Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2605
firefox security update
31 July 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Red Hat Enterprise Linux Server 8
Red Hat Enterprise Linux WS/Desktop 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-15659 CVE-2020-15652 CVE-2020-6514
CVE-2020-6463
Reference: ESB-2020.2598
ESB-2020.2597
ESB-2020.2596
ESB-2020.2594
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:3241
https://access.redhat.com/errata/RHSA-2020:3253
https://access.redhat.com/errata/RHSA-2020:3254
Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3241-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3241
Issue date: 2020-07-30
CVE Names: CVE-2020-6463 CVE-2020-6514 CVE-2020-15652
CVE-2020-15659
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.11.0 ESR.
Security Fix(es):
* chromium-browser: Use after free in ANGLE (CVE-2020-6463)
* chromium-browser: Inappropriate implementation in WebRTC (CVE-2020-6514)
* Mozilla: Potential leak of redirect targets when loading scripts in a
worker (CVE-2020-15652)
* Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
(CVE-2020-15659)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1840893 - CVE-2020-6463 chromium-browser: Use after free in ANGLE
1857349 - CVE-2020-6514 chromium-browser: Inappropriate implementation in WebRTC
1861570 - CVE-2020-15652 Mozilla: Potential leak of redirect targets when loading scripts in a worker
1861572 - CVE-2020-15659 Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
firefox-68.11.0-1.el8_2.src.rpm
aarch64:
firefox-68.11.0-1.el8_2.aarch64.rpm
firefox-debuginfo-68.11.0-1.el8_2.aarch64.rpm
firefox-debugsource-68.11.0-1.el8_2.aarch64.rpm
ppc64le:
firefox-68.11.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-68.11.0-1.el8_2.ppc64le.rpm
firefox-debugsource-68.11.0-1.el8_2.ppc64le.rpm
s390x:
firefox-68.11.0-1.el8_2.s390x.rpm
firefox-debuginfo-68.11.0-1.el8_2.s390x.rpm
firefox-debugsource-68.11.0-1.el8_2.s390x.rpm
x86_64:
firefox-68.11.0-1.el8_2.x86_64.rpm
firefox-debuginfo-68.11.0-1.el8_2.x86_64.rpm
firefox-debugsource-68.11.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6463
https://access.redhat.com/security/cve/CVE-2020-6514
https://access.redhat.com/security/cve/CVE-2020-15652
https://access.redhat.com/security/cve/CVE-2020-15659
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyJ5J9zjgjWX9erEAQglyA/+KYo5ErwmU9Dd6XeOKFY0Pa7JeMMCqlY/
mS2KmJF2Y+iu9cOTs95zoyn3Bt07ezfisfOWot1SY7HiqxJYTlpcVzcG4vecSFR7
iVhxM2d4npfFRH6kw55TbR0k+gSGR1J7OJ8qMZXYbGAtaSq9anN6W3dTK2xl2r+x
SmKyzSf5yei4YyOKlZmbCrESPcCxS9f+isbqt4dXF5Ftn5Sv8AvUaKZrLpP/Zu46
uJub/9TFHlNPZfFHmPbguLdWYYW1AeOuQJ2iay11QjUWVWnBWDxnz6OH3MsbYTdU
dH9YRfbck+r5ZSEI7o3MlVZdTKN9ecg2fd0bxyVz5J16urnJ4Ihw3uJTnBlvnj1u
nydNOz+kecpM4qZ4+5m853LkXNvW7ZfXkpKCWAJjOST/Ne7HMU1dPDlrt+JUJubH
FoNiN0CmVzdMt4r7m6PwQO7P3J9oDuHinubuaIylATTcUSCsBm2ejwUiJ+iVhTtB
wl2a7gpSUwEQuM87huH4LCW/KjtXw12s+cVbIiMngK2qDCYAP8oyRjIcC+sjI57g
AEkNgsCiyPo4TPCdmhHSEB4MAG6BH3MZGUzLIQ59Bo0hUNS+3l60VmNAAR396QPv
T580Nxq/VgFtg23rXHZ1u8GQknMPNisLyrmO65Jz6SNZOKMz1CzXC08UHKSYIGe/
TfnT/2xwi3s=
=wb47
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3253-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3253
Issue date: 2020-07-30
CVE Names: CVE-2020-6463 CVE-2020-6514 CVE-2020-15652
CVE-2020-15659
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.11.0 ESR.
Security Fix(es):
* chromium-browser: Use after free in ANGLE (CVE-2020-6463)
* chromium-browser: Inappropriate implementation in WebRTC (CVE-2020-6514)
* Mozilla: Potential leak of redirect targets when loading scripts in a
worker (CVE-2020-15652)
* Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
(CVE-2020-15659)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1840893 - CVE-2020-6463 chromium-browser: Use after free in ANGLE
1857349 - CVE-2020-6514 chromium-browser: Inappropriate implementation in WebRTC
1861570 - CVE-2020-15652 Mozilla: Potential leak of redirect targets when loading scripts in a worker
1861572 - CVE-2020-15659 Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
firefox-68.11.0-1.el7_8.src.rpm
x86_64:
firefox-68.11.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
firefox-68.11.0-1.el7_8.i686.rpm
firefox-debuginfo-68.11.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
firefox-68.11.0-1.el7_8.src.rpm
ppc64:
firefox-68.11.0-1.el7_8.ppc64.rpm
firefox-debuginfo-68.11.0-1.el7_8.ppc64.rpm
ppc64le:
firefox-68.11.0-1.el7_8.ppc64le.rpm
firefox-debuginfo-68.11.0-1.el7_8.ppc64le.rpm
s390x:
firefox-68.11.0-1.el7_8.s390x.rpm
firefox-debuginfo-68.11.0-1.el7_8.s390x.rpm
x86_64:
firefox-68.11.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64:
firefox-68.11.0-1.el7_8.i686.rpm
firefox-debuginfo-68.11.0-1.el7_8.i686.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
firefox-68.11.0-1.el7_8.src.rpm
x86_64:
firefox-68.11.0-1.el7_8.x86_64.rpm
firefox-debuginfo-68.11.0-1.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
firefox-68.11.0-1.el7_8.i686.rpm
firefox-debuginfo-68.11.0-1.el7_8.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6463
https://access.redhat.com/security/cve/CVE-2020-6514
https://access.redhat.com/security/cve/CVE-2020-15652
https://access.redhat.com/security/cve/CVE-2020-15659
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyMgu9zjgjWX9erEAQg1Lw//ThDhQNyzbi/DcKqRZ4oE2crnYGEpor13
fbkpiATllwswE+uVcroydKTdj+hFJ3kopnSxTL2uvtIqq2fNAVRQiCyRwR5Cza7X
i9khFoKJOoEtw4ZpkMOXEQxWBeAX9Jo8et1e3Fq0FP7SJvt+rTFJag380FKi+qUu
Ixy+ks3rKmFPUdvSbqm4OMIIPJUJa04xRtx9qrHgMSsxw88bwEUezckl0unJorCq
iGI2j9hjmiYGKhzr9TamTaQqRIKenn1E8J8gYrgHO5fBMaD5JaPchYM5KjPCsAyz
Tv97a31s16Vn+gUKbb8HGORbXd1V8JtzqYowyQJm+DIj6/K1g0Ahjui7wI1+HIvq
eQokM/2JHqulmG39kwfEze4X0T/AIiGKFxhLutRbih+YZ9XJ5utmhnJ02ueK7TWM
rRRlyWw/lmryGCK5zOL5+9tx4rJUHxwiaQSDcCzf5Dtf4mEPhsizT5KBJCbdd5ZO
AP+/eyAFnb5z/+Fsj35glsgF5mNuDb/DiYFKjrg11KKp/aViNx709ZVmi/jcGd6c
hoba26uGhr4Dn8oWI+r0M5R/+jfiyJ0Ay/xhQrjwnj/hNArf0+Re3wsqtCTbRVrA
PeesTMwXOBpuVJ7wCWtE1Ns2UdKy3COnBTla4xRE3U5JKSSD+Coi2HEwhZW0zUhH
EmDN6VjH+XE=
=JK3R
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3254-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3254
Issue date: 2020-07-30
CVE Names: CVE-2020-6463 CVE-2020-6514 CVE-2020-15652
CVE-2020-15659
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 68.11.0 ESR.
Security Fix(es):
* chromium-browser: Use after free in ANGLE (CVE-2020-6463)
* chromium-browser: Inappropriate implementation in WebRTC (CVE-2020-6514)
* Mozilla: Potential leak of redirect targets when loading scripts in a
worker (CVE-2020-15652)
* Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
(CVE-2020-15659)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1840893 - CVE-2020-6463 chromium-browser: Use after free in ANGLE
1857349 - CVE-2020-6514 chromium-browser: Inappropriate implementation in WebRTC
1861570 - CVE-2020-15652 Mozilla: Potential leak of redirect targets when loading scripts in a worker
1861572 - CVE-2020-15659 Mozilla: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
firefox-68.11.0-1.el8_1.src.rpm
aarch64:
firefox-68.11.0-1.el8_1.aarch64.rpm
firefox-debuginfo-68.11.0-1.el8_1.aarch64.rpm
firefox-debugsource-68.11.0-1.el8_1.aarch64.rpm
ppc64le:
firefox-68.11.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-68.11.0-1.el8_1.ppc64le.rpm
firefox-debugsource-68.11.0-1.el8_1.ppc64le.rpm
s390x:
firefox-68.11.0-1.el8_1.s390x.rpm
firefox-debuginfo-68.11.0-1.el8_1.s390x.rpm
firefox-debugsource-68.11.0-1.el8_1.s390x.rpm
x86_64:
firefox-68.11.0-1.el8_1.x86_64.rpm
firefox-debuginfo-68.11.0-1.el8_1.x86_64.rpm
firefox-debugsource-68.11.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-6463
https://access.redhat.com/security/cve/CVE-2020-6514
https://access.redhat.com/security/cve/CVE-2020-15652
https://access.redhat.com/security/cve/CVE-2020-15659
https://access.redhat.com/security/updates/classification/#important
https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXyMe2tzjgjWX9erEAQiMVRAAmN/DzFFd3/qeFZqBRIqxtIY+lMZEMi0B
FnbXnuE/fGOiV/qNveQ5d/2HUjW+j5crVzh4TjcrFMuKHu6y6BWAHpT5+qR5LO9L
SvoOYMvfedrHqKSTbTJeeaWG5OI6sDCCj9ZM3YyjdNuuncSBdu15Zv+YYHJU4bUn
Sf103Wo5+YL0xpPYQhc6pbqws3uOgb7uQhJhesfY0O5uXU4jTIdRDXUg0PQTqs29
JQk2p2ka89S+hGTuzlFGRd5DudEXOVwJGyWg+/wQlkXTZIFif2Bxas+XE+eh/s/n
/+IRxA8qtqWBjogyMIrWU/iImdRbKCcL/qm4ZNbvc/6MalevIM501Py+TFZuB4mY
EyMs7E/YOOsuBmMUg15d3AlUayqS1kJy4oiLISlDY8yaZvheRvcNuMC+wZWXF7IY
H6vTRCRDViUGXVYkATeSYfCgESm1/kpxMWPXUPYXL59u5qaO7ERImXmHhrrF8NYx
UiRCs4aoQyIU9Vv8FrHfX/ZXlOLJX4vItdHI7kpbXhfNl4NFjfqPTDM4sxxeQLMJ
FMJ4uGeoag2068KYWwMYNHe1sqPt97YJ6CejZNOugW+jl6YDSg9SNvfQ68hkIeJV
lREUp5Ke3KTWit10eRAGlSnno/QMZcamz3ZNWEzprq3D6NnPZy3Dz735DghM4vfd
ENVFOrsrvrs=
=Mylk
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXyNly+NLKJtyKPYoAQi/Gw//eYMLzbH3TPMc9Lf+ytQ9r/3dG+eGVSJm
iJ//3tI48a75mvEDiwxxmhyej4bc+zGchNXurMlmQ4BSuhUiGAF58qESbn7RhNLq
NWUdV25FR9XnGTZcgPyp1/jInNU0WZY9Al37QsZQNaa1rFt9hqf5L7Dc/GMnzAX3
S70eZSrIpEXzgfP7w3m3IsuqoV6ElHrHnW6CoGDCbzVHRH54r2+hMd2TKbntnx8X
rE9KaknhYTTOn3tptnAOkoIDMPWVQVcFdzQEzaCdDqOfBVoQx1nuI+aipr82CKub
GBVPBBeZm8ikMe3Ye7aoxw6oy7bm/f/1AW2uj1lRLHxQMVZnmlNPwdv/SL2nMJFn
N8V+BPqWCmR8xzfMhbSruvkHWs3wurMsEb8ulgQftb9NdwhA6DBFJWM4o+HahPV5
WidxBjjbBzQ1MEZdg5qCDs/jA68r2magoyZVhcABA/mNX5jtcviBGd9PAwCStfp2
mAd5G0PQA6jGwhwquNlMole6j+OJgyN9GYU0Y1YcgiKwO4BsVg+MNyKyLXI+PksQ
BmyUTBusd2jFds4z8Qz8L18JXoGFqizUeWmu79pjahqwqa6IOLmGDrCqD6osIuM+
jzU9+HEUIV6jPmJXiEF6S4Z6gfS3CvykdwRL1IScXM+nrITPvrPyC3qxjNY4x9nd
AuLXUscKVf4=
=gwmo
-----END PGP SIGNATURE-----