-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4038
                          firefox security update
                             13 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26950  

Reference:         ESB-2020.4030
                   ESB-2020.4024
                   ESB-2020.3977
                   ESB-2020.3944

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:5099
   https://access.redhat.com/errata/RHSA-2020:5100
   https://access.redhat.com/errata/RHSA-2020:5104

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5099-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5099
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

ppc64:
firefox-78.4.1-1.el7_9.ppc64.rpm
firefox-debuginfo-78.4.1-1.el7_9.ppc64.rpm

ppc64le:
firefox-78.4.1-1.el7_9.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el7_9.ppc64le.rpm

s390x:
firefox-78.4.1-1.el7_9.s390x.rpm
firefox-debuginfo-78.4.1-1.el7_9.s390x.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5100-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5100
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-78.4.1-1.el8_3.src.rpm

aarch64:
firefox-78.4.1-1.el8_3.aarch64.rpm
firefox-debuginfo-78.4.1-1.el8_3.aarch64.rpm
firefox-debugsource-78.4.1-1.el8_3.aarch64.rpm

ppc64le:
firefox-78.4.1-1.el8_3.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el8_3.ppc64le.rpm
firefox-debugsource-78.4.1-1.el8_3.ppc64le.rpm

s390x:
firefox-78.4.1-1.el8_3.s390x.rpm
firefox-debuginfo-78.4.1-1.el8_3.s390x.rpm
firefox-debugsource-78.4.1-1.el8_3.s390x.rpm

x86_64:
firefox-78.4.1-1.el8_3.x86_64.rpm
firefox-debuginfo-78.4.1-1.el8_3.x86_64.rpm
firefox-debugsource-78.4.1-1.el8_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----


- --------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5104-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5104
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950 
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

ppc64:
firefox-78.4.1-1.el6_10.ppc64.rpm
firefox-debuginfo-78.4.1-1.el6_10.ppc64.rpm

s390x:
firefox-78.4.1-1.el6_10.s390x.rpm
firefox-debuginfo-78.4.1-1.el6_10.s390x.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----