Bug 1193485 - VUL-0: MozillaFirefox / MozillaThunderbird: update to 95 and 91.4esr
VUL-0: MozillaFirefox / MozillaThunderbird: update to 95 and 91.4esr
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3.1:SUSE:CVE-2021-43528:6.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-07 13:36 UTC by Martin Sirringhaus
Modified: 2022-04-01 10:40 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Sirringhaus 2021-12-07 13:36:27 UTC
- Mozilla Firefox 95
  MFSA 2021-52
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * MOZ-2021-0010 (bmo#1735852)
    Use-after-free in fullscreen objects on MacOS
  * CVE-2021-43540 (bmo#1636629)
    WebExtensions could have installed persistent ServiceWorkers
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43544 (bmo#1739934)
    Receiving a malicious URL as text through a SEND intent could
    have led to XSS
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)
    Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4

- Mozilla Firefox ESR 91.4.0
  MFSA 2021-53
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)
    Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4

- Mozilla Thunderbird 91.4.0
  MFSA 2021-54
  * CVE-2021-43536 (bmo#1730120)
    URL leakage when navigating while executing asynchronous
    function
  * CVE-2021-43537 (bmo#1738237)
    Heap buffer overflow when using structured clone
  * CVE-2021-43538 (bmo#1739091)
    Missing fullscreen and pointer lock notification when
    requesting both
  * CVE-2021-43539 (bmo#1739683)
    GC rooting failure when calling wasm instance methods
  * CVE-2021-43541 (bmo#1696685)
    External protocol handler parameters were unescaped
  * CVE-2021-43542 (bmo#1723281)
    XMLHttpRequest error codes could have leaked the existence of
    an external protocol handler
  * CVE-2021-43543 (bmo#1738418)
    Bypass of CSP sandbox directive when embedding
  * CVE-2021-43545 (bmo#1720926)
    Denial of Service when using the Location API in a loop
  * CVE-2021-43546 (bmo#1737751)
    Cursor spoofing could overlay user interface when native
    cursor is zoomed
  * CVE-2021-43528 (bmo#1742579)
    JavaScript unexpectedly enabled for the composition area
  * MOZ-2021-0009 (bmo#1393362, bmo#1736046, bmo#1736751,
    bmo#1737009, bmo#1739372, bmo#1739421)
    Memory safety bugs fixed in Thunderbird 91.4.0
Comment 1 OBSbugzilla Bot 2021-12-07 21:50:08 UTC
This is an autogenerated message for OBS integration:
This bug (1193485) was mentioned in
https://build.opensuse.org/request/show/936364 Factory / MozillaFirefox
https://build.opensuse.org/request/show/936365 Factory / MozillaThunderbird
Comment 4 Swamp Workflow Management 2021-12-10 17:17:30 UTC
SUSE-SU-2021:3993-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    MozillaFirefox-91.4.0-152.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    MozillaFirefox-91.4.0-152.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-10 17:18:53 UTC
openSUSE-SU-2021:3993-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaFirefox-91.4.0-152.9.1
Comment 6 Swamp Workflow Management 2021-12-10 20:29:55 UTC
SUSE-SU-2021:14859-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-91.4.0-78.154.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-91.4.0-78.154.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-12-10 20:33:09 UTC
SUSE-SU-2021:3995-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise Server for SAP 15 (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise Server 15-LTSS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    MozillaFirefox-91.4.0-150.9.1
SUSE Enterprise Storage 6 (src):    MozillaFirefox-91.4.0-150.9.1
SUSE CaaS Platform 4.0 (src):    MozillaFirefox-91.4.0-150.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-12 05:17:26 UTC
openSUSE-SU-2021:1575-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaFirefox-91.4.0-lp152.2.74.1
Comment 9 Swamp Workflow Management 2021-12-12 14:18:32 UTC
SUSE-SU-2021:4000-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1193321,1193485
CVE References: CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE OpenStack Cloud Crowbar 8 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE OpenStack Cloud 9 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE OpenStack Cloud 8 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server 12-SP5 (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    MozillaFirefox-91.4.0-112.83.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    MozillaFirefox-91.4.0-112.83.1
HPE Helion Openstack 8 (src):    MozillaFirefox-91.4.0-112.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-12-22 14:25:30 UTC
SUSE-SU-2021:4150-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 1182863,1189547,1190244,1190269,1191332,1192250,1193485
CVE References: CVE-2021-29981,CVE-2021-29982,CVE-2021-29987,CVE-2021-29991,CVE-2021-32810,CVE-2021-38492,CVE-2021-38493,CVE-2021-38495,CVE-2021-38496,CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501,CVE-2021-38502,CVE-2021-38503,CVE-2021-38504,CVE-2021-38505,CVE-2021-38506,CVE-2021-38507,CVE-2021-38508,CVE-2021-38509,CVE-2021-38510,CVE-2021-40529,CVE-2021-43528,CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-91.4.0-8.45.2
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-91.4.0-8.45.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-12-22 14:38:43 UTC
openSUSE-SU-2021:4150-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 1182863,1189547,1190244,1190269,1191332,1192250,1193485
CVE References: CVE-2021-29981,CVE-2021-29982,CVE-2021-29987,CVE-2021-29991,CVE-2021-32810,CVE-2021-38492,CVE-2021-38493,CVE-2021-38495,CVE-2021-38496,CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501,CVE-2021-38502,CVE-2021-38503,CVE-2021-38504,CVE-2021-38505,CVE-2021-38506,CVE-2021-38507,CVE-2021-38508,CVE-2021-38509,CVE-2021-38510,CVE-2021-40529,CVE-2021-43528,CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-91.4.0-8.45.2
Comment 13 Swamp Workflow Management 2021-12-29 14:17:24 UTC
openSUSE-SU-2021:1635-1: An update that fixes 33 vulnerabilities is now available.

Category: security (important)
Bug References: 1182863,1189547,1190244,1190269,1191332,1192250,1193485
CVE References: CVE-2021-29981,CVE-2021-29982,CVE-2021-29987,CVE-2021-29991,CVE-2021-32810,CVE-2021-38492,CVE-2021-38493,CVE-2021-38495,CVE-2021-38496,CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501,CVE-2021-38502,CVE-2021-38503,CVE-2021-38504,CVE-2021-38505,CVE-2021-38506,CVE-2021-38507,CVE-2021-38508,CVE-2021-38509,CVE-2021-38510,CVE-2021-40529,CVE-2021-43528,CVE-2021-43536,CVE-2021-43537,CVE-2021-43538,CVE-2021-43539,CVE-2021-43541,CVE-2021-43542,CVE-2021-43543,CVE-2021-43545,CVE-2021-43546
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    MozillaThunderbird-91.4.0-lp152.2.52.1
Comment 14 Alexander Bergmann 2022-01-03 14:26:03 UTC
The MFSA 2021-54 is now mentioning 1 additional CVE.

CVE-2021-4129: Memory safety bugs fixed in Thunderbird 91.4.0

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/