Sicherheit: Ausführen von Code mit höheren Privilegien in MozillaFirefox

Lesezeichen hinzufügen

--===============4040146681997874226==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

# Security update for MozillaFirefox

Announcement ID: SUSE-SU-2025:1414-1
Release Date: 2025-04-30T06:59:28Z
Rating: important
References:

* bsc#1241621

Cross-References:

* CVE-2025-2817

CVSS scores:

* CVE-2025-2817 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-2817 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-2817 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server 12 SP5 LTSS
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
* SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for MozillaFirefox fixes the following issues:

* Firefox Extended Support Release 128.10.0 ESR MFSA 2025-29 (bsc#1241621):
* CVE-2025-2817: Potential privilege escalation in Firefox Updater
* MFSA-RESERVE-2025-193709: WebGL shader attribute memory corruption in
Firefox for macOS
* MFSA-RESERVE-2025-1958350: Process isolation bypass using `javascript:` URI
links in cross-origin frames
* MFSA-RESERVE-2025-1949994: Potential local code execution in "copy as
cURL"
command
* MFSA-RESERVE-2025-1952465: Unsafe attribute access during XPath parsing
* MFSA-RESERVE-2025-3: Memory safety bugs fixed in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10
* MFSA-RESERVE-2025-7: Memory safety bug fixed in Firefox ESR 128.10 and
Thunderbird 128.10

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 12 SP5 LTSS
zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-1414=1

* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
zypper in -t patch
SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1414=1

## Package List:

* SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* MozillaFirefox-debugsource-128.10.0-112.255.1
* MozillaFirefox-128.10.0-112.255.1
* MozillaFirefox-translations-common-128.10.0-112.255.1
* MozillaFirefox-debuginfo-128.10.0-112.255.1
* SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
* MozillaFirefox-devel-128.10.0-112.255.1
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
* MozillaFirefox-debugsource-128.10.0-112.255.1
* MozillaFirefox-128.10.0-112.255.1
* MozillaFirefox-translations-common-128.10.0-112.255.1
* MozillaFirefox-debuginfo-128.10.0-112.255.1
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
* MozillaFirefox-devel-128.10.0-112.255.1

## References:

* https://www.suse.com/security/cve/CVE-2025-2817.html
* https://bugzilla.suse.com/show_bug.cgi?id=1241621

--===============4040146681997874226==
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

<div class="container">
<h1>Security update for MozillaFirefox</h1>

<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:1414-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-04-30T06:59:28Z</td>
</tr>

<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>

<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241621">bsc#1241621</a>
</li>

</ul>
</td>
</tr>

<tr>
<th>
Cross-References:
</th>
<td>
<ul>

<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-2817.html">CVE-2025-2817</a>
</li>

</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">

<li class="list-group-item">
<span
class="cvss-reference">CVE-2025-2817</span>
<span class="cvss-source">
(

SUSE

):
</span>
<span
class="cvss-score">8.5</span>
<span
class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>

<li class="list-group-item">
<span
class="cvss-reference">CVE-2025-2817</span>
<span class="cvss-source">
(

SUSE

):
</span>
<span
class="cvss-score">7.8</span>
<span
class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>

<li class="list-group-item">
<span
class="cvss-reference">CVE-2025-2817</span>
<span class="cvss-source">
(

NVD

):
</span>
<span
class="cvss-score">8.8</span>
<span
class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>

</ul>
</td>
</tr>

<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">

<li class="list-group-item">SUSE Linux
Enterprise High Performance Computing 12 SP5</li>

<li class="list-group-item">SUSE Linux
Enterprise Server 12 SP5</li>

<li class="list-group-item">SUSE Linux
Enterprise Server 12 SP5 LTSS</li>

<li class="list-group-item">SUSE Linux
Enterprise Server 12 SP5 LTSS Extended Security</li>

<li class="list-group-item">SUSE Linux
Enterprise Server for SAP Applications 12 SP5</li>

</ul>
</td>
</tr>
</tbody>
</table>

<p>An update that solves one vulnerability can now be
installed.</p>

<h2>Description:</h2>

<p>This update for MozillaFirefox fixes the following
issues:</p>
<ul>
<li>Firefox Extended Support Release 128.10.0 ESR MFSA 2025-29
(bsc#1241621):</li>
<li>CVE-2025-2817: Potential privilege escalation in Firefox
Updater</li>
<li>MFSA-RESERVE-2025-193709: WebGL shader attribute memory corruption in
Firefox for macOS</li>
<li>MFSA-RESERVE-2025-1958350: Process isolation bypass using
<code>javascript:</code> URI links in
cross-origin frames</li>
<li>MFSA-RESERVE-2025-1949994: Potential local code execution in
"copy as cURL" command</li>
<li>MFSA-RESERVE-2025-1952465: Unsafe attribute access during XPath
parsing</li>
<li>MFSA-RESERVE-2025-3: Memory safety bugs fixed in Firefox 138,
Thunderbird 138,
Firefox ESR 128.10, and Thunderbird 128.10</li>
<li>MFSA-RESERVE-2025-7: Memory safety bug fixed in Firefox ESR 128.10
and Thunderbird
128.10</li>
</ul>

<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper
patch".<br/>

Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">

<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS

<br/>
<code>zypper in -t patch
SUSE-SLE-SERVER-12-SP5-LTSS-2025-1414=1</code>

</li>

<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security

<br/>
<code>zypper in -t patch
SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1414=1</code>

</li>

</ul>

<h2>Package List:</h2>
<ul>

<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le
s390x x86_64)
<ul>

<li>MozillaFirefox-debugsource-128.10.0-112.255.1</li>

<li>MozillaFirefox-128.10.0-112.255.1</li>

<li>MozillaFirefox-translations-common-128.10.0-112.255.1</li>

<li>MozillaFirefox-debuginfo-128.10.0-112.255.1</li>

</ul>
</li>

<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
<ul>

<li>MozillaFirefox-devel-128.10.0-112.255.1</li>

</ul>
</li>

<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
(x86_64)
<ul>

<li>MozillaFirefox-debugsource-128.10.0-112.255.1</li>

<li>MozillaFirefox-128.10.0-112.255.1</li>

<li>MozillaFirefox-translations-common-128.10.0-112.255.1</li>

<li>MozillaFirefox-debuginfo-128.10.0-112.255.1</li>

</ul>
</li>

<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
(noarch)
<ul>

<li>MozillaFirefox-devel-128.10.0-112.255.1</li>

</ul>
</li>

</ul>

<h2>References:</h2>
<ul>

<li>
<a href="https://www.suse.com/security/cve/CVE-2025-2817.html">https://www.suse.com/security/cve/CVE-2025-2817.html</a>
</li>

<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241621">https://bugzilla.suse.com/show_bug.cgi?id=1241621</a>
</li>

</ul>

</div>

--===============4040146681997874226==--