Bug 1028391

Summary: VUL-0: MozillaFirefox 52/45.8.0 security release
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: astieger, cgrobertson, meissner, pcerny, security-team, vpereira, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: All   
URL: https://smash.suse.de/issue/181311/
Whiteboard: CVSSv2:RedHat:CVE-2017-5401:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5410:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5400:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5404:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5402:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5405:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5398:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2017-5408:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:RedHat:CVE-2017-5407:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:SUSE:CVE-2017-5427:4.1:(AV:L/AC:M/Au:S/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5426:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5415:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5412:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5416:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-5407:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5421:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5413:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5411:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5404:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5403:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5399:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5406:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5409:1.5:(AV:L/AC:M/Au:S/C:N/I:P/A:N) CVSSv2:SUSE:CVE-2017-5408:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5405:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-5420:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5398:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5401:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5414:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5425:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5400:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5410:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-5402:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) 
CVSSv2:SUSE:CVE-2017-5417:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2017-5418:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2017-5419:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2017-5422:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:released:oes2015:63480 CVSSv3:RedHat:CVE-2017-5398:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5404:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5410:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5408:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-5407:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVSSv3:RedHat:CVE-2017-5401:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5400:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5405:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-5402:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVSSv2:NVD:CVE-2017-5398:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2017-5399:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2017-5400:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5401:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5402:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5403:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5404:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5405:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5406:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-5407:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5408:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5409:3.6:(AV:L/AC:L/Au:N/C:N/I:P/A:P) CVSSv2:NVD:CVE-2017-5410:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5411:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-5412:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5413:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2017-5414:4.9:(AV:L/AC:L/Au:N/C:C/I:N/A:N) CVSSv2:NVD:CVE-2017-5415:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-5416:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) 
CVSSv2:NVD:CVE-2017-5417:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-5418:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5419:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSSv2:NVD:CVE-2017-5420:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-5421:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-5422:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-5425:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-5426:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2017-5427:1.9:(AV:L/AC:M/Au:N/C:N/I:P/A:N) CVSSv3:NVD:CVE-2017-5398:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5399:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5400:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5401:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5402:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5403:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5404:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5405:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-5406:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-5407:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2017-5408:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-5409:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) CVSSv3:NVD:CVE-2017-5410:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5411:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-5412:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2017-5413:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2017-5414:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2017-5415:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVSSv3:NVD:CVE-2017-5416:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-5417:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVSSv3:NVD:CVE-2017-5418:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:NVD:CVE-2017-5419:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 
CVSSv3:NVD:CVE-2017-5420:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) CVSSv3:NVD:CVE-2017-5421:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVSSv3:NVD:CVE-2017-5422:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-5425:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:NVD:CVE-2017-5426:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVSSv3:NVD:CVE-2017-5427:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1026102    
Bug Blocks:    
Deadline: 2017-03-23   

Description Andreas Stieger 2017-03-07 22:02:53 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/

Fixed in Mozilla Firefox 52:

CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP bmo#1334933
CVE-2017-5401: Memory Corruption when handling ErrorResult bmo#1328861
CVE-2017-5402: Use-after-free working with events in FontFace objects bmo#1334876
CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object bmo#1340186
CVE-2017-5404: Use-after-free working with ranges in selections bmo#1340138
CVE-2017-5406: Segmentation fault in Skia with canvas operations bmo#1306890
CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters bmo#1336622
CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping bmo#1330687
CVE-2017-5408: Cross-origin reading of video captions in violation of CORS bmo#1313711
CVE-2017-5412: Buffer overflow read in SVG filters bmo#1328323
CVE-2017-5413: Segmentation fault during bidirectional operations bmo#1337504
CVE-2017-5414: File picker can choose incorrect default directory bmo#1319370
CVE-2017-5415: Addressbar spoofing through blob URL bmo#1321719
CVE-2017-5416: Null dereference crash in HttpChannel bmo#1328121
CVE-2017-5417: Addressbar spoofing by dragging and dropping URLs bmo#791597
CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running bmo#1257361
CVE-2017-5427: Non-existent chrome.manifest file loaded during startup bmo#1295542
CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses bmo#1338876
CVE-2017-5419: Repeated authentication prompts lead to DOS attack bmo#1312243
CVE-2017-5420: Javascript: URLs can obfuscate addressbar location bmo#1284395
CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports bmo#1336699
CVE-2017-5421: Print preview spoofing bmo#1301876
CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink bmo#1295002
CVE-2017-5399: Memory safety bugs fixed in Firefox 52
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/

Fixed in Mozilla Firefox ESR 45.6.0:

CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP bmo#1334933
CVE-2017-5401: Memory Corruption when handling ErrorResult bmo#1328861
CVE-2017-5402: Use-after-free working with events in FontFace objects bmo#1334876
CVE-2017-5404: Use-after-free working with ranges in selections bmo#1340138
CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters bmo#1336622
CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping bmo#1330687
CVE-2017-5408: Cross-origin reading of video captions in violation of CORS bmo#1313711
CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports bmo#1336699
CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8

Windows only:

CVE-2017-5411: Use-after-free in Buffer Storage in libGLES bmo#1325511
CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service bmo#1321814

OS X only:

CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access bmo#1322716
Comment 1 Andreas Stieger 2017-03-07 22:18:03 UTC
> Fixed in Mozilla Firefox ESR 45.6.0:

45.8.0
Comment 2 Andreas Stieger 2017-03-07 22:18:19 UTC
*** Bug 1028393 has been marked as a duplicate of this bug. ***
Comment 3 Swamp Workflow Management 2017-03-07 23:01:01 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2017-03-08 01:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/477659 Factory / MozillaFirefox
https://build.opensuse.org/request/show/477667 42.1 / MozillaFirefox
https://build.opensuse.org/request/show/477668 42.2 / MozillaFirefox
Comment 6 Wolfgang Rosenauer 2017-03-08 14:15:33 UTC
I got a community report that Firefox 52 disables ALSA support by default and requires pulseaudio. I will look into our options but it will take at least one more day to get a better understanding of the impact.

Not sure what the update plans are but if there is a feasible solution to avoid that on released distributions it might make sense to delay the update for a moment. I will update this bugreport as there currently is no other one about the topic.
Comment 7 Wolfgang Rosenauer 2017-03-08 16:05:04 UTC
Update on ALSA situation:
It seems the ALSA code is still there and can be enabled but it's obsolete and officially unsupported upstream.
So my proposal:
- I will enable ALSA for the 42.x updates
- I will even enable it for Tumbleweed but as soon as it breaks building with upcoming versions or there are bugreports about ALSA only problems I will most likely disable it and do not put any effort into ALSA support

Can I get a quick ACK/NACK from maintenance on that plan as it means I will submit a slightly changed package tomorrow to reenable ALSA support?
Comment 9 Bernhard Wiedemann 2017-03-09 13:00:43 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/477955 Factory / MozillaFirefox
https://build.opensuse.org/request/show/477956 42.2 / MozillaFirefox
https://build.opensuse.org/request/show/477957 42.1 / MozillaFirefox
Comment 10 Wolfgang Rosenauer 2017-03-09 15:32:03 UTC
ALSA reenabled with latest submission.
Comment 11 Bernhard Wiedemann 2017-03-09 17:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/477996 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/477997 42.2 / MozillaThunderbird
https://build.opensuse.org/request/show/477998 42.1 / MozillaThunderbird
Comment 12 Bernhard Wiedemann 2017-03-10 15:01:34 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/478505 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/478506 42.2 / MozillaThunderbird
https://build.opensuse.org/request/show/478507 42.1 / MozillaThunderbird
Comment 13 Swamp Workflow Management 2017-03-14 17:09:06 UTC
openSUSE-SU-2017:0687-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028391
CVE References: CVE-2017-5398,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5404,CVE-2017-5405,CVE-2017-5407,CVE-2017-5408,CVE-2017-5410
Sources used:
openSUSE Leap 42.2 (src):    MozillaThunderbird-45.8.0-39.1
openSUSE Leap 42.1 (src):    MozillaThunderbird-45.8.0-39.1
Comment 14 Swamp Workflow Management 2017-03-14 17:09:24 UTC
openSUSE-SU-2017:0688-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028391
CVE References: CVE-2017-5398,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5404,CVE-2017-5405,CVE-2017-5407,CVE-2017-5408,CVE-2017-5410
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-45.8.0-27.1
Comment 15 Swamp Workflow Management 2017-03-14 17:09:44 UTC
openSUSE-SU-2017:0690-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 1028391
CVE References: CVE-2017-5398,CVE-2017-5399,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5403,CVE-2017-5404,CVE-2017-5405,CVE-2017-5406,CVE-2017-5407,CVE-2017-5408,CVE-2017-5410,CVE-2017-5412,CVE-2017-5413,CVE-2017-5414,CVE-2017-5415,CVE-2017-5416,CVE-2017-5417,CVE-2017-5418,CVE-2017-5419,CVE-2017-5420,CVE-2017-5421,CVE-2017-5422,CVE-2017-5426,CVE-2017-5427
Sources used:
openSUSE Leap 42.2 (src):    MozillaFirefox-52.0-55.2, java-1_8_0-openjdk-1.8.0.121-8.1, mozilla-nss-3.28.3-38.1
openSUSE Leap 42.1 (src):    MozillaFirefox-52.0-55.1, MozillaFirefox-52.0-55.2, java-1_8_0-openjdk-1.8.0.121-23.1, mozilla-nss-3.28.3-38.1
Comment 16 Arjan de Jong 2017-03-15 09:33:05 UTC
After the install of the Firefox upgrade, plugins from /usr/lib64/browser-plugins aren't loaded. Downgrade of Firefox solved this problem.
Comment 17 Andreas Stieger 2017-03-15 09:34:51 UTC
(In reply to Arjan de Jong from comment #16)
> After the install of the Firefox upgrade, plugins from
> /usr/lib64/browser-plugins aren't loaded. Downgrade of Firefox solved this
> problem.

See https://www.mozilla.org/en-US/firefox/52.0/releasenotes/

Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.
Comment 18 Wolfgang Rosenauer 2017-03-15 09:51:33 UTC
Please note that Firefox 52.0ESR still has (more) plugin support.
I will be providing those versions soon in the mozilla repository and then Firefox ESR will be supported with plugin support for the coming year. Within openSUSE we used to ship the non-ESR version though.
Comment 19 Wolfgang Rosenauer 2017-03-15 14:17:22 UTC
Please try if you can get plugins supported by setting:
plugin.load_flash_only = false
(if it works it will stop working with Firefox 53 at the latest)
Comment 20 Swamp Workflow Management 2017-03-16 09:51:20 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-03-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63478
Comment 21 Swamp Workflow Management 2017-03-17 11:08:39 UTC
SUSE-SU-2017:0714-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1028391
CVE References: CVE-2017-5398,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5404,CVE-2017-5405,CVE-2017-5407,CVE-2017-5408,CVE-2017-5409,CVE-2017-5410
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Server for SAP 12 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Server 12-SP2 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Server 12-SP1 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Server 12-LTSS (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    MozillaFirefox-45.8.0esr-102.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    MozillaFirefox-45.8.0esr-102.1
Comment 22 Swamp Workflow Management 2017-03-17 20:08:23 UTC
SUSE-SU-2017:0732-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1027527,1028391
CVE References: CVE-2017-5398,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5404,CVE-2017-5405,CVE-2017-5407,CVE-2017-5408,CVE-2017-5409,CVE-2017-5410
Sources used:
SUSE OpenStack Cloud 5 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Manager Proxy 2.1 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Manager 2.1 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Server 11-SP4 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    MozillaFirefox-45.8.0esr-68.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    MozillaFirefox-45.8.0esr-68.1
Comment 23 Bernhard Wiedemann 2017-03-18 23:01:13 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/481063 Factory / MozillaFirefox
Comment 24 Bernhard Wiedemann 2017-03-20 19:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/481401 Factory / MozillaFirefox
Comment 25 Bernhard Wiedemann 2017-03-20 21:01:19 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/481555 Factory / MozillaFirefox
Comment 26 Bernhard Wiedemann 2017-04-18 20:00:40 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/489159 42.1+42.2 / MozillaThunderbird
Comment 27 Bernhard Wiedemann 2017-05-02 16:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (1028391) was mentioned in
https://build.opensuse.org/request/show/492510 Backports:SLE-12 / MozillaThunderbird
Comment 28 Swamp Workflow Management 2017-05-06 22:11:34 UTC
openSUSE-SU-2017:1196-1: An update that fixes 51 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028391,1035082
CVE References: CVE-2017-5398,CVE-2017-5399,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5403,CVE-2017-5404,CVE-2017-5405,CVE-2017-5406,CVE-2017-5407,CVE-2017-5408,CVE-2017-5410,CVE-2017-5412,CVE-2017-5413,CVE-2017-5414,CVE-2017-5416,CVE-2017-5418,CVE-2017-5419,CVE-2017-5421,CVE-2017-5422,CVE-2017-5426,CVE-2017-5429,CVE-2017-5430,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5449,CVE-2017-5451,CVE-2017-5454,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5466,CVE-2017-5467,CVE-2017-5469
Sources used:
openSUSE Leap 42.2 (src):    MozillaThunderbird-52.1.0-41.3.1
openSUSE Leap 42.1 (src):    MozillaThunderbird-52.1.0-42.1
Comment 29 Swamp Workflow Management 2017-05-15 16:21:01 UTC
openSUSE-SU-2017:1268-1: An update that fixes 51 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1028391,1035082
CVE References: CVE-2017-5398,CVE-2017-5399,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5403,CVE-2017-5404,CVE-2017-5405,CVE-2017-5406,CVE-2017-5407,CVE-2017-5408,CVE-2017-5410,CVE-2017-5412,CVE-2017-5413,CVE-2017-5414,CVE-2017-5416,CVE-2017-5418,CVE-2017-5419,CVE-2017-5421,CVE-2017-5422,CVE-2017-5426,CVE-2017-5429,CVE-2017-5430,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5449,CVE-2017-5451,CVE-2017-5454,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5466,CVE-2017-5467,CVE-2017-5469
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-52.1.0-30.1
Comment 30 Victor Pereira 2017-09-20 09:27:04 UTC
closed and released