Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1929
firefox security update
4 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux WS/Desktop 6
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Red Hat Enterprise Linux Server 8
Red Hat Enterprise Linux WS/Desktop 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-12410 CVE-2020-12406 CVE-2020-12405
Reference: ESB-2020.1920
ESB-2020.1919
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2378
https://access.redhat.com/errata/RHSA-2020:2379
https://access.redhat.com/errata/RHSA-2020:2380
https://access.redhat.com/errata/RHSA-2020:2381
https://access.redhat.com/errata/RHSA-2020:2382
Comment: This bulletin contains five (5) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:2378-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2378
Issue date: 2020-06-03
CVE Names: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.9.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
firefox-68.9.0-1.el6_10.src.rpm
i386:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
x86_64:
firefox-68.9.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
x86_64:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
firefox-68.9.0-1.el6_10.src.rpm
x86_64:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-68.9.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
firefox-68.9.0-1.el6_10.src.rpm
i386:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
ppc64:
firefox-68.9.0-1.el6_10.ppc64.rpm
firefox-debuginfo-68.9.0-1.el6_10.ppc64.rpm
s390x:
firefox-68.9.0-1.el6_10.s390x.rpm
firefox-debuginfo-68.9.0-1.el6_10.s390x.rpm
x86_64:
firefox-68.9.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
x86_64:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
firefox-68.9.0-1.el6_10.src.rpm
i386:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
x86_64:
firefox-68.9.0-1.el6_10.x86_64.rpm
firefox-debuginfo-68.9.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
x86_64:
firefox-68.9.0-1.el6_10.i686.rpm
firefox-debuginfo-68.9.0-1.el6_10.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXtd36tzjgjWX9erEAQhgXA/7B45JvcDFS4meBXMCohjMzr/Hp2dknB2f
+O7uCtY55Mt4u2KSerFZ01vPtp5qlvohwETfqPhMSBE5MXvx6B2Z+KWdYKO72ht8
ey2Wz5Q0Z/IrDPq8/xdQAsfhP+uCX+1v7Eucz+hwHkK8W4NujXXtGhxFRDpBMPqr
NjXElQbcsN82jab7NYjOWGoEYGQITNk6B4ptyAq0Ql+V5f4eoJ9mdqx34xz+oL6j
z/WoxniKQ6HbRaOZklX7bGu5q9W3so9mH0pJcLvRMjEuy6XStHGF3eBbzIQWCYr6
ahRU2jliA/pXndhRPfU83ldh3ONbkdQWWMbSbqJykf7p1X1pZw7cIhTV244x0Z2u
WAmwKaPqUDSs4aX+7u0eQ18W9/t5QND9t0YFSIaUncJHKD88tN6Hd4hRXKehOCTY
C02lQ942RqHOGylLWbiNX0LSZdyaxhQJB+psgaz97UMf9KtZ9wItqI2MahCwB4gZ
kkXIEv53HAuzwxeH+fR+7SHN1COMnw2qLfpyMresZ68TLjxmTvFKOf4h4SHrqaKA
U0xCP0Et5mcA1svxCOlPi5h9UiZl/vEuOH+vmeVYPHioziMSKeWrN6c+guxi9/o6
/lSHHFY6xxWus2+IDIZ6L81O2Np742kTpZAAARTIRIwCSY5FFfmfP821hgD05rcs
jFHpF/9ZfRY=
=QMCf
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:2379-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2379
Issue date: 2020-06-03
CVE Names: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.9.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
firefox-68.9.0-1.el8_2.src.rpm
aarch64:
firefox-68.9.0-1.el8_2.aarch64.rpm
firefox-debuginfo-68.9.0-1.el8_2.aarch64.rpm
firefox-debugsource-68.9.0-1.el8_2.aarch64.rpm
ppc64le:
firefox-68.9.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-68.9.0-1.el8_2.ppc64le.rpm
firefox-debugsource-68.9.0-1.el8_2.ppc64le.rpm
s390x:
firefox-68.9.0-1.el8_2.s390x.rpm
firefox-debuginfo-68.9.0-1.el8_2.s390x.rpm
firefox-debugsource-68.9.0-1.el8_2.s390x.rpm
x86_64:
firefox-68.9.0-1.el8_2.x86_64.rpm
firefox-debuginfo-68.9.0-1.el8_2.x86_64.rpm
firefox-debugsource-68.9.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXtdjhtzjgjWX9erEAQjg/g/+IQpJJl5Ee8dyGA6mL31Okp8gn4lYzInq
m+FtQuaz8mzAeNFkpXCP7LFpXSi4Cfszjvw6BYvntNNU9B+Wi0baDsA8uJPYCQJ1
tx/2qzSF3WXOyTXWD+mm1rAPCdbMcYM4+UfpYgwB7us8swnNVfatMpewbvb5idRf
T5z+LcU54/oQRQXjjWhdvwHP88BSnIAman3NbXzIQ7lgVMcqMBgLNupRYcujsvBL
Qm7FviECsMIgOJ0DmQ7903N3Rxm9l0NZTFe7n2ZGbIRL/9e0vnvTtIyvlD9yxisb
loEFfr9BZTLIMkEbotVftg4c+j7rd0QNiA9+QtHxwRgcyXbjRRkmxmNJ7QBtjUb/
H00PEGGtfRq3Zhn7jRKW3xE3eV5hU2MCE3cLueBaKNkXicU/Z/FIUYArSsCNjMHK
LsY9F/na99tbsXzlrwC7nE8J3J+8qZwyYJnAKs68K5AzTutD0xW71aRH7EHyVa1N
r/BMoaL2CYSWuzi7y47o3QMlHUPpDA6eIjQLvVM/nJQ7xy2Ui8NrMIEyFY1zjYZN
UiaWgDsiSonYogLxfwqdGcvOIiQjptlvO9rKRvDF2joy+5CCJJAys63W804H5xaX
dAWiRBoq3QSqFDiEGGroajzb9ToVARRPmVG9auB8E0tfj6HaE3N9KBSHMywuWWE9
dFFCySd3MH4=
=PkdX
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:2380-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2380
Issue date: 2020-06-03
CVE Names: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.9.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
firefox-68.9.0-1.el8_1.src.rpm
aarch64:
firefox-68.9.0-1.el8_1.aarch64.rpm
firefox-debuginfo-68.9.0-1.el8_1.aarch64.rpm
firefox-debugsource-68.9.0-1.el8_1.aarch64.rpm
ppc64le:
firefox-68.9.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-68.9.0-1.el8_1.ppc64le.rpm
firefox-debugsource-68.9.0-1.el8_1.ppc64le.rpm
s390x:
firefox-68.9.0-1.el8_1.s390x.rpm
firefox-debuginfo-68.9.0-1.el8_1.s390x.rpm
firefox-debugsource-68.9.0-1.el8_1.s390x.rpm
x86_64:
firefox-68.9.0-1.el8_1.x86_64.rpm
firefox-debuginfo-68.9.0-1.el8_1.x86_64.rpm
firefox-debugsource-68.9.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXtdmktzjgjWX9erEAQiO3g/+NZxkSEuEBm6qDpxKAo2LnIU8AncKqs9M
7KBPUxtgmJFZUyEGLGPQ4g52f+v0/AvciH3gUAj6UvWr3twBuaspEDu+IvFaWPHd
w2OLX9tq9YS9xdSTkwpabMXBZTXkE+aOTiSzlc7iEx90tR2m8FR4aa4uDC8cfXQ0
4X8eg980CPXMprS9inifIVWtXdLN1oGToKKge5jBpzVi98kcCjh2hQquLEIJNtrK
GCYiH3X0V0XUa5fdOVX2kPQPDG2jG1wxOQI1dIi10FkBpXMDvKzkVndu+dUjut3T
ucCnLLOpiqT7PqcUK7rmZxx7NkccUVcv+kiQ57RkIr2ZKb5IAETZ/yH0GhCdoelK
8n4wgOUmyDPluXfaCqePzuWbxF4QGrbiRZmehSrV3VNExX6FMtcVlxzxhxIU9sDq
MWmHrUWqSYfXXLtkUCy/F22vnqchublKWe7E1Z7n0Nu23NA19eLxTpbEr2r5+rpa
FdTp4zhOIeKEcI9HBNqOubv1srcAO9E5/x8rNcc2B1pzu7qkDE/B0LM0XVMqjgTW
yztf/BRok9IAuQCF1ITifmD2oDmCCTxK0brGZlyN89I/scfakdAgtBziQMIUNSUt
ZmF3HS+ebL59uenqrzD+J3ZU5J6cR8J6wddJrjdlZ8T4CHG/9SJw4eXN807OqzrF
aGKRsBBEpbE=
=NJpK
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:2381-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2381
Issue date: 2020-06-03
CVE Names: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.9.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
firefox-68.9.0-1.el7_8.src.rpm
x86_64:
firefox-68.9.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.9.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
firefox-68.9.0-1.el7_8.i686.rpm
firefox-debuginfo-68.9.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
firefox-68.9.0-1.el7_8.src.rpm
ppc64:
firefox-68.9.0-1.el7_8.ppc64.rpm
firefox-debuginfo-68.9.0-1.el7_8.ppc64.rpm
ppc64le:
firefox-68.9.0-1.el7_8.ppc64le.rpm
firefox-debuginfo-68.9.0-1.el7_8.ppc64le.rpm
s390x:
firefox-68.9.0-1.el7_8.s390x.rpm
firefox-debuginfo-68.9.0-1.el7_8.s390x.rpm
x86_64:
firefox-68.9.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.9.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64:
firefox-68.9.0-1.el7_8.i686.rpm
firefox-debuginfo-68.9.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
firefox-68.9.0-1.el7_8.src.rpm
x86_64:
firefox-68.9.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.9.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
firefox-68.9.0-1.el7_8.i686.rpm
firefox-debuginfo-68.9.0-1.el7_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXtflXtzjgjWX9erEAQiTgg//VHwSOV3Dql6EjKDBMgIQwzfBJ06vSLkm
Cb4QDOOTCW0QynZTavR5nnaepln/66aMjmASQ2VD2aOdwiAS76nL1aLFr98RJnSK
AKHL8K7N74V/yDeB4NqgEFnaAyA6P9Ze9m24yr+kZkhhYUYB9ZW1D3pIiyByeACc
cw6gn/I7+trWV04Bz1SXeiTHakUA1aNa4yY2Tfy5WqN2+zcQ5bH36f66PjvmW7CJ
TUWfegRFEfTLfl8ridfXdRL/y6BFZe0KVqFvly/k8faW8aZZXACpcgl0a/ISRFzB
aJxfmoT44NucFlFPIdcBcX2Hs1hHdt01hC/D6Ba+MKGPz7QjlV8we8+rqa3MiEPX
ZRBrx4LjmDxPJ3naowrCj8V/t+GOT891fdlVljLu9VcLW7drm566mWM8B8KaMrMf
/TmW8yoSRmYGEjcAtXHbRK3AsG4rfAYIimwCkevpXvnn3aFI+t8QVAld0LPsWbWo
KzgNxSin4Vv4D4G2JEKt5enm7iE7sf2NcyxBAXj+CyQSAtIWPqjyA+yn/eA/yVJ9
3LWFmmvDtLMirSKIDR6nEItIU9ikvN7RN1T6/OWdgzwktk0FUhQingG0nICOHvlH
cP4amzyStRp09QbKHKBb5a56bTUNVW6Jxaqba1fAetcQETMSHlzCdJA6MCS0F1NG
TIlmSmvw28U=
=tMVH
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:2382-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2382
Issue date: 2020-06-03
CVE Names: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.9.0 ESR.
Security Fix(es):
* Mozilla: Use-after-free in SharedWorkerService (CVE-2020-12405)
* Mozilla: JavaScript Type confusion with NativeTypes (CVE-2020-12406)
* Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
(CVE-2020-12410)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1843030 - CVE-2020-12410 Mozilla: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
1843312 - CVE-2020-12406 Mozilla: JavaScript Type confusion with NativeTypes
1843313 - CVE-2020-12405 Mozilla: Use-after-free in SharedWorkerService
6. Package List:
Red Hat Enterprise Linux AppStream E4S (v. 8.0):
Source:
firefox-68.9.0-1.el8_0.src.rpm
aarch64:
firefox-68.9.0-1.el8_0.aarch64.rpm
firefox-debuginfo-68.9.0-1.el8_0.aarch64.rpm
firefox-debugsource-68.9.0-1.el8_0.aarch64.rpm
ppc64le:
firefox-68.9.0-1.el8_0.ppc64le.rpm
firefox-debuginfo-68.9.0-1.el8_0.ppc64le.rpm
firefox-debugsource-68.9.0-1.el8_0.ppc64le.rpm
s390x:
firefox-68.9.0-1.el8_0.s390x.rpm
firefox-debuginfo-68.9.0-1.el8_0.s390x.rpm
firefox-debugsource-68.9.0-1.el8_0.s390x.rpm
x86_64:
firefox-68.9.0-1.el8_0.x86_64.rpm
firefox-debuginfo-68.9.0-1.el8_0.x86_64.rpm
firefox-debugsource-68.9.0-1.el8_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-12405
https://access.redhat.com/security/cve/CVE-2020-12406
https://access.redhat.com/security/cve/CVE-2020-12410
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXtefStzjgjWX9erEAQhJow/9GUOLe3fNW4ID8z3k28w4hewj7b9oZsnJ
jJbiPKOuNHO13In8kwCNBkci3zuhuUpLztVBZSrEaLkfQwmv3VLthtvs19GnB2J1
br4DhRQFrWXOwHaz+n5+pFu4OKxp9LBlTY+++eOuD4osrPuPgIsUYsR8k9FP1hJ+
mN2Gee11yUtRubw3/Z2+TM2dYYWp5/d8jW49eOV8nzgrKge1qZ2rVJaUXEYoYECE
TeqDWK1jc2BaAin4x8m8B8Nt3Cicbbul53mHrln6cTLjAnorchbe4BSc5zK1XS3t
2INYgUyd/rNh2MqoLe0YnJZdBmHlwgkJSWmM9l6BKwysoZuHUQt0+xGa0DQRJFLw
tf4zkM4Gzbf0jaDr1zkIAI6WhaIt0SbUCcd4B/hsymXqCxFbc/jQAlSHibrkDnfS
wYSauScvyuBGkoqJZHKgNNRbUf9P1oCHhMx0hwEvcyhB+D06QUcxOikgbo2MC63K
zeF4ugiuoot52a199kEnb3YN8jMIwHP5xHsDgQPhIZvt2wegdS77J7GKyJatHuvg
q8/R4Z3rHzgdnIMiu1U0sI5hmI6mwF2qyo4z3X7McdymuRnWvPrxQ3ydUYEIu7Nt
svHoAL24h1Fwv2EYqm+5W0SUTQguX712vJY7ZC7zV7NDLbKKmwutidbtD8mK9fGZ
oSHWBSLw6Dk=
=3Erx
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXtg8luNLKJtyKPYoAQhi9xAAqSicn0rbgtt6i0Ch77XcUdkeOBfaMiQK
97+wpe8G0rUTS8xbBQ09BwhbxURgqeFeT2tyQp4CAmaN7u9tjMvZDRPV9PEb675d
XUuJYTbV1V/Lv6TfqQRm5qocjYCt3CKKE266l8d/wS+geHhhN7ClgrOSMcUhGR1b
P4uEvtyqxplkUFaaCQoLai9E4hTkql9AjPsG6W6gpW/nqoeYgvM7PWZs+OGhlIrE
j3hKoX0ZsWzfK7qsZ4hW91LmBV65cYQN6Ub6vhdeSR5uSYJ5L/LYo8LJFwzH8/SH
J7B4IqSzlvm3o2xaWvwS2nPQAdc+hGP05EY5Ljd1kOVEQKWEGjcndaLO7qIqwTp1
GP7LZQiPujsFUaPbgEFId1keGnY/S8DTRkc/lShcHxZ6UKHfWhSBpt3ZN+wCkFrC
7L33q6KHFRZeIDE1CDkhvBvxlEIul1RBGMFKSBIQGkyGSH4PhHFuEJk7yo+TYeI3
Hy/G29SPLQNJEs4HWsKHvgFe9bJITBZj7jytqLfPhfWdgJIHlb1lmpjcELD5gTGw
wokv24Vc4ReKLmGnaPz4f0MopStMFfYUVovvGNOc03jcNKD1NyFvZu05+wEJNIzx
4W+p2duQNmxVPui5U8y3qxgDTQwB4Viu3irZ9WO1srpCIgk7bjRNCAuIApU+eq2e
Zyto4o2G+oE=
=XlFu
-----END PGP SIGNATURE-----