-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1263
                          firefox security update
                                9 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6825 CVE-2020-6822 CVE-2020-6821
Reference:         ESB-2020.1235
                   ESB-2020.1229
                   ESB-2020.1228

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:1404

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:1404-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1404
Issue date:        2020-04-08
CVE Names:         CVE-2020-6821 CVE-2020-6822 CVE-2020-6825
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.7.0 ESR.

Security Fix(es):

* Mozilla: Uninitialized memory could be read when using the WebGL
copyTexSubImage method (CVE-2020-6821)

* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
(CVE-2020-6825)

* Mozilla: Out of bounds write in GMPDecodeData when processing large images
(CVE-2020-6822)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1821674 - CVE-2020-6821 Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method
1821676 - CVE-2020-6822 Mozilla: Out of bounds write in GMPDecodeData when processing large images
1821682 - CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
firefox-68.7.0-2.el8_0.src.rpm

aarch64:
firefox-68.7.0-2.el8_0.aarch64.rpm
firefox-debuginfo-68.7.0-2.el8_0.aarch64.rpm
firefox-debugsource-68.7.0-2.el8_0.aarch64.rpm

ppc64le:
firefox-68.7.0-2.el8_0.ppc64le.rpm
firefox-debuginfo-68.7.0-2.el8_0.ppc64le.rpm
firefox-debugsource-68.7.0-2.el8_0.ppc64le.rpm

s390x:
firefox-68.7.0-2.el8_0.s390x.rpm
firefox-debuginfo-68.7.0-2.el8_0.s390x.rpm
firefox-debugsource-68.7.0-2.el8_0.s390x.rpm

x86_64:
firefox-68.7.0-2.el8_0.x86_64.rpm
firefox-debuginfo-68.7.0-2.el8_0.x86_64.rpm
firefox-debugsource-68.7.0-2.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6821
https://access.redhat.com/security/cve/CVE-2020-6822
https://access.redhat.com/security/cve/CVE-2020-6825
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXo3TiNzjgjWX9erEAQioIA/9GfWUYqr+8TRL+be1YJHhVgPnQRfC8Cdq
uUGvtOrJ+fkObk2GwNgOHWpM0XPD1dWqLpxRVm9atZi4jfj21v3I35oKHEa1z4+3
2ucyqnmEx6qBhpf0jBMec1g1nxI5QN394bw7lhUtPDj1UKIAjgSfUCNqnxNC/GTP
YcPdXiGz35m5yAWZZpl/KGCur+iZfihsPznYZRumaAnnGgmu7KsLuqmXIjCRaMOt
vPyN2yRCTATJv2s8pbHRmO0PjrtqX927Yr7s9L9wqFCkvyG8yY2bdL93VYdIOnqp
eZMMnQfyKqVAblLvRiqS603NRn2cHsfl6ofA+lLeMkbG2HeNQR4EcGKIbK8IBrac
08biwnf7tJlK2+/GQ4T6+rvEfmiOmy+6YTozawRXEWWDAcdn0AzuVduwi/LLt3Nm
ND91DRznlUR+YB52HKQpkMfrPdzj+36fEEE38QwlRKnfKPq032nwP5uktwZnpNj/
Ng+IaizW/5yc9x9HriIqV9HiQPLM2HQQN5TI8FQY4CAMhPqK47M2qiEb274OF88T
Oz/cMgFMqNXd8LgsoXOm3/uSMSFQphOQQW3YMF9grJsPYa1uOuwXg2kRFe9O0ybR
WV+x1WDqDnBLH3co8CtwkKZnH7hDSkv8r8WBFnUbixeQyczaScMKzGus6hGBRxsE
hkkBLsm332A=
=+mVI
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:1406-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1406
Issue date:        2020-04-08
CVE Names:         CVE-2020-6821 CVE-2020-6822 CVE-2020-6825
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.7.0 ESR.

Security Fix(es):

* Mozilla: Uninitialized memory could be read when using the WebGL
copyTexSubImage method (CVE-2020-6821)

* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
(CVE-2020-6825)

* Mozilla: Out of bounds write in GMPDecodeData when processing large images
(CVE-2020-6822)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1821674 - CVE-2020-6821 Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method
1821676 - CVE-2020-6822 Mozilla: Out of bounds write in GMPDecodeData when processing large images
1821682 - CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-68.7.0-2.el8_1.src.rpm

aarch64:
firefox-68.7.0-2.el8_1.aarch64.rpm
firefox-debuginfo-68.7.0-2.el8_1.aarch64.rpm
firefox-debugsource-68.7.0-2.el8_1.aarch64.rpm

ppc64le:
firefox-68.7.0-2.el8_1.ppc64le.rpm
firefox-debuginfo-68.7.0-2.el8_1.ppc64le.rpm
firefox-debugsource-68.7.0-2.el8_1.ppc64le.rpm

s390x:
firefox-68.7.0-2.el8_1.s390x.rpm
firefox-debuginfo-68.7.0-2.el8_1.s390x.rpm
firefox-debugsource-68.7.0-2.el8_1.s390x.rpm

x86_64:
firefox-68.7.0-2.el8_1.x86_64.rpm
firefox-debuginfo-68.7.0-2.el8_1.x86_64.rpm
firefox-debugsource-68.7.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6821
https://access.redhat.com/security/cve/CVE-2020-6822
https://access.redhat.com/security/cve/CVE-2020-6825
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
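The two advisories above give the fixed firefox builds (68.7.0-2.el8_0 for AppStream E4S, 68.7.0-2.el8_1 for AppStream v. 8) and point to rpm's GPG signing for package verification. The POSIX shell script below is an added example, not part of the Red Hat advisories or the AusCERT bulletin: it compares the VERSION-RELEASE that rpm reports for the installed firefox package against the fixed build for its channel, prints a verdict in the advisory's terms, and wraps rpm's own --checksig for a downloaded package. The function names (vercmp, firefox_is_fixed, fixed_vr_for, report, verify_rpm_signature) and the sample installed value 68.6.0-1.el8_1 used when rpm is not available are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of RHSA-2020:1404 / RHSA-2020:1406 or the AusCERT
# bulletin: compare the installed firefox build against the fixed builds in
# the advisory package lists, and verify a downloaded RPM with rpm itself.

# Fixed VERSION-RELEASE per channel, taken from section 6 of each advisory.
FIXED_VR_E4S="68.7.0-2.el8_0"     # RHEL 8.0 AppStream E4S  (RHSA-2020:1404)
FIXED_VR_RHEL8="68.7.0-2.el8_1"   # RHEL 8 AppStream        (RHSA-2020:1406)

# vercmp A B: compare dotted numeric versions component by component and
# print -1, 0 or 1. A missing component counts as 0 (68.7 equals 68.7.0).
# Assumes purely numeric components, which holds for Firefox ESR builds.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax:-0};  bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1;  return; fi
        case $a in *.*) a=${a#*.};; *) a="";; esac
        case $b in *.*) b=${b#*.};; *) b="";; esac
    done
    printf '%s\n' 0
}

# firefox_is_fixed INSTALLED_VR FIXED_VR: succeed (exit 0) when the installed
# "VERSION-RELEASE" is at or above the fixed one. Version is compared first;
# on a tie the leading numeric part of the release ("2" in "2.el8_1") decides.
firefox_is_fixed() {
    iv=${1%%-*}; ir=${1#*-}; ir=${ir%%.*}
    fv=${2%%-*}; fr=${2#*-}; fr=${fr%%.*}
    c=$(vercmp "$iv" "$fv")
    if [ "$c" -gt 0 ]; then return 0; fi
    if [ "$c" -lt 0 ]; then return 1; fi
    [ "$ir" -ge "$fr" ]
}

# fixed_vr_for INSTALLED_VR: pick the advisory's fixed build for the channel
# the installed package came from, keyed on its dist tag; empty if unknown.
fixed_vr_for() {
    case $1 in
        *.el8_0*) printf '%s\n' "$FIXED_VR_E4S" ;;
        *.el8_1*) printf '%s\n' "$FIXED_VR_RHEL8" ;;
        *)        printf '\n' ;;
    esac
}

# report INSTALLED_VR: one-line verdict in the terms the advisory uses.
report() {
    fixed=$(fixed_vr_for "$1")
    if [ -z "$fixed" ]; then
        printf 'firefox %s: dist tag not in this advisory, compare against section 6 by hand\n' "$1"
    elif firefox_is_fixed "$1" "$fixed"; then
        printf 'firefox %s: at or above fixed build %s\n' "$1" "$fixed"
    else
        printf 'firefox %s: below fixed build %s, apply the update and restart Firefox\n' "$1" "$fixed"
    fi
}

# verify_rpm_signature FILE: rpm's own signature check on a downloaded package.
# Exit status is non-zero for a bad or missing signature. The Red Hat release
# key (see the key URL in the advisory) must already be imported with
# "rpm --import" for the verdict to read OK rather than NOKEY.
verify_rpm_signature() {
    rpm --checksig --verbose "$1"
}

# Use the live package database when rpm is present; otherwise fall back to a
# constructed sample value so the comparison can still be demonstrated.
if command -v rpm >/dev/null 2>&1 && rpm -q firefox >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' firefox)
else
    installed="68.6.0-1.el8_1"   # constructed sample, not from the advisory
fi
report "$installed"
```

Run it on the host with `sh check-firefox.sh`; the release-number tiebreak matters because Red Hat ships security fixes as release bumps (here 68.7.0-2) rather than new upstream versions, so a bare comparison of 68.7.0 would pass a build that predates the fix.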
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXo37l9zjgjWX9erEAQjhwBAAhg5yMcbxzLSZNFbdikbyj8RaUTt9m/3b
hdtAPDuZV/nMrXqrxJu22xf1kvx3zRZDhp+DRN5Re1oPqeFS4tMgkCEK7J2JJDQU
+jNy/mVMJ/DixVniNyQ+IpqLepmJNak19Wr8CgRChmylE20QlUjK6aq+EW61ZycY
MkvK7GkzUEcxllNI6k3vb47B1oLbcYX+pDVpWH1SnwtnPOuYK4cjnd8Q0n6AVrYP
a32wTVifcfWc7hZpBPAgNoYKXWtBgclYCq/ytGi5n5/VeUoHzLChps0Rb5Ug2wkX
NvG15+3Mqsn6hoYeJllbVnUYPSatKgYQuOsEFEwlLnJMy4SargKK2BzAJWWJ4NSg
Oaa34x/avN7LHF4N6R3pvQynWQtvHivWM+nwoc3nzxeGUhVzP33sO/WgCqDvOljh
H4CZ6dLvd//1/B00uasPocGZCl/e1sKzQAx6tqbM/1/AUqr11kQ/+ejpPOEq9qPN
P4Gx6bLWI88Xm8Im/WmwNGIMPbdyxGLSs8Ewb+7rxy++WmJH9sxZsEyUE4N8N4pH
qwiY1yAO7yMlxnvuORRMTnMCap5wMDoKrzPeyCyPMeVtlPa7lZ+kvW+tqDetCkhB
eKPBc/Tst8sJcCAwJyXkiHm3OBI+6YqqSnZk2767B7SzhE1tn8sCBvuKci4ELEEc
D2hSR1fB1ag=
=qIvK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXo5qhGaOgq3Tt24GAQjmQBAAu24dj1iKjoVnswiwVDsdnLCgP76pNCeC
ahV7eu7RxkWXlvTBkvTwg0b3exPIIPNspwjMxfMBD2JrZth77xEjC4Ifier+6KnY
CgqpWP6y4N4M/zxERmvX3dS/K1jsUTgjCXWllPbfwlzp2weuNpgyYOinPgMNmI1O
13SXdKMRzivCQBRwIHzQ9+3y8DnMuDmpWZLu+KDY0smJz5ypYJLoF5wZfoYeLeWj
7fY6DzlcGwUZdjSxZBLtFB9AscAhiNKmh26TerDSrGZOV4kvb3Kc3aSndaX14nj5
VqCu8hx46Go3Mu2x20VPeDzD4DOwhERwSFapCWdRq3b3VyfHckkT9DZtZLEd9Mt6
PkU3WSli2f8wrjyJGRBSYdSWUSTk8vWi4cJ2pEOb9U9Zq2G6m5p1RTOSDvxcOCjX
17C4VfQhKiyhHBLyH7IttJbHKK3ANi+U4W3ZSWxE/qcxZDcg1fLd4oggrT75E5Sw
JlkZ12mWanW5yY0v5RHh3Wf6aTKMTLQvq377U6ULUlD2Omg4sQ5srCbbyc0p/8au
2L3YmyzVJQSNgVTLpHzuce8ugr4wAh6CLLk/aXgqwWDHFLBFRjAc3rhggzwoDqql
K1rKrCooPMAWr1BAV1iOuuFIBuTrw2mGJ+sgUTLUcrxHS+RQansQzCKwhAEnrAmA
3w56yIkDxMQ=
=fikB
-----END PGP SIGNATURE-----