Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1263
firefox security update
9 April 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-6825 CVE-2020-6822 CVE-2020-6821
Reference: ESB-2020.1235
ESB-2020.1229
ESB-2020.1228
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:1404
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:1404-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1404
Issue date: 2020-04-08
CVE Names: CVE-2020-6821 CVE-2020-6822 CVE-2020-6825
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.7.0 ESR.
Security Fix(es):
* Mozilla: Uninitialized memory could be read when using the WebGL
copyTexSubImage method (CVE-2020-6821)
* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
(CVE-2020-6825)
* Mozilla: Out of bounds write in GMPDecodeData when processing large
images (CVE-2020-6822)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1821674 - CVE-2020-6821 Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method
1821676 - CVE-2020-6822 Mozilla: Out of bounds write in GMPDecodeData when processing large images
1821682 - CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
6. Package List:
Red Hat Enterprise Linux AppStream E4S (v. 8.0):
Source:
firefox-68.7.0-2.el8_0.src.rpm
aarch64:
firefox-68.7.0-2.el8_0.aarch64.rpm
firefox-debuginfo-68.7.0-2.el8_0.aarch64.rpm
firefox-debugsource-68.7.0-2.el8_0.aarch64.rpm
ppc64le:
firefox-68.7.0-2.el8_0.ppc64le.rpm
firefox-debuginfo-68.7.0-2.el8_0.ppc64le.rpm
firefox-debugsource-68.7.0-2.el8_0.ppc64le.rpm
s390x:
firefox-68.7.0-2.el8_0.s390x.rpm
firefox-debuginfo-68.7.0-2.el8_0.s390x.rpm
firefox-debugsource-68.7.0-2.el8_0.s390x.rpm
x86_64:
firefox-68.7.0-2.el8_0.x86_64.rpm
firefox-debuginfo-68.7.0-2.el8_0.x86_64.rpm
firefox-debugsource-68.7.0-2.el8_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6821
https://access.redhat.com/security/cve/CVE-2020-6822
https://access.redhat.com/security/cve/CVE-2020-6825
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXo3TiNzjgjWX9erEAQioIA/9GfWUYqr+8TRL+be1YJHhVgPnQRfC8Cdq
uUGvtOrJ+fkObk2GwNgOHWpM0XPD1dWqLpxRVm9atZi4jfj21v3I35oKHEa1z4+3
2ucyqnmEx6qBhpf0jBMec1g1nxI5QN394bw7lhUtPDj1UKIAjgSfUCNqnxNC/GTP
YcPdXiGz35m5yAWZZpl/KGCur+iZfihsPznYZRumaAnnGgmu7KsLuqmXIjCRaMOt
vPyN2yRCTATJv2s8pbHRmO0PjrtqX927Yr7s9L9wqFCkvyG8yY2bdL93VYdIOnqp
eZMMnQfyKqVAblLvRiqS603NRn2cHsfl6ofA+lLeMkbG2HeNQR4EcGKIbK8IBrac
08biwnf7tJlK2+/GQ4T6+rvEfmiOmy+6YTozawRXEWWDAcdn0AzuVduwi/LLt3Nm
ND91DRznlUR+YB52HKQpkMfrPdzj+36fEEE38QwlRKnfKPq032nwP5uktwZnpNj/
Ng+IaizW/5yc9x9HriIqV9HiQPLM2HQQN5TI8FQY4CAMhPqK47M2qiEb274OF88T
Oz/cMgFMqNXd8LgsoXOm3/uSMSFQphOQQW3YMF9grJsPYa1uOuwXg2kRFe9O0ybR
WV+x1WDqDnBLH3co8CtwkKZnH7hDSkv8r8WBFnUbixeQyczaScMKzGus6hGBRxsE
hkkBLsm332A=
=+mVI
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:1406-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1406
Issue date: 2020-04-08
CVE Names: CVE-2020-6821 CVE-2020-6822 CVE-2020-6825
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.7.0 ESR.
Security Fix(es):
* Mozilla: Uninitialized memory could be read when using the WebGL
copyTexSubImage method (CVE-2020-6821)
* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
(CVE-2020-6825)
* Mozilla: Out of bounds write in GMPDecodeData when processing large
images (CVE-2020-6822)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1821674 - CVE-2020-6821 Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method
1821676 - CVE-2020-6822 Mozilla: Out of bounds write in GMPDecodeData when processing large images
1821682 - CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
firefox-68.7.0-2.el8_1.src.rpm
aarch64:
firefox-68.7.0-2.el8_1.aarch64.rpm
firefox-debuginfo-68.7.0-2.el8_1.aarch64.rpm
firefox-debugsource-68.7.0-2.el8_1.aarch64.rpm
ppc64le:
firefox-68.7.0-2.el8_1.ppc64le.rpm
firefox-debuginfo-68.7.0-2.el8_1.ppc64le.rpm
firefox-debugsource-68.7.0-2.el8_1.ppc64le.rpm
s390x:
firefox-68.7.0-2.el8_1.s390x.rpm
firefox-debuginfo-68.7.0-2.el8_1.s390x.rpm
firefox-debugsource-68.7.0-2.el8_1.s390x.rpm
x86_64:
firefox-68.7.0-2.el8_1.x86_64.rpm
firefox-debuginfo-68.7.0-2.el8_1.x86_64.rpm
firefox-debugsource-68.7.0-2.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6821
https://access.redhat.com/security/cve/CVE-2020-6822
https://access.redhat.com/security/cve/CVE-2020-6825
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXo37l9zjgjWX9erEAQjhwBAAhg5yMcbxzLSZNFbdikbyj8RaUTt9m/3b
hdtAPDuZV/nMrXqrxJu22xf1kvx3zRZDhp+DRN5Re1oPqeFS4tMgkCEK7J2JJDQU
+jNy/mVMJ/DixVniNyQ+IpqLepmJNak19Wr8CgRChmylE20QlUjK6aq+EW61ZycY
MkvK7GkzUEcxllNI6k3vb47B1oLbcYX+pDVpWH1SnwtnPOuYK4cjnd8Q0n6AVrYP
a32wTVifcfWc7hZpBPAgNoYKXWtBgclYCq/ytGi5n5/VeUoHzLChps0Rb5Ug2wkX
NvG15+3Mqsn6hoYeJllbVnUYPSatKgYQuOsEFEwlLnJMy4SargKK2BzAJWWJ4NSg
Oaa34x/avN7LHF4N6R3pvQynWQtvHivWM+nwoc3nzxeGUhVzP33sO/WgCqDvOljh
H4CZ6dLvd//1/B00uasPocGZCl/e1sKzQAx6tqbM/1/AUqr11kQ/+ejpPOEq9qPN
P4Gx6bLWI88Xm8Im/WmwNGIMPbdyxGLSs8Ewb+7rxy++WmJH9sxZsEyUE4N8N4pH
qwiY1yAO7yMlxnvuORRMTnMCap5wMDoKrzPeyCyPMeVtlPa7lZ+kvW+tqDetCkhB
eKPBc/Tst8sJcCAwJyXkiHm3OBI+6YqqSnZk2767B7SzhE1tn8sCBvuKci4ELEEc
D2hSR1fB1ag=
=qIvK
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXo5qhGaOgq3Tt24GAQjmQBAAu24dj1iKjoVnswiwVDsdnLCgP76pNCeC
ahV7eu7RxkWXlvTBkvTwg0b3exPIIPNspwjMxfMBD2JrZth77xEjC4Ifier+6KnY
CgqpWP6y4N4M/zxERmvX3dS/K1jsUTgjCXWllPbfwlzp2weuNpgyYOinPgMNmI1O
13SXdKMRzivCQBRwIHzQ9+3y8DnMuDmpWZLu+KDY0smJz5ypYJLoF5wZfoYeLeWj
7fY6DzlcGwUZdjSxZBLtFB9AscAhiNKmh26TerDSrGZOV4kvb3Kc3aSndaX14nj5
VqCu8hx46Go3Mu2x20VPeDzD4DOwhERwSFapCWdRq3b3VyfHckkT9DZtZLEd9Mt6
PkU3WSli2f8wrjyJGRBSYdSWUSTk8vWi4cJ2pEOb9U9Zq2G6m5p1RTOSDvxcOCjX
17C4VfQhKiyhHBLyH7IttJbHKK3ANi+U4W3ZSWxE/qcxZDcg1fLd4oggrT75E5Sw
JlkZ12mWanW5yY0v5RHh3Wf6aTKMTLQvq377U6ULUlD2Omg4sQ5srCbbyc0p/8au
2L3YmyzVJQSNgVTLpHzuce8ugr4wAh6CLLk/aXgqwWDHFLBFRjAc3rhggzwoDqql
K1rKrCooPMAWr1BAV1iOuuFIBuTrw2mGJ+sgUTLUcrxHS+RQansQzCKwhAEnrAmA
3w56yIkDxMQ=
=fikB
-----END PGP SIGNATURE-----