MozillaFirefox-103.0.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12227-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z MozillaFirefox-103.0.1-1.1 on GA media These are all security issues fixed in the MozillaFirefox-103.0.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12227 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-2505/ SUSE CVE CVE-2022-2505 page https://www.suse.com/security/cve/CVE-2022-36314/ SUSE CVE CVE-2022-36314 page https://www.suse.com/security/cve/CVE-2022-36315/ SUSE CVE CVE-2022-36315 page https://www.suse.com/security/cve/CVE-2022-36316/ SUSE CVE CVE-2022-36316 page https://www.suse.com/security/cve/CVE-2022-36317/ SUSE CVE CVE-2022-36317 page https://www.suse.com/security/cve/CVE-2022-36318/ SUSE CVE CVE-2022-36318 page https://www.suse.com/security/cve/CVE-2022-36319/ SUSE CVE CVE-2022-36319 page https://www.suse.com/security/cve/CVE-2022-36320/ SUSE CVE CVE-2022-36320 page openSUSE Tumbleweed MozillaFirefox-103.0.1-1.1 MozillaFirefox-branding-upstream-103.0.1-1.1 MozillaFirefox-devel-103.0.1-1.1 MozillaFirefox-translations-common-103.0.1-1.1 MozillaFirefox-translations-other-103.0.1-1.1 MozillaFirefox-103.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-branding-upstream-103.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-devel-103.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-common-103.0.1-1.1 as a component of openSUSE Tumbleweed MozillaFirefox-translations-other-103.0.1-1.1 as a component of openSUSE Tumbleweed Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1. CVE-2022-2505 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-2505.html CVE-2022-2505 When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1. CVE-2022-36314 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36314.html CVE-2022-36314 When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103. CVE-2022-36315 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36315.html CVE-2022-36315 When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103. CVE-2022-36316 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36316.html CVE-2022-36316 When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 103. CVE-2022-36317 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36317.html CVE-2022-36317 When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. CVE-2022-36318 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36318.html CVE-2022-36318 When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. CVE-2022-36319 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36319.html CVE-2022-36319 Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 103. CVE-2022-36320 openSUSE Tumbleweed:MozillaFirefox-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-branding-upstream-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-devel-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-common-103.0.1-1.1 openSUSE Tumbleweed:MozillaFirefox-translations-other-103.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36320.html CVE-2022-36320