libmozjs-128-0-128.7.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14764-1 Final 1 1 2025-02-11T00:00:00Z current 2025-02-11T00:00:00Z 2025-02-11T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmozjs-128-0-128.7.0-1.1 on GA media These are all security issues fixed in the libmozjs-128-0-128.7.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14764 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-0237/ SUSE CVE CVE-2025-0237 page https://www.suse.com/security/cve/CVE-2025-0239/ SUSE CVE CVE-2025-0239 page https://www.suse.com/security/cve/CVE-2025-0243/ SUSE CVE CVE-2025-0243 page https://www.suse.com/security/cve/CVE-2025-1009/ SUSE CVE CVE-2025-1009 page https://www.suse.com/security/cve/CVE-2025-1011/ SUSE CVE CVE-2025-1011 page https://www.suse.com/security/cve/CVE-2025-1014/ SUSE CVE CVE-2025-1014 page openSUSE Tumbleweed libmozjs-128-0-128.7.0-1.1 mozjs128-128.7.0-1.1 mozjs128-devel-128.7.0-1.1 libmozjs-128-0-128.7.0-1.1 as a component of openSUSE Tumbleweed mozjs128-128.7.0-1.1 as a component of openSUSE Tumbleweed mozjs128-devel-128.7.0-1.1 as a component of openSUSE Tumbleweed The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0237 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0237.html CVE-2025-0237 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0239 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0239.html CVE-2025-0239 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0243 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-0243.html CVE-2025-0243 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. CVE-2025-1009 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-1009.html CVE-2025-1009 https://bugzilla.suse.com/1236539 SUSE Bug 1236539 A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. CVE-2025-1011 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-1011.html CVE-2025-1011 https://bugzilla.suse.com/1236539 SUSE Bug 1236539 Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. CVE-2025-1014 openSUSE Tumbleweed:libmozjs-128-0-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-128.7.0-1.1 openSUSE Tumbleweed:mozjs128-devel-128.7.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-1014.html CVE-2025-1014 https://bugzilla.suse.com/1236539 SUSE Bug 1236539