Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1605
Critical: firefox security update
7 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux WS/Desktop 6
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-12395 CVE-2020-12392 CVE-2020-12387
CVE-2020-6831
Reference: ESB-2020.1602
ESB-2020.1600
ESB-2020.1599
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2036
https://access.redhat.com/errata/RHSA-2020:2033
https://access.redhat.com/errata/RHSA-2020:2037
https://access.redhat.com/errata/RHSA-2020:2031
https://access.redhat.com/errata/RHSA-2020:2032
Comment: This bulletin contains five (5) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:2036-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2036
Issue date: 2020-05-06
CVE Names: CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
CVE-2020-12395
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.8.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)
* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)
* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)
* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
firefox-68.8.0-1.el6_10.src.rpm
i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
firefox-68.8.0-1.el6_10.src.rpm
x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
firefox-68.8.0-1.el6_10.src.rpm
i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
ppc64:
firefox-68.8.0-1.el6_10.ppc64.rpm
firefox-debuginfo-68.8.0-1.el6_10.ppc64.rpm
s390x:
firefox-68.8.0-1.el6_10.s390x.rpm
firefox-debuginfo-68.8.0-1.el6_10.s390x.rpm
x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
firefox-68.8.0-1.el6_10.src.rpm
i386:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
x86_64:
firefox-68.8.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.8.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
x86_64:
firefox-68.8.0-1.el6_10.i686.rpm
firefox-debuginfo-68.8.0-1.el6_10.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrKVatzjgjWX9erEAQh+Xw//dZUaxqqbDkNE7POX10N8J0CMlgMY70dH
gM7Cqwo9y7s9V3bu4pevz7h+4SaQbCn1o2Q4BXlM+bK04V9GSnEEimmy5/NywxBt
3fNgNT7/WnLwLSohO5JcVAZ3uPzucHSGrUa8ZxNGJbmlTwl2W8qiSiWkVMqAHN6I
+1eX9IohbfHbBYPQPvxnlGmSK0UKA9N3nTiRB8fvg0p/0xJRnWaJXyRuMu5OilTv
bNgRUtWaoWR6ua0/ZnuBx++ZCz4nKjlLKkqspTilKlPVXDoiso58K+dCLSuJw4AL
8Q76TkL+vHeIyyRIdwO5Ot5S/Tdv2xFDlje5b7W8KFHRVqXPQEk4JgBawm7GfIva
jqnvJQQnfGtMIKOzMLVSgUi8V4PNIY6N5en9gewUxxhSgJdg8SjrOHnZWJpS9ZjV
molYtuHuIm5VH1YEL1Ceo2U6nYTECuzfrib7hgaeBYuKcT5o7PgXI5a0D0rGKweZ
iI4DnpMdgYK4vOIkwkwdMBfTMhqNqehdj+79Ga/dHVFXthHzz4sqCyHcUb4VvH63
IoYU5n6p+dNpDXsDKP1SdgyX0h+bqOOieZ6Z3St4MKUHDKXdfyhJjdOen+Sg9l2l
6lPTdjTjXk2IFTJFXaZbHyMEt3tEsbIGQ37/rBX9Pw+2+MA3plUAZMhst2LRhFsa
cTKjoD+h/+U=
=TTbo
- -----END PGP SIGNATURE-----
- -------------------------------------------------------------------------------
Subject: [RHSA-2020:2037-01] Critical: firefox security update
From: "Security announcements for all Red Hat products and services." <rhsa-announce@redhat.com>
Reply-To: rhsa-announce@redhat.com
Date: Wed, 6 May 2020 06:43:06 -0400
To: rhsa-announce@redhat.com
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:2037-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2037
Issue date: 2020-05-06
CVE Names: CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
CVE-2020-12395
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.8.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)
* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)
* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)
* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
firefox-68.8.0-1.el7_8.src.rpm
x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
firefox-68.8.0-1.el7_8.src.rpm
ppc64:
firefox-68.8.0-1.el7_8.ppc64.rpm
firefox-debuginfo-68.8.0-1.el7_8.ppc64.rpm
ppc64le:
firefox-68.8.0-1.el7_8.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el7_8.ppc64le.rpm
s390x:
firefox-68.8.0-1.el7_8.s390x.rpm
firefox-debuginfo-68.8.0-1.el7_8.s390x.rpm
x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
firefox-68.8.0-1.el7_8.src.rpm
x86_64:
firefox-68.8.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.8.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
firefox-68.8.0-1.el7_8.i686.rpm
firefox-debuginfo-68.8.0-1.el7_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrKUt9zjgjWX9erEAQiRdw/+OF/n1a6dSEQegXBgc5Ns2yHWYT/t28Vf
aF1or5+ljVM17BGJg4M6P8jYj29Sli2ZAFybabeVnF62NzZDNzLYlUr8pkZuJSdb
A7FqmmfqEaTEI+VVKnPqnazOL/pf4woFogt1HSkj+9BNkLcrMgDyDIfz+RmhzN00
G5oeVK1JDZq5DAt9Th9+Sk/4T9MKtsCPQyti2DPpCzByuT0U1FzVKPgotfBrSVUC
ajRjtfbw0dwI8OijpPyQYbaqStTtqbm+iQWayfwh8hYV7jyJXqW/MKuLfUSGZnXb
YUWHB79yQZ+ZeLgoL38yA6aDeScBCgbWfOte3o8IQ+EXfiIKo/oy+ZlmYlIoBDYZ
Ct29mhZXvyW8l4/OuAso/8vbRZdOA86ib0FlXE8ywk0ZRdg7LhGBk3hqZpV9/1Hl
ql6PEkf/7k0JAIMUNua4TWdTdlYNpzuLgbF08a7IyOy+pFDOaRz4kgek04lLtbPx
znGLrR5ZT+8sCBuq39rCiLbc2OKhit4K4h8MJoljUnPM8wy4PpaAqUnJG+HO3MIx
cz8myQp/3gwVyymRkfzb99So6yK5MGUF/ITR84xlQRmNyCXiCqOc8Pn2SEB7pq65
3Adx+voN+eg0yf9i4il8+ooUbTbK+WKC+dZg+JrFMKFiQVxzq8nz+pW42UY844C4
GatPWTXCYT8=
=u6Rh
- -----END PGP SIGNATURE-----
- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:2031-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2031
Issue date: 2020-05-06
CVE Names: CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
CVE-2020-12395
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.8.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)
* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)
* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)
* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
firefox-68.8.0-1.el8_2.src.rpm
aarch64:
firefox-68.8.0-1.el8_2.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_2.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_2.aarch64.rpm
ppc64le:
firefox-68.8.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_2.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_2.ppc64le.rpm
s390x:
firefox-68.8.0-1.el8_2.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_2.s390x.rpm
firefox-debugsource-68.8.0-1.el8_2.s390x.rpm
x86_64:
firefox-68.8.0-1.el8_2.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_2.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrJ40tzjgjWX9erEAQhPEg/5AV9V68w1Pwr0fBV0sldXKFnPF+xJ2/2r
eV9Bv46+Tb0gOlak7cLqmbL3FCNhNH2qV2b48UKrvfHZgWu/bIozLyq+JmCeExrk
o0II7XaKja5hBdvKqlKX/4q5sm9PWR+Oay6kX6cR6PwZg91mbJ81QdRuCWBqvCXM
251NMmjzaFBnlLmfhBq/5cRxiNB36UMwn3RTB3Ai0z94WG3XYIEIVujBOjMlaxEq
hn78HOUz34AuCu+kvaJwH3/L3Qtqu2FChlT56bk+TmYx+02mezS6ivhF7+gmal47
379sI7tKEY7CgqFWctrxAeGLzKI/zVR0ucoY9AFrJA1YaY36d6RTsdAQlrX76S6z
4SjhXXKNSnWlGqLkJtIu5oBFPXeGs6zUm8bvWLutQXPmQcUL1CwsCV72BTzzAHIm
zxOE04EU0b3f2UWObI3VUYjbtOxj+YUEyBNdNRaN42JEJgq+S1XjHx+nsdBfXJqY
HZ28fJ8ddzfDiGzkbczrYd8aKcIBIQ6qSbt0kT2ddg4Zm+TYHCk7f0nLGp00Fhwe
k3RjH2q9f+8s/D/XcHjoOvgJaZ4gispSLdxRM6vZeHoS4whcH5mbaCDeU7IMUU+J
s03BH0QOOz5ShDaIpuWzMYitQi5SwZCoxhvtKOSJio2ejhiIY8A+aBirfV0BfsIh
NOHKwK5q/UY=
=XmB/
- -----END PGP SIGNATURE-----
- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:2032-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2032
Issue date: 2020-05-06
CVE Names: CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
CVE-2020-12395
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.8.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)
* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)
* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)
* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
firefox-68.8.0-1.el8_1.src.rpm
aarch64:
firefox-68.8.0-1.el8_1.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_1.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_1.aarch64.rpm
ppc64le:
firefox-68.8.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_1.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_1.ppc64le.rpm
s390x:
firefox-68.8.0-1.el8_1.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_1.s390x.rpm
firefox-debugsource-68.8.0-1.el8_1.s390x.rpm
x86_64:
firefox-68.8.0-1.el8_1.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_1.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrJ01tzjgjWX9erEAQhTMA//TVwCs+i8ol8X5CEKmAQFZhrAVsG9V2i7
ZYUaRXFG+zQA08IUqCqTLGMSqcdocw6fHQwpsPTDU8DmDwmYy7Si/VfsEvVESQ2S
3ghpfuHpOqJNlYofv1s7NLCcqh6f1q3Y0O8RtIthOOGt4/sM0SZMLG4ADxMymzM8
y/RZHDb73AMDiTiZOP4Y5+rRnLqTTpZiQYS/sbsUaQTawdH2uwznEsdzjgqOxmtU
RauwPkMiWbLH2HElzYXrIbj+jtas6NhmsmTSOTRdkrLbnQVbwL5mcMWGGrvx2jhT
V9l5E7CgG8tgJqmBWIIPAWASmVITgWthH9N3ftr6jFwWTqfTUGzLUOoe+2vMlVgS
EyZpY1xSaR3tAsGvim/IGcepI1ybSOTVfUdWpOnjP9deA2HbQtfRMgGmrALeyGJt
6sIUncNT6pOkB3GAaDTdn83Alcpq8Onjc7wTTBqO4fMfxJqtjr3MZgidF5A27mi3
sp2ioTfdhrmDTYCmX2WLqO1UU3DC0k7OTUJtuS+0xnVwpv0Bmr9waAhW9juw/Sls
4FVOBzSowG6VItOkcDzYIK6GmqO7+yXIX8WZ0DhgXfC2zmtb4BUmP+MwqGxZGBMR
dAJmlWRYI79sXMGsATtEKxetZkBurRbhI7xlgsCNmQ2iXzzqrOYn9aVCGFBX56um
OzVfCyer8cY=
=XAve
- -----END PGP SIGNATURE-----
- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:2033-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2033
Issue date: 2020-05-06
CVE Names: CVE-2020-6831 CVE-2020-12387 CVE-2020-12392
CVE-2020-12395
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.8.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free during worker shutdown (CVE-2020-12387)
* Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
(CVE-2020-12395)
* Mozilla: Buffer overflow in SCTP chunk input validation (CVE-2020-6831)
* Mozilla: Arbitrary local file access with 'Copy as cURL' (CVE-2020-12392)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1831761 - CVE-2020-12387 Mozilla: Use-after-free during worker shutdown
1831763 - CVE-2020-6831 Mozilla: Buffer overflow in SCTP chunk input validation
1831764 - CVE-2020-12392 Mozilla: Arbitrary local file access with 'Copy as cURL'
1831765 - CVE-2020-12395 Mozilla: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
6. Package List:
Red Hat Enterprise Linux AppStream E4S (v. 8.0):
Source:
firefox-68.8.0-1.el8_0.src.rpm
aarch64:
firefox-68.8.0-1.el8_0.aarch64.rpm
firefox-debuginfo-68.8.0-1.el8_0.aarch64.rpm
firefox-debugsource-68.8.0-1.el8_0.aarch64.rpm
ppc64le:
firefox-68.8.0-1.el8_0.ppc64le.rpm
firefox-debuginfo-68.8.0-1.el8_0.ppc64le.rpm
firefox-debugsource-68.8.0-1.el8_0.ppc64le.rpm
s390x:
firefox-68.8.0-1.el8_0.s390x.rpm
firefox-debuginfo-68.8.0-1.el8_0.s390x.rpm
firefox-debugsource-68.8.0-1.el8_0.s390x.rpm
x86_64:
firefox-68.8.0-1.el8_0.x86_64.rpm
firefox-debuginfo-68.8.0-1.el8_0.x86_64.rpm
firefox-debugsource-68.8.0-1.el8_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6831
https://access.redhat.com/security/cve/CVE-2020-12387
https://access.redhat.com/security/cve/CVE-2020-12392
https://access.redhat.com/security/cve/CVE-2020-12395
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXrJxF9zjgjWX9erEAQiu0Q/9GkO4R63/ylh8LCgUWaP0tHDXtr4SYkwQ
t6BMLYTJix7Hy7ZUBueIn+tu/LNbiII/VqZNSUlNFIn3U9r4wcYt/iiiBeqsePbM
X9855cVn1453tQYe0+/zwR2FHsG12GwsgHpdtygnRuZCInJzdoyTxA/4H44wvL+y
En22hWlmalNxd8k3+AiNK8UNFwr5/zstVDBy9HVM+c9A6jCZnq8aniE1DXd05d36
GiN3rKPYT5Y3fWfcAL9M0Q2o1Ln+Xwd22FlfCfMVMIu0fza2/QzupVL5Jp0ycG4L
afZK7xAV+itrqu73DAB76HJPQ1HV1a06b4i96eEibLZni8FzoTYsSwdatgtpBN8V
mtJPJyRVlOzM6Yex5lDqcGjtu13bQnBpoAPSR5nRstad3E78GdM+lt2r1r1KjWgW
5udBka3nQFJOmVZpIlfyv6CJ4LATFzOOi+X2feIhoCaCa+0UU9Pj+fM6Dq0viiwL
T5QgOg14rvdSfL+W20U0zCnsRmcfuLrT3qvg4BGtZuJxBOHVNPO2TTK4wUq4vDCs
tk7mU3dsCbG8/zdvRkzr22ym72WqkDAZk0wx/hS3DJaFgWklSfowjdQi9m/LXnGl
stPn8uV9vDPDKHOu5Y7qGAf4Lk8BCfnWUIMLNoFI1dMKGMbjHLG/f6RZgI0VTpnK
iyHqwhGkBRM=
=FNDm
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrNNXmaOgq3Tt24GAQjNxA/9Hy3IJiQYD892AlzOOpiNsDI8bfbku37G
iNB09AUEdQdtQqg+xgdMDaj+pMSPbMMUYOIcyrywKcBY2r63xxwG1qnz74avHves
df0uw5JcBWWeCh71or36Z6qnnkYLmi+7iPWOqxil/gtNHHpgtjv32d0V6//XjBGM
cuDF9bHi1JC5lI277b/NSeGAUd2RyDpdhYxeAq7QUPT0qIdighG/ZXrgPv9K6r8f
xzpwyb650g2tbrObzYZBeIS5oCaPD3t9JJAEcywH4Y9IRMq1e8FSdO1N9QG25t07
uAUycCm52Gn96pCJFY0B1ddk+7DHG7HqEffF16rZ4oBpyxGb1yfTw1AhWJ2EwWc3
BG636P7dYgFzr3/27+1HaO5PsZ1QR51oE+vITwVjGXNMY86zDSZdnyB9xb2te3pK
fTubUU4eZQJVeuAKXjsTPHgFuGrm6uZWM+lAYMF1dZk18xQiVfOTjZ45YkVTtznD
ANNNL6CMVaQhrJkDzu7iw+wO09OMiaOkObAY641oekDlMAutosd2sbkAW7y5tEML
O29Q289ND+qGD57kHnpGVWux/ZKkf3lXL94M6Ci8HBG0rvkCFqsxzABidAtGHh8R
Czzd/ZoNE7zyvleZXaWHCDsyc1jWAl1MBt0Aq5leb8hE5NjSUVwVyb+2U9vOH1Lf
hBkG8w0Cnec=
=YGoQ
-----END PGP SIGNATURE-----