Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2487 Critical: firefox security update 9 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: firefox Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-11708 CVE-2019-11707 Reference: ASB-2019.0166 ESB-2019.2388 ESB-2019.2385 ESB-2019.2195 ESB-2019.2158 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:1696 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2019:1696-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:1696 Issue date: 2019-07-08 CVE Names: CVE-2019-11707 CVE-2019-11708 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.2 ESR. Security Fix(es): * Mozilla: Type confusion in Array.pop (CVE-2019-11707) * Mozilla: Sandbox escape using Prompt:Open (CVE-2019-11708) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1721789 - CVE-2019-11707 Mozilla: Type confusion in Array.pop 1722673 - CVE-2019-11708 Mozilla: Sandbox escape using Prompt:Open 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: firefox-60.7.2-3.el8_0.src.rpm aarch64: firefox-60.7.2-3.el8_0.aarch64.rpm firefox-debuginfo-60.7.2-3.el8_0.aarch64.rpm firefox-debugsource-60.7.2-3.el8_0.aarch64.rpm ppc64le: firefox-60.7.2-3.el8_0.ppc64le.rpm firefox-debuginfo-60.7.2-3.el8_0.ppc64le.rpm firefox-debugsource-60.7.2-3.el8_0.ppc64le.rpm s390x: firefox-60.7.2-3.el8_0.s390x.rpm firefox-debuginfo-60.7.2-3.el8_0.s390x.rpm firefox-debugsource-60.7.2-3.el8_0.s390x.rpm x86_64: firefox-60.7.2-3.el8_0.x86_64.rpm firefox-debuginfo-60.7.2-3.el8_0.x86_64.rpm firefox-debugsource-60.7.2-3.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11707 https://access.redhat.com/security/cve/CVE-2019-11708 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/ https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXSL8t9zjgjWX9erEAQgFxw/8DmhqF9EGMr05KJdr/Bt2Df6lhjEbLWyc zmDAgexnKl8QbI+8ZPgFRNxjSdc8n7da2Gyp4OoHi7nRdeBjDZOQW5+c7JykrWkd wrTFf+o18qYGm/ddEjqK4AlaZe5g5HrrSlQZ2LVu439Av/jp0Re2YGdLYlBrDzm2 lYu3vH6dWc62I8q0kT81rk6U3xcpi4Asj49L2Q9QN4CWb4hAh/fASS0BVifLT2B3 HYdlByB3Vxav3W4tJJvuJ4CWEYoS+YM2Oa0bAPW/Jnn5zXJOLzQcl+0rMHwE+112 wEa27eImzQsoFiAFwJ2iD7M9LE8WVRq7Zy7LwPR0sypkeOaHprTqXyUzM6oi/j83 cQ7Wf3nVFVAHj1QiCaEec2a8v8xqP9bNrgLdGXtdKd9Hi6oSK0BfimIFJXFvIkx2 7OXYlForo7vsX0fveRqHiQkGEppK425tsDIR2vYpz7aQUVh/7+MaWYtE/kUGxkp1 oVa9ym6hoDA9SNrj1gOs0so4QugmhJizQwI7lOEA5cDu+oSlxxR+wBGY02ieSGAs WiLRJYLep2mQEcojO0zTkBCX+FYr0AbCmJd362fC26nPohGYDvjAeolS3okgdx1P ednjNaYhkP3llML6HVVNa889FUTaY5Xi0aRBhXLeoLagFN+fMhUOaA6wUNE1HRvW U2RvhjMzCEI= =RbRH - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXSPPiGaOgq3Tt24GAQjWWQ/+LhUg9SupqxxD+Yzpfc+zsQdcFOTwmrQ7 tzaAIqOmUtBKNw0/k5jjRCpiStTSUu3FL0gMnFJdaJ/PSML9o3vxPw6t+GUn3suo KP3K49Aw0d4W+37OgjJrhlSdvgbvH2BUcqoL1HLCuiPobjtOBajxBVYzPeBQa3IQ V4wv2gWIDMAuzhKyNAk67DLWffIFkqsbb/K+Ax//NZFYkaEw1y1trrOR+lKZF93f vjiC7Ib5LaS5M0X3ZNrRJcW9S8UokhLa6ODpqQEeysQc+zbjCjUxWLTk5GwMGuGO aDtjFLC/NNuErd1OBytP021pmKP3OOuywzGlEaBaLo9E8A0ylPFeuj3uIUMd4dA4 IMAdia3Lt2c/F4wi724o0/NwyJUYLdd4ROIAIIWvJtFSScMnS9ds+KvQDOBgLut0 R8VyuSVZc8hDfwN/zOhdkA94/tXRYi8zM3/2jmdVttdlk2KGfiRVi7nEQiBqVT05 TgZBjzTdW7+Q0vHqhus2ck+ZumQgj50gUca/2bm8JQVmzTwe2z/GBC1BRa/fNjjN 6M69UsNabGEUy5BJAqD9zKxT6G5/z9St9WN4DO5jlykPpvNn8oeZqf1aN52AEhVj WP6+zSpTPWazYZrooTjJQlVzi7+91A5jyJu29k7WTmRn3K/NGGZjekEW+b1XCpUO ejJ3IDa91EA= =jEvx -----END PGP SIGNATURE-----