libmozjs-128-0-128.5.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14542-1 Final 1 1 2024-12-04T00:00:00Z current 2024-12-04T00:00:00Z 2024-12-04T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmozjs-128-0-128.5.1-1.1 on GA media These are all security issues fixed in the libmozjs-128-0-128.5.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14542 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ E-Mail link for openSUSE-SU-2024:14542-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-11691/ SUSE CVE CVE-2024-11691 page https://www.suse.com/security/cve/CVE-2024-11692/ SUSE CVE CVE-2024-11692 page https://www.suse.com/security/cve/CVE-2024-11694/ SUSE CVE CVE-2024-11694 page https://www.suse.com/security/cve/CVE-2024-11695/ SUSE CVE CVE-2024-11695 page https://www.suse.com/security/cve/CVE-2024-11696/ SUSE CVE CVE-2024-11696 page https://www.suse.com/security/cve/CVE-2024-11697/ SUSE CVE CVE-2024-11697 page openSUSE Tumbleweed libmozjs-128-0-128.5.1-1.1 mozjs128-128.5.1-1.1 mozjs128-devel-128.5.1-1.1 libmozjs-128-0-128.5.1-1.1 as a component of openSUSE Tumbleweed mozjs128-128.5.1-1.1 as a component of openSUSE Tumbleweed mozjs128-devel-128.5.1-1.1 as a component of openSUSE Tumbleweed Certain WebGL operations on Apple silicon M series devices could have lead to an out-of-bounds write and memory corruption due to a flaw in Apple's GPU driver. *This bug only affected the application on Apple M series hardware. Other platforms were unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. CVE-2024-11691 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11691.html CVE-2024-11691 https://bugzilla.suse.com/1233695 SUSE Bug 1233695 An attacker could cause a select dropdown to be shown over another tab; this could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. CVE-2024-11692 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11692.html CVE-2024-11692 https://bugzilla.suse.com/1233695 SUSE Bug 1233695 Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18. CVE-2024-11694 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11694.html CVE-2024-11694 https://bugzilla.suse.com/1233695 SUSE Bug 1233695 A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. CVE-2024-11695 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11695.html CVE-2024-11695 https://bugzilla.suse.com/1233695 SUSE Bug 1233695 The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. CVE-2024-11696 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11696.html CVE-2024-11696 https://bugzilla.suse.com/1233695 SUSE Bug 1233695 When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. CVE-2024-11697 openSUSE Tumbleweed:libmozjs-128-0-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-128.5.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.5.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HIP7LBABDEHTEPO7WYQ5CHI542PJGK5L/ https://www.suse.com/security/cve/CVE-2024-11697.html CVE-2024-11697 https://bugzilla.suse.com/1233695 SUSE Bug 1233695