Security update for mozjs115 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3538-1 Final 1 1 2024-10-07T12:16:34Z current 2024-10-07T12:16:34Z 2024-10-07T12:16:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mozjs115 This update for mozjs115 fixes the following issues: - CVE-2024-45490: Fixed negative len for XML_ParseBuffer in embedded expat (bnc#1230036) - CVE-2024-45491: Fixed integer overflow in dtdCopy in embedded expat (bnc#1230037) - CVE-2024-45492: Fixed integer overflow in function nextScaffoldPart in embedded expat (bnc#1230038) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3538,SUSE-SLE-Module-Desktop-Applications-15-SP6-2024-3538,openSUSE-SLE-15.6-2024-3538 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243538-1/ Link for SUSE-SU-2024:3538-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019556.html E-Mail link for SUSE-SU-2024:3538-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1230036 SUSE Bug 1230036 https://bugzilla.suse.com/1230037 SUSE Bug 1230037 https://bugzilla.suse.com/1230038 SUSE Bug 1230038 https://www.suse.com/security/cve/CVE-2024-45490/ SUSE CVE CVE-2024-45490 page https://www.suse.com/security/cve/CVE-2024-45491/ SUSE CVE CVE-2024-45491 page https://www.suse.com/security/cve/CVE-2024-45492/ SUSE CVE CVE-2024-45492 page SUSE Linux Enterprise Module for Desktop Applications 15 SP6 openSUSE Leap 15.6 libmozjs-115-0-115.4.0-150600.3.3.1 mozjs115-115.4.0-150600.3.3.1 mozjs115-devel-115.4.0-150600.3.3.1 libmozjs-115-0-115.4.0-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP6 mozjs115-devel-115.4.0-150600.3.3.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP6 libmozjs-115-0-115.4.0-150600.3.3.1 as a component of openSUSE Leap 15.6 mozjs115-115.4.0-150600.3.3.1 as a component of openSUSE Leap 15.6 mozjs115-devel-115.4.0-150600.3.3.1 as a component of openSUSE Leap 15.6 An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libmozjs-115-0-115.4.0-150600.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:mozjs115-devel-115.4.0-150600.3.3.1 openSUSE Leap 15.6:libmozjs-115-0-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-devel-115.4.0-150600.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243538-1/ https://www.suse.com/security/cve/CVE-2024-45490.html CVE-2024-45490 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libmozjs-115-0-115.4.0-150600.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:mozjs115-devel-115.4.0-150600.3.3.1 openSUSE Leap 15.6:libmozjs-115-0-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-devel-115.4.0-150600.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243538-1/ https://www.suse.com/security/cve/CVE-2024-45491.html CVE-2024-45491 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229931 SUSE Bug 1229931 An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:libmozjs-115-0-115.4.0-150600.3.3.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP6:mozjs115-devel-115.4.0-150600.3.3.1 openSUSE Leap 15.6:libmozjs-115-0-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-115.4.0-150600.3.3.1 openSUSE Leap 15.6:mozjs115-devel-115.4.0-150600.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243538-1/ https://www.suse.com/security/cve/CVE-2024-45492.html CVE-2024-45492 https://bugzilla.suse.com/1229930 SUSE Bug 1229930 https://bugzilla.suse.com/1229932 SUSE Bug 1229932