Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2994-1 Final 1 1 2016-12-04T17:21:17Z current 2016-12-04T17:21:17Z 2016-12-04T17:21:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox MozillaFirefox is updated to version 50.0.2 which fixes the following issues: * Firefox crashed with 3rd party Chinese IME when using IME text (fixed in version 50.0.1) * Redirection from an HTTP connection to a data: URL could inherit wrong origin after an HTTP redirect (fixed in version 50.0.1, bmo#1317641, MFSA 2016-91, boo#1012807, CVE-2016-9078) * Maliciously crafted SVG animations could cause remote code execution (fixed in version 50.0.2, bmo#1321066, MFSA 2016-92, boo##1012964, CVE-2016-9079) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00008.html E-Mail link for openSUSE-SU-2016:2994-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 MozillaFirefox-50.0.2-42.2 MozillaFirefox-branding-upstream-50.0.2-42.2 MozillaFirefox-buildsymbols-50.0.2-42.2 MozillaFirefox-devel-50.0.2-42.2 MozillaFirefox-translations-common-50.0.2-42.2 MozillaFirefox-translations-other-50.0.2-42.2 MozillaFirefox-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-branding-upstream-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-buildsymbols-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-devel-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-translations-common-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-translations-other-50.0.2-42.2 as a component of openSUSE Leap 42.1 MozillaFirefox-50.0.2-42.2 as a component of openSUSE Leap 42.2 MozillaFirefox-branding-upstream-50.0.2-42.2 as a component of openSUSE Leap 42.2 MozillaFirefox-buildsymbols-50.0.2-42.2 as a component of openSUSE Leap 42.2 MozillaFirefox-devel-50.0.2-42.2 as a component of openSUSE Leap 42.2 MozillaFirefox-translations-common-50.0.2-42.2 as a component of openSUSE Leap 42.2 MozillaFirefox-translations-other-50.0.2-42.2 as a component of openSUSE Leap 42.2 Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1. CVE-2016-9078 openSUSE Leap 42.1:MozillaFirefox-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-branding-upstream-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-buildsymbols-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-devel-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-translations-common-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-translations-other-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-branding-upstream-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-buildsymbols-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-devel-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-translations-common-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-translations-other-50.0.2-42.2 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00008.html https://www.suse.com/security/cve/CVE-2016-9078.html CVE-2016-9078 https://bugzilla.suse.com/1012807 SUSE Bug 1012807 A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1. CVE-2016-9079 openSUSE Leap 42.1:MozillaFirefox-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-branding-upstream-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-buildsymbols-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-devel-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-translations-common-50.0.2-42.2 openSUSE Leap 42.1:MozillaFirefox-translations-other-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-branding-upstream-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-buildsymbols-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-devel-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-translations-common-50.0.2-42.2 openSUSE Leap 42.2:MozillaFirefox-translations-other-50.0.2-42.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-12/msg00008.html https://www.suse.com/security/cve/CVE-2016-9079.html CVE-2016-9079 https://bugzilla.suse.com/1012964 SUSE Bug 1012964