Bugzilla – Bug 1212438
VUL-0: MozillaFirefox / MozillaThunderbird: update to 115 and 102.13esr/115esr
Last modified: 2024-01-24 15:29:52 UTC
- Mozilla Firefox 115 MFSA 2023-22
  * CVE-2023-3482 (bmo#1839464) Block all cookies bypass for localstorage
  * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-37203 (bmo#291640) Drag and Drop API may provide access to local system files
  * CVE-2023-37204 (bmo#1832195) Fullscreen notification obscured via option element
  * CVE-2023-37205 (bmo#1704420) URL spoofing in address bar using RTL characters
  * CVE-2023-37206 (bmo#1813299) Insufficient validation of symlinks in the FileSystem API
  * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
  * CVE-2023-37209 (bmo#1837993) Use-after-free in `NotifyOnHistoryReload`
  * CVE-2023-37210 (bmo#1821886) Full-screen mode exit prevention
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13
  * CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206, bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710, bmo#1838587) Memory safety bugs fixed in Firefox 115
We will probably not use this version, but just in case:
- Mozilla Firefox ESR 102.13 MFSA 2023-23
  * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation
  * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey
  * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured
  * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files
  * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13
This is an autogenerated message for OBS integration: This bug (1212438) was mentioned in https://build.opensuse.org/request/show/1097755 Factory / MozillaThunderbird
SUSE-SU-2023:2850-1: An update that solves 13 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1212101, 1212438
CVE References: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211, CVE-2023-37212
Sources used:
SUSE OpenStack Cloud 9 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE OpenStack Cloud Crowbar 9 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): MozillaFirefox-115.0-112.165.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Server 12 SP5 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): MozillaFirefox-115.0-112.165.1, MozillaFirefox-branding-SLE-115-35.12.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2849-1: An update that solves 13 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1212101, 1212438
CVE References: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211, CVE-2023-37212
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.0-150000.150.91.1, MozillaFirefox-branding-SLE-115-150000.4.25.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-115.0-150000.150.91.1, MozillaFirefox-branding-SLE-115-150000.4.25.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-115.0-150000.150.91.1, MozillaFirefox-branding-SLE-115-150000.4.25.1
SUSE CaaS Platform 4.0 (src): MozillaFirefox-115.0-150000.150.91.1, MozillaFirefox-branding-SLE-115-150000.4.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2886-1: An update that solves 13 vulnerabilities can now be installed.
Category: security (important)
Bug References: 1212101, 1212438
CVE References: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211, CVE-2023-37212
Sources used:
openSUSE Leap 15.5 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
Desktop Applications Module 15-SP4 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
Desktop Applications Module 15-SP5 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise Real Time 15 SP3 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Enterprise Storage 7.1 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
SUSE Enterprise Storage 7 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
openSUSE Leap 15.4 (src): MozillaFirefox-branding-SLE-115-150200.9.13.1, MozillaFirefox-115.0-150200.152.93.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3059-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1212438
CVE References: CVE-2023-3417, CVE-2023-3600
Sources used:
openSUSE Leap 15.4 (src): MozillaThunderbird-115.0.1-150200.8.124.1
openSUSE Leap 15.5 (src): MozillaThunderbird-115.0.1-150200.8.124.1
SUSE Package Hub 15 15-SP4 (src): MozillaThunderbird-115.0.1-150200.8.124.1
SUSE Package Hub 15 15-SP5 (src): MozillaThunderbird-115.0.1-150200.8.124.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): MozillaThunderbird-115.0.1-150200.8.124.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): MozillaThunderbird-115.0.1-150200.8.124.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Just curious if we are aware, according to Upstream this version of TB (115) is not an upgrade for the previous version 102:
https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/
"Thunderbird version 115 is only offered as direct download from thunderbird.net and not as an upgrade from Thunderbird version 102 or earlier. A future release will provide updates from earlier versions. For more on all the new features in Thunderbird 115, see What's New in Thunderbird 115."
We should only offer this as an upgrade, or make it so that zypper will not try to upgrade it from 102?
TB 115 is an upgrade but there is an overlapping maintenance until TB 102.15.0 to be released end of August. That will be the last 102 version and then when 115.3.0 is released it will start to be the only upstream maintained version. For TW I'm about to release 102.14.0 now but within the next days and weeks plan to provide 115.1.0 as another upgrade. But that is TW which is supposed to be bleeding edge even if the UI is kind of disruptive.
done