Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4079 firefox security update 18 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: firefox Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Reduced Security -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-26950 Reference: ESB-2020.4069 ESB-2020.4056 ESB-2020.4038 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:5135 https://access.redhat.com/errata/RHSA-2020:5138 https://access.redhat.com/errata/RHSA-2020:5139 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2020:5135-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:5135 Issue date: 2020-11-17 CVE Names: CVE-2020-26950 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.4.1 ESR. Security Fix(es): * Mozilla: Write side effects in MCallGetProperty opcode not accounted for (CVE-2020-26950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: firefox-78.4.1-1.el8_1.src.rpm aarch64: firefox-78.4.1-1.el8_1.aarch64.rpm firefox-debuginfo-78.4.1-1.el8_1.aarch64.rpm firefox-debugsource-78.4.1-1.el8_1.aarch64.rpm ppc64le: firefox-78.4.1-1.el8_1.ppc64le.rpm firefox-debuginfo-78.4.1-1.el8_1.ppc64le.rpm firefox-debugsource-78.4.1-1.el8_1.ppc64le.rpm s390x: firefox-78.4.1-1.el8_1.s390x.rpm firefox-debuginfo-78.4.1-1.el8_1.s390x.rpm firefox-debugsource-78.4.1-1.el8_1.s390x.rpm x86_64: firefox-78.4.1-1.el8_1.x86_64.rpm firefox-debuginfo-78.4.1-1.el8_1.x86_64.rpm firefox-debugsource-78.4.1-1.el8_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-26950 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX7P7xtzjgjWX9erEAQicYQ/8DWg/CkdASNjLtnjdSNHAhKWqV93YVSoI DIKKjydvZ3Ty9yW1LTR/qpPh/aEIunuyTnSUcBxpjRyBA5ilhGMNjF6eZeYWlivP 2vnGXxX2Z9EdUib9ENalN+Ujx/Cw0D6eMqXI0MIN/AJZqR1UF8AKLeHvcLhvdlI8 drVEcXCuw6ABrZprJ/oyP9AbZ0L1y8FzAlZ8n5XNcXC7RAZRc3TJO+g9yQuYR0gv YnXZ1+nSoyFdZjZZsOV02m2WBfmt7DTydmx+tCzRJ2x50y3zxV8z7lBUGfu6QR9L PMQ0CvALHMFkSiVk6zLR5TmbxHTwg8FA6PLm8+SNfVc/Pl6oQfEcrHhcJDYLd6ZT 18Msb6+bfXTaPwqT1hJ3QVJSGgM+bqQDsJPAt1XbIjg1OADHFGc/gAq9Gqpel5K4 s2sPrPBZ56Cl5YB57Skn42MqPXDGxhOilt3qJuHNiETWTG5v2MDhyAcd3JPvBS7Z x4c0sxJLxgpyPi1KZF5Cu34trSqhQfmVdbqd3G09TlM9QI4mR0lAZ9v8OOhRzLi8 ymWZlxlW2MdtfvbwsaZBOpB3wFoOfOeZnqf99ESBwQa2bM88cBwJvyvzJ92sL6pE NO3SEEj2z2fHBW47vM71G1CHaLEuiTJkc3Z4eFOIufYFskzJXX+aSYbZMfSV+SoC A2C64pMCVmc= =Ttbf - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2020:5138-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:5138 Issue date: 2020-11-17 CVE Names: CVE-2020-26950 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.4.1 ESR. Security Fix(es): * Mozilla: Write side effects in MCallGetProperty opcode not accounted for (CVE-2020-26950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.0): Source: firefox-78.4.1-1.el8_0.src.rpm aarch64: firefox-78.4.1-1.el8_0.aarch64.rpm firefox-debuginfo-78.4.1-1.el8_0.aarch64.rpm firefox-debugsource-78.4.1-1.el8_0.aarch64.rpm ppc64le: firefox-78.4.1-1.el8_0.ppc64le.rpm firefox-debuginfo-78.4.1-1.el8_0.ppc64le.rpm firefox-debugsource-78.4.1-1.el8_0.ppc64le.rpm s390x: firefox-78.4.1-1.el8_0.s390x.rpm firefox-debuginfo-78.4.1-1.el8_0.s390x.rpm firefox-debugsource-78.4.1-1.el8_0.s390x.rpm x86_64: firefox-78.4.1-1.el8_0.x86_64.rpm firefox-debuginfo-78.4.1-1.el8_0.x86_64.rpm firefox-debugsource-78.4.1-1.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-26950 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX7QGjtzjgjWX9erEAQgfaBAAj5/WJ6aGh1NmgojmMKnmq5T4EgmiADnS 0tq5Fr5A3/OIrjMmxYO8oIcLbM14+gDWnURgykz5pmUwHuGseD8DfJ5x7q6tqbCA 1RjCLyRpKfrqShrblLnfxHf6iqKKUKMOUA/MsFSlQ/ZJhXdAYy/TbA5k8n2BfiYm lQFZ212znSFsOfk+KXO+R9V0omQ6q5VmuldD8VtwCrXTeofdKn67N/2qnbd9UYl1 kAbnpxo6yrGh1+JsI1WucHj+/qaRABZ7MGR61mV12qftU/W2Ur+zdEcHGgsmaCdP V7qaHhEsX+IF9yGm9Xgoivf4ZrrWACjyCse2rRlVfM5vcc3Orj02T10C6MMtBokF NBhKhB/0381e5ZoK/Qt5+CIrWLlt5pf5TQQ4KtMn+jBiACgFMLBHI6gx+EdxZqoi Inf0nMCp1HaglhL9K/HIVbknKBqzNLKG/Jgr7nIiaCj5D4jJU/TPSdNydLNJrPzJ GhXx68A22oR4o5c3qF5sRqdjCGY4aBZA+WrFhNXV5PqA5GkIq7WTppJJtwDkBmbd QlIy0E8XA2D/VbkcExZZEDwb7d/awvxFkz41BVDDUtCT8JwIdHE6l2pqZlBJAteS NSMbDu6jjaFEK6tpGJTimmtl/sJWageRiucoJ9Z1v/ZtFxbczSAwJmLiHv6P67bs 6f+xN9wxPe0= =YhmC - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2020:5139-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:5139 Issue date: 2020-11-17 CVE Names: CVE-2020-26950 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.4.1 ESR. Security Fix(es): * Mozilla: Write side effects in MCallGetProperty opcode not accounted for (CVE-2020-26950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.2): Source: firefox-78.4.1-1.el8_2.src.rpm aarch64: firefox-78.4.1-1.el8_2.aarch64.rpm firefox-debuginfo-78.4.1-1.el8_2.aarch64.rpm firefox-debugsource-78.4.1-1.el8_2.aarch64.rpm ppc64le: firefox-78.4.1-1.el8_2.ppc64le.rpm firefox-debuginfo-78.4.1-1.el8_2.ppc64le.rpm firefox-debugsource-78.4.1-1.el8_2.ppc64le.rpm s390x: firefox-78.4.1-1.el8_2.s390x.rpm firefox-debuginfo-78.4.1-1.el8_2.s390x.rpm firefox-debugsource-78.4.1-1.el8_2.s390x.rpm x86_64: firefox-78.4.1-1.el8_2.x86_64.rpm firefox-debuginfo-78.4.1-1.el8_2.x86_64.rpm firefox-debugsource-78.4.1-1.el8_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-26950 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX7QhvtzjgjWX9erEAQj/Gg/+Pita6C0jG95zfjpiTHX/0CDw0IOWAqYt SzEF+YYIWGjrqcjzJx+NUaBIQeJgeSilAMgPq2FRIh83u1eiXg8RomYny2ZAh1ps dCK8IC/vOJ+GE6aV0dk3BtS88IEM65SfeEpdu/voOrzXU57ZVrKVukyFbCRBujqr IgAEkEeLWuaBEd2+qTeRWJNgNIKn8RBJdbwuq6RSkN0FWJ+fkcxFWHnlOIO8XfXQ qPCbKUNT2pSYQ3TlIr7+UaW6nVWMOAxKKW3deaZq06ZLpqWXs8uxsa5MEJiq9rGy Olf0D2lgTfgeuaxnrcT6UMJzlpwCdav/IWRyucEY1hBl+tdAA38LpmYIUjyFO0TD Vu2vHth8g0e/UxsmS2fy8kIpU7Ea8bKXlkywzXcyY3uVb4ukyw6v/WGYqa5EFqLE wwC1348kRa/NOgIWfhH1D+vbGYqW3rU3FA8+Kh541c2yULkcgMXIMxr01zi+LhEd 2Ugl2CgXAEEiwHu2/uz3HrYY8wh2S6gpP2z3+ElyEcKMu2Di4//frefokhXiPR21 t9WZHP//pvlbfujXGmTJSDOHVmfATfwbXRGrIXRYtMJZjGGoyX/23hYiaWldD/bt kAY8QUsegeukqtSBB8b0nFwFy8hk23FKsqhVpjAdVL7OnUy/Fr/RvK1dqpmEZMmd IYF/gku9kUs= =EHdS - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX7RoEeNLKJtyKPYoAQidbxAAgVBMlQPsDHIeAO5FVzlwjiziHM/W8c8T q57LQqCNV2rhsdSJRlXdLLTG3vuNqcKsIlk+6qIaTQ7xBG/2jxEVMHSCgDgyB/q+ rAdK23GJWmTbWKncmiW8NsQsxmB7OrvwOg7FbBhQdTuI2qzBCrIx1sApJ7xhp1r3 tlzGR+hSMjPk316F8l3MeTDqkwwG2pUfN5RLTzbr+P3K4vbxeJsiIyjafgfIZHKh NapBhbkvFrMCad121hgiYcTRb0w+SXjH+GkuzyfCZ+xnFICGli30JQExTDnoDrH6 HbCd3UkNmEc4gFHRHb8wv/s91wtfslV7GaECtnGfRyJF7cGIODSe1GUWV67PiVXY Po7gmdNVKkzeQtyKWG35TaozOezsMgycvm/esr5oDfzqHMr92zKbHRKS9ARmAh78 FErY14tDhKoY/dj8NCBtBpGJUL55xPFrVGu6VxxM0KUbxfyvIXTunjoFZp7Ld0kB zmEMIYnEnpfFDfmQfXHc2uWIxm5flU1aqVQVI+cGswB0reB+0m8m20EL+eT3L5FK jMtC0zppGXn1m704pGitWJd5hYBV4so0kXZ9ZOReJRjbrVS/Z32aChARjwBUPwDs UoinNohNdzThgh48oBhlesI4ERepI9gPPWsWSFNLZUO6mduZXGb7pxtRsJUPI6Oz KVMjfcC/hzA= =Ai9J -----END PGP SIGNATURE-----