 Factory / MozillaThunderbird

This is an autogenerated message for OBS integration: This bug (1213746) was mentioned in https://build.opensuse.org/request/show/1102301 Factory / MozillaFirefox

This is an autogenerated message for OBS integration: This bug (1213746) was mentioned in https://build.opensuse.org/request/show/1102415 Factory / MozillaFirefox

SUSE-SU-2023:3228-1: An update that solves 11 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213657, 1213746
CVE References: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050, CVE-2023-4052, CVE-2023-4054, CVE-2023-4055, CVE-2023-4056, CVE-2023-4057
Sources used:
openSUSE Leap 15.5 (src): MozillaThunderbird-115.1.0-150200.8.127.1
SUSE Package Hub 15 15-SP4 (src): MozillaThunderbird-115.1.0-150200.8.127.1
SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.1.0-150200.8.127.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): MozillaThunderbird-115.1.0-150200.8.127.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.1.0-150200.8.127.1
openSUSE Leap 15.4 (src): MozillaThunderbird-115.1.0-150200.8.127.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration: This bug (1213746) was mentioned in https://build.opensuse.org/request/show/1103536 Factory / MozillaFirefox

SUSE-SU-2023:3562-1: An update that solves 13 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1213746, 1214606
CVE References: CVE-2023-4051, CVE-2023-4053, CVE-2023-4574, CVE-2023-4575, CVE-2023-4576, CVE-2023-4577, CVE-2023-4578, CVE-2023-4580, CVE-2023-4581, CVE-2023-4582, CVE-2023-4583, CVE-2023-4584, CVE-2023-4585
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.2.0-150000.150.100.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.2.0-150000.150.100.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-115.2.0-150000.150.100.1
SUSE CaaS Platform 4.0 (src): MozillaFirefox-115.2.0-150000.150.100.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

done

- Mozilla Firefox 116
MFSA 2023-29
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin
restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4051 (bmo#1821884)
Full screen notification obscured by file open dialog
* CVE-2023-4052 (bmo#1824420)
File deletion and privilege escalation through Firefox
uninstaller
* CVE-2023-4053 (bmo#1839079)
Full screen notification obscured by external program
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
bmo#1842325, bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
and Thunderbird 115.1
* CVE-2023-4058 (bmo#1819160, bmo#1828024)
Memory safety bugs fixed in Firefox 116
- Mozilla Firefox ESR 115.1
MFSA 2023-31
* CVE-2023-4045 (bmo#1833876)
Offscreen Canvas could have bypassed cross-origin
restrictions
* CVE-2023-4046 (bmo#1837686)
Incorrect value used during WASM compilation
* CVE-2023-4047 (bmo#1839073)
Potential permissions request bypass via clickjacking
* CVE-2023-4048 (bmo#1841368)
Crash in DOMParser due to out-of-memory conditions
* CVE-2023-4049 (bmo#1842658)
Fix potential race conditions when releasing platform objects
* CVE-2023-4050 (bmo#1843038)
Stack buffer overflow in StorageManager
* CVE-2023-4052 (bmo#1824420)
File deletion and privilege escalation through Firefox
uninstaller
* CVE-2023-4054 (bmo#1840777)
Lack of warning when opening appref-ms files
* CVE-2023-4055 (bmo#1782561)
Cookie jar overflow caused unexpected cookie jar state
* CVE-2023-4056 (bmo#1820587, bmo#1824634, bmo#1839235,
bmo#1842325, bmo#1843847)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14
* CVE-2023-4057 (bmo#1841682)
Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1,
and Thunderbird 115.1