Security update for MozillaFirefox, mozilla-nspr and mozilla-nss SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:4236-2 Final 1 1 2019-04-15T15:37:00Z current 2019-04-15T15:37:00Z 2019-04-15T15:37:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox, mozilla-nspr and mozilla-nss This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-SP1-2019-952 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ Link for SUSE-SU-2018:4236-2 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005339.html E-Mail link for SUSE-SU-2018:4236-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1097410 SUSE Bug 1097410 https://bugzilla.suse.com/1106873 SUSE Bug 1106873 https://bugzilla.suse.com/1119069 SUSE Bug 1119069 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://www.suse.com/security/cve/CVE-2018-0495/ SUSE CVE CVE-2018-0495 page https://www.suse.com/security/cve/CVE-2018-12384/ SUSE CVE CVE-2018-12384 page https://www.suse.com/security/cve/CVE-2018-12404/ SUSE CVE CVE-2018-12404 page https://www.suse.com/security/cve/CVE-2018-12405/ SUSE CVE CVE-2018-12405 page https://www.suse.com/security/cve/CVE-2018-17466/ SUSE CVE CVE-2018-17466 page https://www.suse.com/security/cve/CVE-2018-18492/ SUSE CVE CVE-2018-18492 page https://www.suse.com/security/cve/CVE-2018-18493/ SUSE CVE CVE-2018-18493 page https://www.suse.com/security/cve/CVE-2018-18494/ SUSE CVE CVE-2018-18494 page https://www.suse.com/security/cve/CVE-2018-18498/ SUSE CVE CVE-2018-18498 page SUSE Linux Enterprise Server for SAP Applications 12 SP1 MozillaFirefox-60.4.0esr-109.55.1 MozillaFirefox-devel-60.4.0esr-109.55.1 MozillaFirefox-translations-common-60.4.0esr-109.55.1 libfreebl3-3.40.1-58.18.1 libfreebl3-32bit-3.40.1-58.18.1 libsoftokn3-3.40.1-58.18.1 libsoftokn3-32bit-3.40.1-58.18.1 mozilla-nspr-4.20-19.6.1 mozilla-nspr-32bit-4.20-19.6.1 mozilla-nspr-devel-4.20-19.6.1 mozilla-nss-3.40.1-58.18.1 mozilla-nss-32bit-3.40.1-58.18.1 mozilla-nss-certs-3.40.1-58.18.1 mozilla-nss-certs-32bit-3.40.1-58.18.1 mozilla-nss-devel-3.40.1-58.18.1 mozilla-nss-sysinit-3.40.1-58.18.1 mozilla-nss-sysinit-32bit-3.40.1-58.18.1 mozilla-nss-tools-3.40.1-58.18.1 MozillaFirefox-60.4.0esr-109.55.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 MozillaFirefox-devel-60.4.0esr-109.55.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 MozillaFirefox-translations-common-60.4.0esr-109.55.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libfreebl3-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libfreebl3-32bit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libsoftokn3-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libsoftokn3-32bit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nspr-4.20-19.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nspr-32bit-4.20-19.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nspr-devel-4.20-19.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-32bit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-certs-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-certs-32bit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-devel-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-sysinit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-sysinit-32bit-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 mozilla-nss-tools-3.40.1-58.18.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. CVE-2018-0495 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-0495.html CVE-2018-0495 https://bugzilla.suse.com/1097410 SUSE Bug 1097410 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3. CVE-2018-12384 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-12384.html CVE-2018-12384 https://bugzilla.suse.com/1106873 SUSE Bug 1106873 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. CVE-2018-12404 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-12404.html CVE-2018-12404 https://bugzilla.suse.com/1119069 SUSE Bug 1119069 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Mozilla developers and community members reported memory safety bugs present in Firefox 63 and Firefox ESR 60.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-12405 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-12405.html CVE-2018-12405 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Incorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2018-17466 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-17466.html CVE-2018-17466 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select element in the options collection. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18492 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-18492.html CVE-2018-18492 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A buffer overflow can occur in the Skia library during buffer offset calculations with hardware accelerated canvas 2D actions due to the use of 32-bit calculations instead of 64-bit. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18493 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-18493.html CVE-2018-18493 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18494 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-18494.html CVE-2018-18494 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A potential vulnerability leading to an integer overflow can occur during buffer size calculations for images when a raw value is used instead of the checked value. This leads to a possible out-of-bounds write. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18498 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-devel-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:MozillaFirefox-translations-common-60.4.0esr-109.55.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libfreebl3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libsoftokn3-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-32bit-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nspr-devel-4.20-19.6.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-certs-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-devel-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-sysinit-32bit-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:mozilla-nss-tools-3.40.1-58.18.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20184236-2/ https://www.suse.com/security/cve/CVE-2018-18498.html CVE-2018-18498 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207