Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1404
firefox security update
27 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firefox
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29946 CVE-2021-29945 CVE-2021-24002
CVE-2021-23999 CVE-2021-23998 CVE-2021-23995
CVE-2021-23994 CVE-2021-23961
Reference: ESB-2021.1393
ESB-2021.1390
ESB-2021.1327
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1360
https://access.redhat.com/errata/RHSA-2021:1361
https://access.redhat.com/errata/RHSA-2021:1362
https://access.redhat.com/errata/RHSA-2021:1363
Comment: This bulletin contains four (4) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2021:1360-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1360
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.10.0 ESR.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
6. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
firefox-78.10.0-1.el8_3.src.rpm
aarch64:
firefox-78.10.0-1.el8_3.aarch64.rpm
firefox-debuginfo-78.10.0-1.el8_3.aarch64.rpm
firefox-debugsource-78.10.0-1.el8_3.aarch64.rpm
ppc64le:
firefox-78.10.0-1.el8_3.ppc64le.rpm
firefox-debuginfo-78.10.0-1.el8_3.ppc64le.rpm
firefox-debugsource-78.10.0-1.el8_3.ppc64le.rpm
s390x:
firefox-78.10.0-1.el8_3.s390x.rpm
firefox-debuginfo-78.10.0-1.el8_3.s390x.rpm
firefox-debugsource-78.10.0-1.el8_3.s390x.rpm
x86_64:
firefox-78.10.0-1.el8_3.x86_64.rpm
firefox-debuginfo-78.10.0-1.el8_3.x86_64.rpm
firefox-debugsource-78.10.0-1.el8_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIahPtzjgjWX9erEAQizTg//ccaflllRZhoozYES3WC8jRTpTW2Hewre
Hhoh2Qr328yH4f7sUr6IGsW/7+ta0oYD7x2sI+X/Xd3Y3hE7nEkwKG9nbjoiorK9
qZoGffWIYLih49o/Yd7jQ4ruqQlLiiqv3atikpnwxsgyEFglvfZ1bRVJMyb7rSHx
ivYIuZtLxnXVDjQLzL+3EawsZeen6SVCJ/Wr0eYSzXsj/RUtQPeSxeQm6/8y7ckA
5ab5eDf2dBsGwUqgInEJhTn/r08pVwmMifKkPYDhmLhEGw86s+XXEvqzaLqr0zDa
8aiRyruRTkxce+3PCgEfzEXE76iwp0+oCmzgCp2M0012bqWImZX7HlRn67F/FkAF
yXidsEPe9dfMfOcjUV6hhajxh6hZIpSY5Aq+CarxRK5Qu1ng57hrZn4VzHNhu5ee
Qq+aWRMKU43um768d2W7e7RM/OTKRS8Kl5yH3k6UR9w04PKcFEMMUEdlZu4oiAKg
uZx9Ij25Dnl/FRrBxMrCh/M+cndoMI5H6B9GkGGJypsvETIbMiedJUYD3kSCXkF7
94UkShwn4v+3Ko543N65FxjFHjCf+zG8HfVhsZyFVhE6PZllGJxP7NpLvT69Ib0M
x1oYhpfw6PXY+HgqXaQc7/iyn2/EFgtMIiYvLSxoroB/tjiROte0NchIcJ+tjYEh
6kcqGeaOe24=
=NvLu
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2021:1361-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1361
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.10.0 ESR.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.2):
Source:
firefox-78.10.0-1.el8_2.src.rpm
aarch64:
firefox-78.10.0-1.el8_2.aarch64.rpm
firefox-debuginfo-78.10.0-1.el8_2.aarch64.rpm
firefox-debugsource-78.10.0-1.el8_2.aarch64.rpm
ppc64le:
firefox-78.10.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-78.10.0-1.el8_2.ppc64le.rpm
firefox-debugsource-78.10.0-1.el8_2.ppc64le.rpm
s390x:
firefox-78.10.0-1.el8_2.s390x.rpm
firefox-debuginfo-78.10.0-1.el8_2.s390x.rpm
firefox-debugsource-78.10.0-1.el8_2.s390x.rpm
x86_64:
firefox-78.10.0-1.el8_2.x86_64.rpm
firefox-debuginfo-78.10.0-1.el8_2.x86_64.rpm
firefox-debugsource-78.10.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIak/tzjgjWX9erEAQhfBA/9EmBBuAYkmUjm10Eg6Ym/DiQTNybKS/UC
iZR7AIy5jR8xAvhfGzloW2axl0BUk4BYt8X4WkEmf4Q6GNvTcplurmCDuBYD3C0z
j3EVgsn/Axpfr7xL8eaObKsc0qWUkB2e86DgnmJ2zz2JUguPTVkJWk9NV7KYiqnv
DGwN7FuhGnFwrkSzJcBFTm1Pp4dgwqeJr8a/iCYvwm842/lnO2nXYXBTrXxiLINS
8DQJ5vEcqTP2QFWd2axBoukoF03zkTtU7WVAQU0Cs9PB3TZGGYRuCpZsdfgUkjmk
oOYA6Y3lT3afQ2dK5HaT8E/F7jmnWVzchB3zP/yMrYPvdOl3Weo2/HpYpSdTjlLu
NMdpX0GKNdFzyixZ22K7hSFQPJNgsq6+zuJWxajBF5fNEOoI9X8eQgA3/8VV0HiA
qi3Tn70KYlTfjodcFxAc17pHjZ0UiakeSbAZ9QZ4ltV89qVXsbI2Zf8EPuoZN+Dv
5MA0IJOZaLAiaVz8oNoGXt6M5yBFGeSME9HD0RHicQPcfWWISJglWlk9oQnMnUWv
CoFHHKrMCQ9q2ty/DPZKi31tc7dQVhf/dcm+NlFa9Uix7e2wIXsVPoUYZh3cTnfx
p9xdlzD/8pCSGA72gMsGL9b34I+17kNwOOw9lobecpU5X3+YLr7uKMSL0t7g6W6r
khzJopw4knc=
=ZyGQ
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2021:1362-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1362
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.10.0 ESR.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
firefox-78.10.0-1.el8_1.src.rpm
aarch64:
firefox-78.10.0-1.el8_1.aarch64.rpm
firefox-debuginfo-78.10.0-1.el8_1.aarch64.rpm
firefox-debugsource-78.10.0-1.el8_1.aarch64.rpm
ppc64le:
firefox-78.10.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-78.10.0-1.el8_1.ppc64le.rpm
firefox-debugsource-78.10.0-1.el8_1.ppc64le.rpm
s390x:
firefox-78.10.0-1.el8_1.s390x.rpm
firefox-debuginfo-78.10.0-1.el8_1.s390x.rpm
firefox-debugsource-78.10.0-1.el8_1.s390x.rpm
x86_64:
firefox-78.10.0-1.el8_1.x86_64.rpm
firefox-debuginfo-78.10.0-1.el8_1.x86_64.rpm
firefox-debugsource-78.10.0-1.el8_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIahA9zjgjWX9erEAQjUmQ/9HW1avsMCMSDH5mBkJLBoCii1+7W+KxzQ
8opEZUkdZtRlWEILIvvZQq9ebJChZib8nkKQV2InLDZQcg5MOkjPrRgTRjQAzap4
hl3oYgfKKFL+hSSUNJAgoapCPznC7o5KpSOBiKrH85SlcqfPmNBgGoa9HvAkQ+49
hGo363dwLKvkTTeuG3CCA7tPF2A5kwocUaFadVvD08rJu+8vA06+Dsy0ltSZQEtC
9ise1HrImxEqnDqq8+fNvjzXRg5RkUd0VsOcmBhjD7mtRNYcNZc1vDINlcNjy/gX
fO/lfME/tgZR0KfmmQ3nF1XAl+1cru/nwVVDeG79LuBOFzPsBXryUXEpn6PI7qhq
9fXfFfkfcelo/lTqzsVj0Eb89eMgRfOr4HJ0/MEOybHTfbbeKBWYpH0Dd4sOdELT
uBvnBAmFPuwN5RN16KNnIhvhTti4+/f/IQs4AIUO+EafgIyk+UDhRQ2iRVbBSEJF
HtQ8P4CDmMM5s7EqKIuY3T6S0CXG0PzkbeXDry3c6GkG7tRMvzdlV8nFKCSe0mGJ
I6tUV660fMPQ/AX1fUmaeKFwKbUcqy8v6ez+ITyN+dVoApKaG8S6kSFn2Xdd5178
DXfgCLHPDslNhSVMyIXbydO0q/RkPVV7B6AwQN0Cs1FPwUYDCrIikJ2yX3Swn0uu
7MDNLBukpzM=
=xfHz
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: firefox security update
Advisory ID: RHSA-2021:1363-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1363
Issue date: 2021-04-26
CVE Names: CVE-2021-23961 CVE-2021-23994 CVE-2021-23995
CVE-2021-23998 CVE-2021-23999 CVE-2021-24002
CVE-2021-29945 CVE-2021-29946
=====================================================================
1. Summary:
An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.
This update upgrades Firefox to version 78.10.0 ESR.
Security Fix(es):
* Mozilla: Out of bound write due to lazy initialization (CVE-2021-23994)
* Mozilla: Use-after-free in Responsive Design Mode (CVE-2021-23995)
* Mozilla: More internal network hosts could have been probed by a
malicious webpage (CVE-2021-23961)
* Mozilla: Secure Lock icon could have been spoofed (CVE-2021-23998)
* Mozilla: Blob URLs may have been granted additional privileges
(CVE-2021-23999)
* Mozilla: Arbitrary FTP command execution on FTP servers using an encoded
URL (CVE-2021-24002)
* Mozilla: Incorrect size computation in WebAssembly JIT could lead to
null-reads (CVE-2021-29945)
* Mozilla: Port blocking could be bypassed (CVE-2021-29946)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1951364 - CVE-2021-23994 Mozilla: Out of bound write due to lazy initialization
1951365 - CVE-2021-23995 Mozilla: Use-after-free in Responsive Design Mode
1951366 - CVE-2021-23998 Mozilla: Secure Lock icon could have been spoofed
1951367 - CVE-2021-23961 Mozilla: More internal network hosts could have been probed by a malicious webpage
1951368 - CVE-2021-23999 Mozilla: Blob URLs may have been granted additional privileges
1951369 - CVE-2021-24002 Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
1951370 - CVE-2021-29945 Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
1951371 - CVE-2021-29946 Mozilla: Port blocking could be bypassed
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
firefox-78.10.0-1.el7_9.src.rpm
x86_64:
firefox-78.10.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.10.0-1.el7_9.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
firefox-78.10.0-1.el7_9.i686.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
firefox-78.10.0-1.el7_9.src.rpm
ppc64:
firefox-78.10.0-1.el7_9.ppc64.rpm
firefox-debuginfo-78.10.0-1.el7_9.ppc64.rpm
ppc64le:
firefox-78.10.0-1.el7_9.ppc64le.rpm
firefox-debuginfo-78.10.0-1.el7_9.ppc64le.rpm
s390x:
firefox-78.10.0-1.el7_9.s390x.rpm
firefox-debuginfo-78.10.0-1.el7_9.s390x.rpm
x86_64:
firefox-78.10.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.10.0-1.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
x86_64:
firefox-78.10.0-1.el7_9.i686.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
firefox-78.10.0-1.el7_9.src.rpm
x86_64:
firefox-78.10.0-1.el7_9.x86_64.rpm
firefox-debuginfo-78.10.0-1.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
firefox-78.10.0-1.el7_9.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23961
https://access.redhat.com/security/cve/CVE-2021-23994
https://access.redhat.com/security/cve/CVE-2021-23995
https://access.redhat.com/security/cve/CVE-2021-23998
https://access.redhat.com/security/cve/CVE-2021-23999
https://access.redhat.com/security/cve/CVE-2021-24002
https://access.redhat.com/security/cve/CVE-2021-29945
https://access.redhat.com/security/cve/CVE-2021-29946
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIao+tzjgjWX9erEAQhzmQ/8DhtWDBfzXnyfQdPYghi3dH/nSeN5IYQZ
7RVywLz0EITJPS0peSM1ufBu9raeAe7M7Zx92usePp7ceTYXdGu3tUPDahVGRo6y
A+c9VGiK8SGPfwYc8QvG7DLkjZXrmmSrP8TFB7fChe6yeJVNPc5+FCoiMEdiv4l8
99VsuUeMlkhgtI0B0KmcKeqO6gziKnb42mCsOCt6vf7CDLNN/eL3FHR/YW5DJmzm
A7VBogIh94m936RJQfCq+MTY6R1+kjo698FqoNX0Nz95oJlzgVQVwzH60z/vGJFO
isanqciJ76p7yoUr0Yvv7CzZiXH22WazFKzQovd72SSNEj2ZRLLlNFCWhPyPyB4F
wFJC/ndcYcfFEP+0aJ5UMS32YlT5v32qDHY3Ti8YTsUqZtwmJgnK6YlAuJLQUTUU
IVHLbx9dNWrsrrW6SFAByhdnRh4lQcvsPmXWUye2t7BVF3eOCiPSo8c0ctIjLkri
TRZr23e+55DlAWGXCvgQMXMIlf60+vGFW1J6wA9I2J1E09Jj0q9RCqnEWecddVBM
n2KmROd9ZrU+RNiW+cv23roRg6We7fgCURXKWMOHmlX37WOfSZ5ZWAb4T9DICZw0
ad/8LyVCalZlOpignUfAxsC/htothdQJ7pL2rCm4nw7Q4U+IW9c9KZfMQAknvbgB
TXe44sBy4Ik=
=G+j3
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIdnHeNLKJtyKPYoAQhLDRAAkg+rtfM+QYZAYHBNdo7pkvAwrM8qwObE
POpmEctwlFYL1aAfmysoN6207hThs62cGPlme8qrpEaqKADPB57KYya8L7r77xhs
Dj+uJkhTR1+Sl+Hhn7QYo/TO0MjzqPRsjaziVCpoxbOdGPCLYYkkqQe7Akp6ZAGI
h8onu/HodLhAs9v8cGcRl9Mn1pyixd5U4k2864N2n/07ips1q5OsVkpp5O+heKDd
YEis01bwYyA2pBUqRlngRRzcdvanAOh61NXSLb8AEc6n7XSbShRIjyaejtS/vIH8
NJGiLxH3+Z94P4cHT6kPygptUsOCkmLax9xC931vfj/UU1Ycx5sRr6D5hToBfZSw
nJD/b66Tv5mdQ8VVmdpSSlbgdelWFZkhXTip4ltSGGiuglJWc9UvZ5tdMmxJXYdJ
A4ttxJHLdIrpyXIPyxYRROJtjsxZDSdq5B7KjqLpAyJ6HlVUGzPH0cQq/R6fyQM1
G7X6WImdxEFv+2ZhZdLMXkszgBCkr5JSCXXqjujnudHveqcuFChPu6OeIU53yfY2
eMLEBzvbjaQwT+ZZRwbbMfya+a0+6jUxWOlI/XuwJUjgEToSmgWmAxVt2cVblfhE
Wi2MG98DbiFC3+VPHrOD0VwixFsNpLCAG1yDC7q7Dbs7I+Bqy81gOpxrnF0Lq/b/
OIsGY61i6kI=
=SNou
-----END PGP SIGNATURE-----