Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4079
firefox security update
18 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-26950
Reference: ESB-2020.4069
ESB-2020.4056
ESB-2020.4038
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:5135
https://access.redhat.com/errata/RHSA-2020:5138
https://access.redhat.com/errata/RHSA-2020:5139
Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:5135-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5135
Issue date: 2020-11-17
CVE Names: CVE-2020-26950
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.4.1 ESR.
Security Fix(es):
* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
firefox-78.4.1-1.el8_1.src.rpm
aarch64:
firefox-78.4.1-1.el8_1.aarch64.rpm
firefox-debuginfo-78.4.1-1.el8_1.aarch64.rpm
firefox-debugsource-78.4.1-1.el8_1.aarch64.rpm
ppc64le:
firefox-78.4.1-1.el8_1.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el8_1.ppc64le.rpm
firefox-debugsource-78.4.1-1.el8_1.ppc64le.rpm
s390x:
firefox-78.4.1-1.el8_1.s390x.rpm
firefox-debuginfo-78.4.1-1.el8_1.s390x.rpm
firefox-debugsource-78.4.1-1.el8_1.s390x.rpm
x86_64:
firefox-78.4.1-1.el8_1.x86_64.rpm
firefox-debuginfo-78.4.1-1.el8_1.x86_64.rpm
firefox-debugsource-78.4.1-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX7P7xtzjgjWX9erEAQicYQ/8DWg/CkdASNjLtnjdSNHAhKWqV93YVSoI
DIKKjydvZ3Ty9yW1LTR/qpPh/aEIunuyTnSUcBxpjRyBA5ilhGMNjF6eZeYWlivP
2vnGXxX2Z9EdUib9ENalN+Ujx/Cw0D6eMqXI0MIN/AJZqR1UF8AKLeHvcLhvdlI8
drVEcXCuw6ABrZprJ/oyP9AbZ0L1y8FzAlZ8n5XNcXC7RAZRc3TJO+g9yQuYR0gv
YnXZ1+nSoyFdZjZZsOV02m2WBfmt7DTydmx+tCzRJ2x50y3zxV8z7lBUGfu6QR9L
PMQ0CvALHMFkSiVk6zLR5TmbxHTwg8FA6PLm8+SNfVc/Pl6oQfEcrHhcJDYLd6ZT
18Msb6+bfXTaPwqT1hJ3QVJSGgM+bqQDsJPAt1XbIjg1OADHFGc/gAq9Gqpel5K4
s2sPrPBZ56Cl5YB57Skn42MqPXDGxhOilt3qJuHNiETWTG5v2MDhyAcd3JPvBS7Z
x4c0sxJLxgpyPi1KZF5Cu34trSqhQfmVdbqd3G09TlM9QI4mR0lAZ9v8OOhRzLi8
ymWZlxlW2MdtfvbwsaZBOpB3wFoOfOeZnqf99ESBwQa2bM88cBwJvyvzJ92sL6pE
NO3SEEj2z2fHBW47vM71G1CHaLEuiTJkc3Z4eFOIufYFskzJXX+aSYbZMfSV+SoC
A2C64pMCVmc=
=Ttbf
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:5138-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5138
Issue date: 2020-11-17
CVE Names: CVE-2020-26950
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.4.1 ESR.
Security Fix(es):
* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for
6. Package List:
Red Hat Enterprise Linux AppStream E4S (v. 8.0):
Source:
firefox-78.4.1-1.el8_0.src.rpm
aarch64:
firefox-78.4.1-1.el8_0.aarch64.rpm
firefox-debuginfo-78.4.1-1.el8_0.aarch64.rpm
firefox-debugsource-78.4.1-1.el8_0.aarch64.rpm
ppc64le:
firefox-78.4.1-1.el8_0.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el8_0.ppc64le.rpm
firefox-debugsource-78.4.1-1.el8_0.ppc64le.rpm
s390x:
firefox-78.4.1-1.el8_0.s390x.rpm
firefox-debuginfo-78.4.1-1.el8_0.s390x.rpm
firefox-debugsource-78.4.1-1.el8_0.s390x.rpm
x86_64:
firefox-78.4.1-1.el8_0.x86_64.rpm
firefox-debuginfo-78.4.1-1.el8_0.x86_64.rpm
firefox-debugsource-78.4.1-1.el8_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX7QGjtzjgjWX9erEAQgfaBAAj5/WJ6aGh1NmgojmMKnmq5T4EgmiADnS
0tq5Fr5A3/OIrjMmxYO8oIcLbM14+gDWnURgykz5pmUwHuGseD8DfJ5x7q6tqbCA
1RjCLyRpKfrqShrblLnfxHf6iqKKUKMOUA/MsFSlQ/ZJhXdAYy/TbA5k8n2BfiYm
lQFZ212znSFsOfk+KXO+R9V0omQ6q5VmuldD8VtwCrXTeofdKn67N/2qnbd9UYl1
kAbnpxo6yrGh1+JsI1WucHj+/qaRABZ7MGR61mV12qftU/W2Ur+zdEcHGgsmaCdP
V7qaHhEsX+IF9yGm9Xgoivf4ZrrWACjyCse2rRlVfM5vcc3Orj02T10C6MMtBokF
NBhKhB/0381e5ZoK/Qt5+CIrWLlt5pf5TQQ4KtMn+jBiACgFMLBHI6gx+EdxZqoi
Inf0nMCp1HaglhL9K/HIVbknKBqzNLKG/Jgr7nIiaCj5D4jJU/TPSdNydLNJrPzJ
GhXx68A22oR4o5c3qF5sRqdjCGY4aBZA+WrFhNXV5PqA5GkIq7WTppJJtwDkBmbd
QlIy0E8XA2D/VbkcExZZEDwb7d/awvxFkz41BVDDUtCT8JwIdHE6l2pqZlBJAteS
NSMbDu6jjaFEK6tpGJTimmtl/sJWageRiucoJ9Z1v/ZtFxbczSAwJmLiHv6P67bs
6f+xN9wxPe0=
=YhmC
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2020:5139-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5139
Issue date: 2020-11-17
CVE Names: CVE-2020-26950
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.4.1 ESR.
Security Fix(es):
* Mozilla: Write side effects in MCallGetProperty opcode not accounted for
(CVE-2020-26950)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1896306 - CVE-2020-26950 Mozilla: Write side effects in MCallGetProperty opcode not accounted for
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.2):
Source:
firefox-78.4.1-1.el8_2.src.rpm
aarch64:
firefox-78.4.1-1.el8_2.aarch64.rpm
firefox-debuginfo-78.4.1-1.el8_2.aarch64.rpm
firefox-debugsource-78.4.1-1.el8_2.aarch64.rpm
ppc64le:
firefox-78.4.1-1.el8_2.ppc64le.rpm
firefox-debuginfo-78.4.1-1.el8_2.ppc64le.rpm
firefox-debugsource-78.4.1-1.el8_2.ppc64le.rpm
s390x:
firefox-78.4.1-1.el8_2.s390x.rpm
firefox-debuginfo-78.4.1-1.el8_2.s390x.rpm
firefox-debugsource-78.4.1-1.el8_2.s390x.rpm
x86_64:
firefox-78.4.1-1.el8_2.x86_64.rpm
firefox-debuginfo-78.4.1-1.el8_2.x86_64.rpm
firefox-debugsource-78.4.1-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-26950
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX7QhvtzjgjWX9erEAQj/Gg/+Pita6C0jG95zfjpiTHX/0CDw0IOWAqYt
SzEF+YYIWGjrqcjzJx+NUaBIQeJgeSilAMgPq2FRIh83u1eiXg8RomYny2ZAh1ps
dCK8IC/vOJ+GE6aV0dk3BtS88IEM65SfeEpdu/voOrzXU57ZVrKVukyFbCRBujqr
IgAEkEeLWuaBEd2+qTeRWJNgNIKn8RBJdbwuq6RSkN0FWJ+fkcxFWHnlOIO8XfXQ
qPCbKUNT2pSYQ3TlIr7+UaW6nVWMOAxKKW3deaZq06ZLpqWXs8uxsa5MEJiq9rGy
Olf0D2lgTfgeuaxnrcT6UMJzlpwCdav/IWRyucEY1hBl+tdAA38LpmYIUjyFO0TD
Vu2vHth8g0e/UxsmS2fy8kIpU7Ea8bKXlkywzXcyY3uVb4ukyw6v/WGYqa5EFqLE
wwC1348kRa/NOgIWfhH1D+vbGYqW3rU3FA8+Kh541c2yULkcgMXIMxr01zi+LhEd
2Ugl2CgXAEEiwHu2/uz3HrYY8wh2S6gpP2z3+ElyEcKMu2Di4//frefokhXiPR21
t9WZHP//pvlbfujXGmTJSDOHVmfATfwbXRGrIXRYtMJZjGGoyX/23hYiaWldD/bt
kAY8QUsegeukqtSBB8b0nFwFy8hk23FKsqhVpjAdVL7OnUy/Fr/RvK1dqpmEZMmd
IYF/gku9kUs=
=EHdS
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX7RoEeNLKJtyKPYoAQidbxAAgVBMlQPsDHIeAO5FVzlwjiziHM/W8c8T
q57LQqCNV2rhsdSJRlXdLLTG3vuNqcKsIlk+6qIaTQ7xBG/2jxEVMHSCgDgyB/q+
rAdK23GJWmTbWKncmiW8NsQsxmB7OrvwOg7FbBhQdTuI2qzBCrIx1sApJ7xhp1r3
tlzGR+hSMjPk316F8l3MeTDqkwwG2pUfN5RLTzbr+P3K4vbxeJsiIyjafgfIZHKh
NapBhbkvFrMCad121hgiYcTRb0w+SXjH+GkuzyfCZ+xnFICGli30JQExTDnoDrH6
HbCd3UkNmEc4gFHRHb8wv/s91wtfslV7GaECtnGfRyJF7cGIODSe1GUWV67PiVXY
Po7gmdNVKkzeQtyKWG35TaozOezsMgycvm/esr5oDfzqHMr92zKbHRKS9ARmAh78
FErY14tDhKoY/dj8NCBtBpGJUL55xPFrVGu6VxxM0KUbxfyvIXTunjoFZp7Ld0kB
zmEMIYnEnpfFDfmQfXHc2uWIxm5flU1aqVQVI+cGswB0reB+0m8m20EL+eT3L5FK
jMtC0zppGXn1m704pGitWJd5hYBV4so0kXZ9ZOReJRjbrVS/Z32aChARjwBUPwDs
UoinNohNdzThgh48oBhlesI4ERepI9gPPWsWSFNLZUO6mduZXGb7pxtRsJUPI6Oz
KVMjfcC/hzA=
=Ai9J
-----END PGP SIGNATURE-----