Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0056-1 Final 1 1 2025-01-09T16:59:11Z current 2025-01-09T16:59:11Z 2025-01-09T16:59:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 128.6.0 ESR * Fixed: Various security fixes. MFSA 2025-02 (bsc#1234991) * CVE-2025-0237 (bmo#1915257) WebChannel APIs susceptible to confused deputy attack * CVE-2025-0238 (bmo#1915535) Use-after-free when breaking lines * CVE-2025-0239 (bmo#1929156) Alt-Svc ALPN validation failure when redirected * CVE-2025-0240 (bmo#1929623) Compartment mismatch when parsing JavaScript JSON module * CVE-2025-0241 (bmo#1933023) Memory corruption when using JavaScript Text Segmentation * CVE-2025-0242 (bmo#1874523, bmo#1926454, bmo#1931873, bmo#1932169) Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6 * CVE-2025-0243 (bmo#1827142, bmo#1932783) Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6 - Firefox Extended Support Release 128.5.2 ESR * Fixed: Fixed a crash experienced by Windows users with Qihoo 360 Total Security Antivirus software installed (bmo#1934258) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2025-56,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2025-56,SUSE-2025-56,SUSE-SLE-SERVER-12-SP5-LTSS-2025-56,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-56 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ Link for SUSE-SU-2025:0056-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020078.html E-Mail link for SUSE-SU-2025:0056-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234991 SUSE Bug 1234991 https://www.suse.com/security/cve/CVE-2025-0237/ SUSE CVE CVE-2025-0237 page https://www.suse.com/security/cve/CVE-2025-0238/ SUSE CVE CVE-2025-0238 page https://www.suse.com/security/cve/CVE-2025-0239/ SUSE CVE CVE-2025-0239 page https://www.suse.com/security/cve/CVE-2025-0240/ SUSE CVE CVE-2025-0240 page https://www.suse.com/security/cve/CVE-2025-0241/ SUSE CVE CVE-2025-0241 page https://www.suse.com/security/cve/CVE-2025-0242/ SUSE CVE CVE-2025-0242 page https://www.suse.com/security/cve/CVE-2025-0243/ SUSE CVE CVE-2025-0243 page Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-128.6.0-112.243.1 MozillaFirefox-branding-upstream-128.6.0-112.243.1 MozillaFirefox-devel-128.6.0-112.243.1 MozillaFirefox-translations-common-128.6.0-112.243.1 MozillaFirefox-translations-other-128.6.0-112.243.1 MozillaFirefox-128.6.0-112.243.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production MozillaFirefox-128.6.0-112.243.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production MozillaFirefox-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-devel-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-translations-common-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-devel-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-translations-common-128.6.0-112.243.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0237 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0237.html CVE-2025-0237 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0238 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0238.html CVE-2025-0238 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0239 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0239.html CVE-2025-0239 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0240 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0240.html CVE-2025-0240 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0241 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0241.html CVE-2025-0241 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0242 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0242.html CVE-2025-0242 https://bugzilla.suse.com/1234991 SUSE Bug 1234991 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. CVE-2025-0243 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-128.6.0-112.243.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-128.6.0-112.243.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250056-1/ https://www.suse.com/security/cve/CVE-2025-0243.html CVE-2025-0243 https://bugzilla.suse.com/1234991 SUSE Bug 1234991