===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4447
                           firefox security update
                              17 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35113 CVE-2020-35111 CVE-2020-26978
                   CVE-2020-26974 CVE-2020-26973 CVE-2020-26971
                   CVE-2020-16042
Reference:         ESB-2020.4446
                   ESB-2020.4418

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:5561
   https://access.redhat.com/errata/RHSA-2020:5562
   https://access.redhat.com/errata/RHSA-2020:5563
   https://access.redhat.com/errata/RHSA-2020:5564
   https://access.redhat.com/errata/RHSA-2020:5565

Comment: This bulletin contains five (5) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5561-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5561
Issue date:        2020-12-16
CVE Names:         CVE-2020-16042 CVE-2020-26971 CVE-2020-26973
                   CVE-2020-26974 CVE-2020-26978 CVE-2020-35111
                   CVE-2020-35113
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.6.0 ESR.

Security Fix(es):

* chromium-browser: Uninitialized Use in V8 (CVE-2020-16042)

* Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

* Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

* Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free (CVE-2020-26974)

* Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
(CVE-2020-35113)

* Mozilla: Internal network hosts could have been probed by a malicious
webpage (CVE-2020-26978)

* Mozilla: The proxy.onRequest API did not catch view-source URLs
(CVE-2020-35111)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904515 - CVE-2020-16042 chromium-browser: Uninitialized Use in V8
1908022 - CVE-2020-26971 Mozilla: Heap buffer overflow in WebGL
1908023 - CVE-2020-26973 Mozilla: CSS Sanitizer performed incorrect sanitization
1908024 - CVE-2020-26974 Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
1908025 - CVE-2020-26978 Mozilla: Internal network hosts could have been probed by a malicious webpage
1908027 - CVE-2020-35111 Mozilla: The proxy.onRequest API did not catch view-source URLs
1908029 - CVE-2020-35113 Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-78.6.0-1.el7_9.src.rpm

x86_64:
firefox-78.6.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-78.6.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-78.6.0-1.el7_9.src.rpm

ppc64:
firefox-78.6.0-1.el7_9.ppc64.rpm
firefox-debuginfo-78.6.0-1.el7_9.ppc64.rpm

ppc64le:
firefox-78.6.0-1.el7_9.ppc64le.rpm
firefox-debuginfo-78.6.0-1.el7_9.ppc64le.rpm

s390x:
firefox-78.6.0-1.el7_9.s390x.rpm
firefox-debuginfo-78.6.0-1.el7_9.s390x.rpm

x86_64:
firefox-78.6.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-78.6.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-78.6.0-1.el7_9.src.rpm

x86_64:
firefox-78.6.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-78.6.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16042
https://access.redhat.com/security/cve/CVE-2020-26971
https://access.redhat.com/security/cve/CVE-2020-26973
https://access.redhat.com/security/cve/CVE-2020-26974
https://access.redhat.com/security/cve/CVE-2020-26978
https://access.redhat.com/security/cve/CVE-2020-35111
https://access.redhat.com/security/cve/CVE-2020-35113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

-------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5562-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5562
Issue date:        2020-12-16
CVE Names:         CVE-2020-16042 CVE-2020-26971 CVE-2020-26973
                   CVE-2020-26974 CVE-2020-26978 CVE-2020-35111
                   CVE-2020-35113
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.6.0 ESR.

Security Fix(es):

* chromium-browser: Uninitialized Use in V8 (CVE-2020-16042)

* Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

* Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

* Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free (CVE-2020-26974)

* Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
(CVE-2020-35113)

* Mozilla: Internal network hosts could have been probed by a malicious
webpage (CVE-2020-26978)

* Mozilla: The proxy.onRequest API did not catch view-source URLs
(CVE-2020-35111)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904515 - CVE-2020-16042 chromium-browser: Uninitialized Use in V8
1908022 - CVE-2020-26971 Mozilla: Heap buffer overflow in WebGL
1908023 - CVE-2020-26973 Mozilla: CSS Sanitizer performed incorrect sanitization
1908024 - CVE-2020-26974 Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
1908025 - CVE-2020-26978 Mozilla: Internal network hosts could have been probed by a malicious webpage
1908027 - CVE-2020-35111 Mozilla: The proxy.onRequest API did not catch view-source URLs
1908029 - CVE-2020-35113 Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-78.6.0-1.el8_3.src.rpm

aarch64:
firefox-78.6.0-1.el8_3.aarch64.rpm
firefox-debuginfo-78.6.0-1.el8_3.aarch64.rpm
firefox-debugsource-78.6.0-1.el8_3.aarch64.rpm

ppc64le:
firefox-78.6.0-1.el8_3.ppc64le.rpm
firefox-debuginfo-78.6.0-1.el8_3.ppc64le.rpm
firefox-debugsource-78.6.0-1.el8_3.ppc64le.rpm

s390x:
firefox-78.6.0-1.el8_3.s390x.rpm
firefox-debuginfo-78.6.0-1.el8_3.s390x.rpm
firefox-debugsource-78.6.0-1.el8_3.s390x.rpm

x86_64:
firefox-78.6.0-1.el8_3.x86_64.rpm
firefox-debuginfo-78.6.0-1.el8_3.x86_64.rpm
firefox-debugsource-78.6.0-1.el8_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16042
https://access.redhat.com/security/cve/CVE-2020-26971
https://access.redhat.com/security/cve/CVE-2020-26973
https://access.redhat.com/security/cve/CVE-2020-26974
https://access.redhat.com/security/cve/CVE-2020-26978
https://access.redhat.com/security/cve/CVE-2020-35111
https://access.redhat.com/security/cve/CVE-2020-35113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5563-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5563
Issue date:        2020-12-16
CVE Names:         CVE-2020-16042 CVE-2020-26971 CVE-2020-26973
                   CVE-2020-26974 CVE-2020-26978 CVE-2020-35111
                   CVE-2020-35113
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.6.0 ESR.

Security Fix(es):

* chromium-browser: Uninitialized Use in V8 (CVE-2020-16042)

* Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

* Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

* Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free (CVE-2020-26974)

* Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
(CVE-2020-35113)

* Mozilla: Internal network hosts could have been probed by a malicious
webpage (CVE-2020-26978)

* Mozilla: The proxy.onRequest API did not catch view-source URLs
(CVE-2020-35111)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904515 - CVE-2020-16042 chromium-browser: Uninitialized Use in V8
1908022 - CVE-2020-26971 Mozilla: Heap buffer overflow in WebGL
1908023 - CVE-2020-26973 Mozilla: CSS Sanitizer performed incorrect sanitization
1908024 - CVE-2020-26974 Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
1908025 - CVE-2020-26978 Mozilla: Internal network hosts could have been probed by a malicious webpage
1908027 - CVE-2020-35111 Mozilla: The proxy.onRequest API did not catch view-source URLs
1908029 - CVE-2020-35113 Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
firefox-78.6.0-1.el8_2.src.rpm

aarch64:
firefox-78.6.0-1.el8_2.aarch64.rpm
firefox-debuginfo-78.6.0-1.el8_2.aarch64.rpm
firefox-debugsource-78.6.0-1.el8_2.aarch64.rpm

ppc64le:
firefox-78.6.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-78.6.0-1.el8_2.ppc64le.rpm
firefox-debugsource-78.6.0-1.el8_2.ppc64le.rpm

s390x:
firefox-78.6.0-1.el8_2.s390x.rpm
firefox-debuginfo-78.6.0-1.el8_2.s390x.rpm
firefox-debugsource-78.6.0-1.el8_2.s390x.rpm

x86_64:
firefox-78.6.0-1.el8_2.x86_64.rpm
firefox-debuginfo-78.6.0-1.el8_2.x86_64.rpm
firefox-debugsource-78.6.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16042
https://access.redhat.com/security/cve/CVE-2020-26971
https://access.redhat.com/security/cve/CVE-2020-26973
https://access.redhat.com/security/cve/CVE-2020-26974
https://access.redhat.com/security/cve/CVE-2020-26978
https://access.redhat.com/security/cve/CVE-2020-35111
https://access.redhat.com/security/cve/CVE-2020-35113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

-----------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5564-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5564
Issue date:        2020-12-16
CVE Names:         CVE-2020-16042 CVE-2020-26971 CVE-2020-26973
                   CVE-2020-26974 CVE-2020-26978 CVE-2020-35111
                   CVE-2020-35113
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.6.0 ESR.

Security Fix(es):

* chromium-browser: Uninitialized Use in V8 (CVE-2020-16042)

* Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

* Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

* Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free (CVE-2020-26974)

* Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
(CVE-2020-35113)

* Mozilla: Internal network hosts could have been probed by a malicious
webpage (CVE-2020-26978)

* Mozilla: The proxy.onRequest API did not catch view-source URLs
(CVE-2020-35111)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904515 - CVE-2020-16042 chromium-browser: Uninitialized Use in V8
1908022 - CVE-2020-26971 Mozilla: Heap buffer overflow in WebGL
1908023 - CVE-2020-26973 Mozilla: CSS Sanitizer performed incorrect sanitization
1908024 - CVE-2020-26974 Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
1908025 - CVE-2020-26978 Mozilla: Internal network hosts could have been probed by a malicious webpage
1908027 - CVE-2020-35111 Mozilla: The proxy.onRequest API did not catch view-source URLs
1908029 - CVE-2020-35113 Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
firefox-78.6.0-1.el8_1.src.rpm

aarch64:
firefox-78.6.0-1.el8_1.aarch64.rpm
firefox-debuginfo-78.6.0-1.el8_1.aarch64.rpm
firefox-debugsource-78.6.0-1.el8_1.aarch64.rpm

ppc64le:
firefox-78.6.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-78.6.0-1.el8_1.ppc64le.rpm
firefox-debugsource-78.6.0-1.el8_1.ppc64le.rpm

s390x:
firefox-78.6.0-1.el8_1.s390x.rpm
firefox-debuginfo-78.6.0-1.el8_1.s390x.rpm
firefox-debugsource-78.6.0-1.el8_1.s390x.rpm

x86_64:
firefox-78.6.0-1.el8_1.x86_64.rpm
firefox-debuginfo-78.6.0-1.el8_1.x86_64.rpm
firefox-debugsource-78.6.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16042
https://access.redhat.com/security/cve/CVE-2020-26971
https://access.redhat.com/security/cve/CVE-2020-26973
https://access.redhat.com/security/cve/CVE-2020-26974
https://access.redhat.com/security/cve/CVE-2020-26978
https://access.redhat.com/security/cve/CVE-2020-35111
https://access.redhat.com/security/cve/CVE-2020-35113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

-----------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5565-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5565
Issue date:        2020-12-16
CVE Names:         CVE-2020-16042 CVE-2020-26971 CVE-2020-26973
                   CVE-2020-26974 CVE-2020-26978 CVE-2020-35111
                   CVE-2020-35113
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.6.0 ESR.

Security Fix(es):

* chromium-browser: Uninitialized Use in V8 (CVE-2020-16042)

* Mozilla: Heap buffer overflow in WebGL (CVE-2020-26971)

* Mozilla: CSS Sanitizer performed incorrect sanitization (CVE-2020-26973)

* Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free (CVE-2020-26974)

* Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
(CVE-2020-35113)

* Mozilla: Internal network hosts could have been probed by a malicious
webpage (CVE-2020-26978)

* Mozilla: The proxy.onRequest API did not catch view-source URLs
(CVE-2020-35111)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1904515 - CVE-2020-16042 chromium-browser: Uninitialized Use in V8
1908022 - CVE-2020-26971 Mozilla: Heap buffer overflow in WebGL
1908023 - CVE-2020-26973 Mozilla: CSS Sanitizer performed incorrect sanitization
1908024 - CVE-2020-26974 Mozilla: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free
1908025 - CVE-2020-26978 Mozilla: Internal network hosts could have been probed by a malicious webpage
1908027 - CVE-2020-35111 Mozilla: The proxy.onRequest API did not catch view-source URLs
1908029 - CVE-2020-35113 Mozilla: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
firefox-78.6.0-1.el8_0.src.rpm

aarch64:
firefox-78.6.0-1.el8_0.aarch64.rpm
firefox-debuginfo-78.6.0-1.el8_0.aarch64.rpm
firefox-debugsource-78.6.0-1.el8_0.aarch64.rpm

ppc64le:
firefox-78.6.0-1.el8_0.ppc64le.rpm
firefox-debuginfo-78.6.0-1.el8_0.ppc64le.rpm
firefox-debugsource-78.6.0-1.el8_0.ppc64le.rpm

s390x:
firefox-78.6.0-1.el8_0.s390x.rpm
firefox-debuginfo-78.6.0-1.el8_0.s390x.rpm
firefox-debugsource-78.6.0-1.el8_0.s390x.rpm

x86_64:
firefox-78.6.0-1.el8_0.x86_64.rpm
firefox-debuginfo-78.6.0-1.el8_0.x86_64.rpm
firefox-debugsource-78.6.0-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16042
https://access.redhat.com/security/cve/CVE-2020-26971
https://access.redhat.com/security/cve/CVE-2020-26973
https://access.redhat.com/security/cve/CVE-2020-26974
https://access.redhat.com/security/cve/CVE-2020-26978
https://access.redhat.com/security/cve/CVE-2020-35111
https://access.redhat.com/security/cve/CVE-2020-35113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
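The five advisories above each name the firefox build that carries the fix for one RHEL stream (78.6.0-1.el7_9, el8_3, el8_2, el8_1, el8_0). The script below is an added example, not part of the AusCERT bulletin or of Red Hat's tooling: it picks the right fixed build from the dist tag of the installed package and compares with a Python port of rpm's own version-segment ordering (rpmvercmp), so it runs on a fleet inventory host without python3-rpm. The sample `rpm -q firefox` lines are constructed; the script assumes firefox carries no epoch, as is the case for the builds listed.

```python
"""Triage installed firefox NVRAs against RHSA-2020:5561..5565 (added example)."""
import re
import sys

# Fixed (version, release) per dist tag, copied from the package lists above.
# Streams are compared only within their own tag: 1.el8_3 is not "newer" than
# 1.el8_2 in any meaningful sense, so a dist tag not listed here is reported
# as unknown rather than guessed.
FIXED = {
    "el7_9": ("78.6.0", "1.el7_9"),  # RHSA-2020:5561  RHEL 7
    "el8_3": ("78.6.0", "1.el8_3"),  # RHSA-2020:5562  RHEL 8
    "el8_2": ("78.6.0", "1.el8_2"),  # RHSA-2020:5563  RHEL 8.2 EUS
    "el8_1": ("78.6.0", "1.el8_1"),  # RHSA-2020:5564  RHEL 8.1 EUS
    "el8_0": ("78.6.0", "1.el8_0"),  # RHSA-2020:5565  RHEL 8.0 E4S
}
DIST_RE = re.compile(r"\.(el\d+(?:_\d+)?)")


def rpmvercmp(a, b):
    """Return -1/0/1 like rpm's rpmvercmp(): walk alnum segments, compare
    numeric ones by value, '~' sorts below end-of-string, '^' above it."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1  # separators ('.', '-', '_', ...) are skipped
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # pre-release marker sorts lowest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # post-release marker beats end-of-string
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:  # one side exhausted
            break
        isnum = ca.isdigit()
        cls = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and cls(a[i]):
            i += 1
        while j < len(b) and cls(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # numeric segment always beats an alpha segment
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvra(nvra):
    """'firefox-78.6.0-1.el7_9.x86_64' -> (name, version, release, arch)."""
    rest, arch = nvra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    return name, version, release, arch


def assess(nvra):
    """'patched', 'vulnerable', 'unknown-dist' (stream not in this bulletin)
    or 'not-firefox' for one installed package NVRA."""
    name, version, release, _arch = parse_nvra(nvra)
    if name != "firefox":
        return "not-firefox"
    m = DIST_RE.search(release)
    if not m or m.group(1) not in FIXED:
        return "unknown-dist"
    fixed_ver, fixed_rel = FIXED[m.group(1)]
    # Version first, then release, as rpm orders EVRs (epoch assumed 0).
    c = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
    return "patched" if c >= 0 else "vulnerable"


# Constructed sample of `rpm -q firefox` output collected from three hosts.
SAMPLE_RPM_Q = """\
firefox-78.5.0-1.el7_9.x86_64
firefox-78.6.0-1.el8_3.x86_64
firefox-78.4.1-1.el8_2.aarch64
"""


def triage(rpm_q_output):
    """Map every NVRA line of `rpm -q firefox` output to its verdict."""
    return {line: assess(line) for line in rpm_q_output.split()}


if __name__ == "__main__":
    # Pipe real data in:  rpm -q firefox | python3 check_firefox.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_Q
    for nvra, verdict in triage(text).items():
        print(f"{verdict:13} {nvra}")
```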