-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1605
                     Critical: firefox security update
                                 7 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
                   Red Hat Enterprise Linux 7
                   Red Hat Enterprise Linux 8 (including 8.1 EUS and 8.0 E4S)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12395 CVE-2020-12392 CVE-2020-12387 CVE-2020-6831
Reference:         ESB-2020.1602
                   ESB-2020.1600
                   ESB-2020.1599

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2036
   https://access.redhat.com/errata/RHSA-2020:2033
   https://access.redhat.com/errata/RHSA-2020:2037
   https://access.redhat.com/errata/RHSA-2020:2031
   https://access.redhat.com/errata/RHSA-2020:2032

Comment: This bulletin contains five (5) Red Hat security advisories, one
         each for Red Hat Enterprise Linux 6, 7, 8, 8.1 EUS and 8.0 E4S.
         All five ship the same fix, Firefox 68.8.0 ESR, and all four CVEs
         are addressed by every advisory.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:2036-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2036
Issue date:        2020-05-06
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
                   CVE-2020-12395
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-68.8.0-1.el6_10.src.rpm

i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-68.8.0-1.el6_10.src.rpm

x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-68.8.0-1.el6_10.src.rpm

i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

ppc64:
firefox-68.8.0-1.el6_10.ppc64.rpm
firefox-debuginfo-68.8.0-1.el6_10.ppc64.rpm

s390x:
firefox-68.8.0-1.el6_10.s390x.rpm
firefox-debuginfo-68.8.0-1.el6_10.s390x.rpm

x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-68.8.0-1.el6_10.src.rpm

i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrKVatzjgjWX9erEAQh+Xw//dZUaxqqbDkNE7POX10N8J0CMlgMY70dH
gM7Cqwo9y7s9V3bu4pevz7h+4SaQbCn1o2Q4BXlM+bK04V9GSnEEimmy5/NywxBt
3fNgNT7/WnLwLSohO5JcVAZ3uPzucHSGrUa8ZxNGJbmlTwl2W8qiSiWkVMqAHN6I
+1eX9IohbfHbBYPQPvxnlGmSK0UKA9N3nTiRB8fvg0p/0xJRnWaJXyRuMu5OilTv
bNgRUtWaoWR6ua0/ZnuBx++ZCz4nKjlLKkqspTilKlPVXDoiso58K+dCLSuJw4AL
8Q76TkL+vHeIyyRIdwO5Ot5S/Tdv2xFDlje5b7W8KFHRVqXPQEk4JgBawm7GfIva
jqnvJQQnfGtMIKOzMLVSgUi8V4PNIY6N5en9gewUxxhSgJdg8SjrOHnZWJpS9ZjV
molYtuHuIm5VH1YEL1Ceo2U6nYTECuzfrib7hgaeBYuKcT5o7PgXI5a0D0rGKweZ
iI4DnpMdgYK4vOIkwkwdMBfTMhqNqehdj+79Ga/dHVFXthHzz4sqCyHcUb4VvH63
IoYU5n6p+dNpDXsDKP1SdgyX0h+bqOOieZ6Z3St4MKUHDKXdfyhJjdOen+Sg9l2l
6lPTdjTjXk2IFTJFXaZbHyMEt3tEsbIGQ37/rBX9Pw+2+MA3plUAZMhst2LRhFsa
cTKjoD+h/+U=
=TTbo
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

Subject: [RHSA-2020:2037-01] Critical: firefox security update
From: "Security announcements for all Red Hat products and services." <rhsa-announce@redhat.com>
Reply-To: rhsa-announce@redhat.com
Date: Wed, 6 May 2020 06:43:06 -0400
To: rhsa-announce@redhat.com

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:2037-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2037
Issue date:        2020-05-06
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
                   CVE-2020-12395
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-68.8.0-1.el7_8.src.rpm

x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-68.8.0-1.el7_8.src.rpm

ppc64:
firefox-68.8.0-1.el7_8.ppc64.rpm
firefox-debuginfo-68.8.0-1.el7_8.ppc64.rpm

ppc64le:
firefox-68.8.0-1.el7_8.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el7_8.ppc64le.rpm

s390x:
firefox-68.8.0-1.el7_8.s390x.rpm
firefox-debuginfo-68.8.0-1.el7_8.s390x.rpm

x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-68.8.0-1.el7_8.src.rpm

x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrKUt9zjgjWX9erEAQiRdw/+OF/n1a6dSEQegXBgc5Ns2yHWYT/t28Vf
aF1or5+ljVM17BGJg4M6P8jYj29Sli2ZAFybabeVnF62NzZDNzLYlUr8pkZuJSdb
A7FqmmfqEaTEI+VVKnPqnazOL/pf4woFogt1HSkj+9BNkLcrMgDyDIfz+RmhzN00
G5oeVK1JDZq5DAt9Th9+Sk/4T9MKtsCPQyti2DPpCzByuT0U1FzVKPgotfBrSVUC
ajRjtfbw0dwI8OijpPyQYbaqStTtqbm+iQWayfwh8hYV7jyJXqW/MKuLfUSGZnXb
YUWHB79yQZ+ZeLgoL38yA6aDeScBCgbWfOte3o8IQ+EXfiIKo/oy+ZlmYlIoBDYZ
Ct29mhZXvyW8l4/OuAso/8vbRZdOA86ib0FlXE8ywk0ZRdg7LhGBk3hqZpV9/1Hl
ql6PEkf/7k0JAIMUNua4TWdTdlYNpzuLgbF08a7IyOy+pFDOaRz4kgek04lLtbPx
znGLrR5ZT+8sCBuq39rCiLbc2OKhit4K4h8MJoljUnPM8wy4PpaAqUnJG+HO3MIx
cz8myQp/3gwVyymRkfzb99So6yK5MGUF/ITR84xlQRmNyCXiCqOc8Pn2SEB7pq65
3Adx+voN+eg0yf9i4il8+ooUbTbK+WKC+dZg+JrFMKFiQVxzq8nz+pW42UY844C4
GatPWTXCYT8=
=u6Rh
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:2031-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2031
Issue date:        2020-05-06
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
                   CVE-2020-12395
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-68.8.0-1.el8_2.src.rpm

aarch64:
firefox-68.8.0-1.el8_2.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_2.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_2.aarch64.rpm

ppc64le:
firefox-68.8.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_2.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_2.ppc64le.rpm

s390x:
firefox-68.8.0-1.el8_2.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_2.s390x.rpm
firefox-debugsource-68.8.0-1.el8_2.s390x.rpm

x86_64:
firefox-68.8.0-1.el8_2.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_2.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrJ40tzjgjWX9erEAQhPEg/5AV9V68w1Pwr0fBV0sldXKFnPF+xJ2/2r
eV9Bv46+Tb0gOlak7cLqmbL3FCNhNH2qV2b48UKrvfHZgWu/bIozLyq+JmCeExrk
o0II7XaKja5hBdvKqlKX/4q5sm9PWR+Oay6kX6cR6PwZg91mbJ81QdRuCWBqvCXM
251NMmjzaFBnlLmfhBq/5cRxiNB36UMwn3RTB3Ai0z94WG3XYIEIVujBOjMlaxEq
hn78HOUz34AuCu+kvaJwH3/L3Qtqu2FChlT56bk+TmYx+02mezS6ivhF7+gmal47
379sI7tKEY7CgqFWctrxAeGLzKI/zVR0ucoY9AFrJA1YaY36d6RTsdAQlrX76S6z
4SjhXXKNSnWlGqLkJtIu5oBFPXeGs6zUm8bvWLutQXPmQcUL1CwsCV72BTzzAHIm
zxOE04EU0b3f2UWObI3VUYjbtOxj+YUEyBNdNRaN42JEJgq+S1XjHx+nsdBfXJqY
HZ28fJ8ddzfDiGzkbczrYd8aKcIBIQ6qSbt0kT2ddg4Zm+TYHCk7f0nLGp00Fhwe
k3RjH2q9f+8s/D/XcHjoOvgJaZ4gispSLdxRM6vZeHoS4whcH5mbaCDeU7IMUU+J
s03BH0QOOz5ShDaIpuWzMYitQi5SwZCoxhvtKOSJio2ejhiIY8A+aBirfV0BfsIh
NOHKwK5q/UY=
=XmB/
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:2032-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2032
Issue date:        2020-05-06
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
                   CVE-2020-12395
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
firefox-68.8.0-1.el8_1.src.rpm

aarch64:
firefox-68.8.0-1.el8_1.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_1.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_1.aarch64.rpm

ppc64le:
firefox-68.8.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_1.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_1.ppc64le.rpm

s390x:
firefox-68.8.0-1.el8_1.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_1.s390x.rpm
firefox-debugsource-68.8.0-1.el8_1.s390x.rpm

x86_64:
firefox-68.8.0-1.el8_1.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_1.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrJ01tzjgjWX9erEAQhTMA//TVwCs+i8ol8X5CEKmAQFZhrAVsG9V2i7
ZYUaRXFG+zQA08IUqCqTLGMSqcdocw6fHQwpsPTDU8DmDwmYy7Si/VfsEvVESQ2S
3ghpfuHpOqJNlYofv1s7NLCcqh6f1q3Y0O8RtIthOOGt4/sM0SZMLG4ADxMymzM8
y/RZHDb73AMDiTiZOP4Y5+rRnLqTTpZiQYS/sbsUaQTawdH2uwznEsdzjgqOxmtU
RauwPkMiWbLH2HElzYXrIbj+jtas6NhmsmTSOTRdkrLbnQVbwL5mcMWGGrvx2jhT
V9l5E7CgG8tgJqmBWIIPAWASmVITgWthH9N3ftr6jFwWTqfTUGzLUOoe+2vMlVgS
EyZpY1xSaR3tAsGvim/IGcepI1ybSOTVfUdWpOnjP9deA2HbQtfRMgGmrALeyGJt
6sIUncNT6pOkB3GAaDTdn83Alcpq8Onjc7wTTBqO4fMfxJqtjr3MZgidF5A27mi3
sp2ioTfdhrmDTYCmX2WLqO1UU3DC0k7OTUJtuS+0xnVwpv0Bmr9waAhW9juw/Sls
4FVOBzSowG6VItOkcDzYIK6GmqO7+yXIX8WZ0DhgXfC2zmtb4BUmP+MwqGxZGBMR
dAJmlWRYI79sXMGsATtEKxetZkBurRbhI7xlgsCNmQ2iXzzqrOYn9aVCGFBX56um
OzVfCyer8cY=
=XAve
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:2033-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2033
Issue date:        2020-05-06
CVE Names:         CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
                   CVE-2020-12395
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 68.8.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)

* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)

* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)

* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
firefox-68.8.0-1.el8_0.src.rpm

aarch64:
firefox-68.8.0-1.el8_0.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_0.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_0.aarch64.rpm

ppc64le:
firefox-68.8.0-1.el8_0.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_0.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_0.ppc64le.rpm

s390x:
firefox-68.8.0-1.el8_0.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_0.s390x.rpm
firefox-debugsource-68.8.0-1.el8_0.s390x.rpm

x86_64:
firefox-68.8.0-1.el8_0.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_0.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrJxF9zjgjWX9erEAQiu0Q/9GkO4R63/ylh8LCgUWaP0tHDXtr4SYkwQ
t6BMLYTJix7Hy7ZUBueIn+tu/LNbiII/VqZNSUlNFIn3U9r4wcYt/iiiBeqsePbM
X9855cVn1453tQYe0+/zwR2FHsG12GwsgHpdtygnRuZCInJzdoyTxA/4H44wvL+y
En22hWlmalNxd8k3+AiNK8UNFwr5/zstVDBy9HVM+c9A6jCZnq8aniE1DXd05d36
GiN3rKPYT5Y3fWfcAL9M0Q2o1Ln+Xwd22FlfCfMVMIu0fza2/QzupVL5Jp0ycG4L
afZK7xAV+itrqu73DAB76HJPQ1HV1a06b4i96eEibLZni8FzoTYsSwdatgtpBN8V
mtJPJyRVlOzM6Yex5lDqcGjtu13bQnBpoAPSR5nRstad3E78GdM+lt2r1r1KjWgW
5udBka3nQFJOmVZpIlfyv6CJ4LATFzOOi+X2feIhoCaCa+0UU9Pj+fM6Dq0viiwL
T5QgOg14rvdSfL+W20U0zCnsRmcfuLrT3qvg4BGtZuJxBOHVNPO2TTK4wUq4vDCs
tk7mU3dsCbG8/zdvRkzr22ym72WqkDAZk0wx/hS3DJaFgWklSfowjdQi9m/LXnGl
stPn8uV9vDPDKHOu5Y7qGAf4Lk8BCfnWUIMLNoFI1dMKGMbjHLG/f6RZgI0VTpnK
iyHqwhGkBRM=
=FNDm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXrNNXmaOgq3Tt24GAQjNxA/9Hy3IJiQYD892AlzOOpiNsDI8bfbku37G
iNB09AUEdQdtQqg+xgdMDaj+pMSPbMMUYOIcyrywKcBY2r63xxwG1qnz74avHves
df0uw5JcBWWeCh71or36Z6qnnkYLmi+7iPWOqxil/gtNHHpgtjv32d0V6//XjBGM
cuDF9bHi1JC5lI277b/NSeGAUd2RyDpdhYxeAq7QUPT0qIdighG/ZXrgPv9K6r8f
xzpwyb650g2tbrObzYZBeIS5oCaPD3t9JJAEcywH4Y9IRMq1e8FSdO1N9QG25t07
uAUycCm52Gn96pCJFY0B1ddk+7DHG7HqEffF16rZ4oBpyxGb1yfTw1AhWJ2EwWc3
BG636P7dYgFzr3/27+1HaO5PsZ1QR51oE+vITwVjGXNMY86zDSZdnyB9xb2te3pK
fTubUU4eZQJVeuAKXjsTPHgFuGrm6uZWM+lAYMF1dZk18xQiVfOTjZ45YkVTtznD
ANNNL6CMVaQhrJkDzu7iw+wO09OMiaOkObAY641oekDlMAutosd2sbkAW7y5tEML
O29Q289ND+qGD57kHnpGVWux/ZKkf3lXL94M6Ci8HBG0rvkCFqsxzABidAtGHh8R
Czzd/ZoNE7zyvleZXaWHCDsyc1jWAl1MBt0Aq5leb8hE5NjSUVwVyb+2U9vOH1Lf
hBkG8w0Cnec=
=YGoQ
-----END PGP SIGNATURE-----
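Editor's note on verifying remediation. Every "4. Solution" section above says only to apply the update and restart Firefox; the five advisories all name the same fixed build, firefox-68.8.0-1 with an el6_10, el7_8, el8_0, el8_1 or el8_2 release suffix. The following POSIX shell script is an added example, not part of the Red Hat advisories or the AusCERT bulletin. It decides from an installed package's name-version-release-arch string whether that host is at or beyond the fixed build, and, when run on a real RHEL 6/7/8 host with rpm present, checks every installed firefox package (the i686 and x86_64 packages can coexist), shows which key signed it, and warns if a browser process is still running on the old code. The version helper is a deliberate simplification: it compares dotted numeric versions plus the leading integer of the release, which is sufficient for firefox NVRs but is not the full rpmvercmp algorithm. The sample NVRA strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's or AusCERT's code): is the installed firefox RPM
# at or beyond the build shipped by RHSA-2020:2031/2032/2033/2036/2037?
# Assumes RHEL 6/7/8 with rpm for the live check. The comparison below handles
# dotted numeric versions and the leading release number only; it is NOT the
# full rpmvercmp algorithm (use rpmdev-vercmp from rpmdevtools for that).

FIXED_VERSION="68.8.0"   # Firefox ESR version named in all five advisories
FIXED_RELEASE=1          # release number before the .elX_Y suffix

# vercmp A B: print lt, eq or gt for two dotted numeric version strings.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -n "$ax" ] || ax=0          # a missing trailing field counts as 0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -lt "$bx" ]; then echo lt; return; fi
        if [ "$ax" -gt "$bx" ]; then echo gt; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo eq
}

# is_fixed NVRA: exit 0 when e.g. firefox-68.8.0-1.el7_8.x86_64 is fixed, 1 when not.
is_fixed() {
    rest="${1#firefox-}"             # 68.8.0-1.el7_8.x86_64
    ver="${rest%%-*}"                # 68.8.0
    rel="${rest#*-}"                 # 1.el7_8.x86_64
    relnum="${rel%%.*}"              # 1
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        gt) return 0 ;;
        lt) return 1 ;;
    esac
    [ "$relnum" -ge "$FIXED_RELEASE" ]   # same version: compare release number
}

# classify NVRA: print FIXED or VULNERABLE for a package string.
classify() {
    if is_fixed "$1"; then echo FIXED; else echo VULNERABLE; fi
}

# Live check on a RHEL host. Skipped silently when rpm or firefox is absent.
if command -v rpm >/dev/null 2>&1 && rpm -q firefox >/dev/null 2>&1; then
    for nvra in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' firefox); do
        echo "$(classify "$nvra"): $nvra (fixed build: firefox-$FIXED_VERSION-$FIXED_RELEASE.elX)"
    done
    # The advisories say the packages are GPG signed by Red Hat; an installed
    # package that shows "(none)" here did not come from a signed Red Hat build.
    rpm -qi firefox | grep -i '^Signature'
    # An updated binary on disk does not help a browser that is still running.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x firefox >/dev/null 2>&1; then
        echo "firefox is running: restart it so the 68.8.0 ESR binary is loaded"
    fi
fi
```

A host that prints VULNERABLE needs `yum update firefox` (or `dnf update firefox` on RHEL 8) from a Red Hat repository, then a browser restart; a host that prints FIXED but also prints the restart warning is still executing the pre-update code until every Firefox process exits.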