===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4038
                          firefox security update
                             13 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firefox
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26950

Reference:         ESB-2020.4030
                   ESB-2020.4024
                   ESB-2020.3977
                   ESB-2020.3944

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:5099
   https://access.redhat.com/errata/RHSA-2020:5100
   https://access.redhat.com/errata/RHSA-2020:5104

Comment: This bulletin contains three (3) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5099-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5099
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

ppc64:
firefox-78.4.1-1.el7_9.ppc64.rpm
firefox-debuginfo-78.4.1-1.el7_9.ppc64.rpm

ppc64le:
firefox-78.4.1-1.el7_9.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el7_9.ppc64le.rpm

s390x:
firefox-78.4.1-1.el7_9.s390x.rpm
firefox-debuginfo-78.4.1-1.el7_9.s390x.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
firefox-78.4.1-1.el7_9.src.rpm

x86_64:
firefox-78.4.1-1.el7_9.x86_64.rpm
firefox-debuginfo-78.4.1-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
firefox-78.4.1-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5100-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5100
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-78.4.1-1.el8_3.src.rpm

aarch64:
firefox-78.4.1-1.el8_3.aarch64.rpm
firefox-debuginfo-78.4.1-1.el8_3.aarch64.rpm
firefox-debugsource-78.4.1-1.el8_3.aarch64.rpm

ppc64le:
firefox-78.4.1-1.el8_3.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el8_3.ppc64le.rpm
firefox-debugsource-78.4.1-1.el8_3.ppc64le.rpm

s390x:
firefox-78.4.1-1.el8_3.s390x.rpm
firefox-debuginfo-78.4.1-1.el8_3.s390x.rpm
firefox-debugsource-78.4.1-1.el8_3.s390x.rpm

x86_64:
firefox-78.4.1-1.el8_3.x86_64.rpm
firefox-debuginfo-78.4.1-1.el8_3.x86_64.rpm
firefox-debugsource-78.4.1-1.el8_3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2020:5104-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5104
Issue date:        2020-11-12
CVE Names:         CVE-2020-26950
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.4.1 ESR.

Security Fix(es):

* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

ppc64:
firefox-78.4.1-1.el6_10.ppc64.rpm
firefox-debuginfo-78.4.1-1.el6_10.ppc64.rpm

s390x:
firefox-78.4.1-1.el6_10.s390x.rpm
firefox-debuginfo-78.4.1-1.el6_10.s390x.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-78.4.1-1.el6_10.src.rpm

i386:
firefox-78.4.1-1.el6_10.i686.rpm

x86_64:
firefox-78.4.1-1.el6_10.x86_64.rpm
firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================