libmozjs-128-0-128.8.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:14958-1 Final 1 1 2025-04-02T00:00:00Z current 2025-04-02T00:00:00Z 2025-04-02T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmozjs-128-0-128.8.1-1.1 on GA media These are all security issues fixed in the libmozjs-128-0-128.8.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-14958 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MZKGV75ZSDUQ4HV5GEU5SXQRWEVYV5SQ/ E-Mail link for openSUSE-SU-2025:14958-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-43097/ SUSE CVE CVE-2024-43097 page https://www.suse.com/security/cve/CVE-2025-1931/ SUSE CVE CVE-2025-1931 page https://www.suse.com/security/cve/CVE-2025-1935/ SUSE CVE CVE-2025-1935 page https://www.suse.com/security/cve/CVE-2025-2857/ SUSE CVE CVE-2025-2857 page openSUSE Tumbleweed libmozjs-128-0-128.8.1-1.1 mozjs128-128.8.1-1.1 mozjs128-devel-128.8.1-1.1 libmozjs-128-0-128.8.1-1.1 as a component of openSUSE Tumbleweed mozjs128-128.8.1-1.1 as a component of openSUSE Tumbleweed mozjs128-devel-128.8.1-1.1 as a component of openSUSE Tumbleweed In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. CVE-2024-43097 openSUSE Tumbleweed:libmozjs-128-0-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MZKGV75ZSDUQ4HV5GEU5SXQRWEVYV5SQ/ https://www.suse.com/security/cve/CVE-2024-43097.html CVE-2024-43097 https://bugzilla.suse.com/1237683 SUSE Bug 1237683 It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. This vulnerability affects Firefox < 136, Firefox ESR < 115.21, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8. CVE-2025-1931 openSUSE Tumbleweed:libmozjs-128-0-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MZKGV75ZSDUQ4HV5GEU5SXQRWEVYV5SQ/ https://www.suse.com/security/cve/CVE-2025-1931.html CVE-2025-1931 https://bugzilla.suse.com/1237683 SUSE Bug 1237683 A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8. CVE-2025-1935 openSUSE Tumbleweed:libmozjs-128-0-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.8.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MZKGV75ZSDUQ4HV5GEU5SXQRWEVYV5SQ/ https://www.suse.com/security/cve/CVE-2025-1935.html CVE-2025-1935 https://bugzilla.suse.com/1237683 SUSE Bug 1237683 Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1. CVE-2025-2857 openSUSE Tumbleweed:libmozjs-128-0-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-128.8.1-1.1 openSUSE Tumbleweed:mozjs128-devel-128.8.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MZKGV75ZSDUQ4HV5GEU5SXQRWEVYV5SQ/ https://www.suse.com/security/cve/CVE-2025-2857.html CVE-2025-2857 https://bugzilla.suse.com/1240140 SUSE Bug 1240140