Security vulnerabilities in the firefox software package

=====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3835-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3835
Issue date: 2020-09-24
CVE Names: CVE-2020-15673 CVE-2020-15676 CVE-2020-15677
CVE-2020-15678
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) – i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) – x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) – x86_64
Red Hat Enterprise Linux Server (v. 6) – i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) – x86_64
Red Hat Enterprise Linux Workstation (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) – x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.3.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
(CVE-2020-15673)

* Mozilla: XSS when pasting attacker-controlled data into a contenteditable
element (CVE-2020-15676)

* Mozilla: Download origin spoofing via redirect (CVE-2020-15677)

* Mozilla: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
(CVE-2020-15678)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881664 – CVE-2020-15677 Mozilla: Download origin spoofing via redirect
1881665 – CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element
1881666 – CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
1881667 – CVE-2020-15673 Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
firefox-78.3.0-1.el6_10.src.rpm

i386:
firefox-78.3.0-1.el6_10.i686.rpm

x86_64:
firefox-78.3.0-1.el6_10.x86_64.rpm
firefox-debuginfo-78.3.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

x86_64:
firefox-78.3.0-1.el6_10.i686.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
firefox-78.3.0-1.el6_10.src.rpm

x86_64:
firefox-78.3.0-1.el6_10.i686.rpm
firefox-78.3.0-1.el6_10.x86_64.rpm
firefox-debuginfo-78.3.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
firefox-78.3.0-1.el6_10.src.rpm

i386:
firefox-78.3.0-1.el6_10.i686.rpm

ppc64:
firefox-78.3.0-1.el6_10.ppc64.rpm
firefox-debuginfo-78.3.0-1.el6_10.ppc64.rpm

s390x:
firefox-78.3.0-1.el6_10.s390x.rpm
firefox-debuginfo-78.3.0-1.el6_10.s390x.rpm

x86_64:
firefox-78.3.0-1.el6_10.x86_64.rpm
firefox-debuginfo-78.3.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

x86_64:
firefox-78.3.0-1.el6_10.i686.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
firefox-78.3.0-1.el6_10.src.rpm

i386:
firefox-78.3.0-1.el6_10.i686.rpm

x86_64:
firefox-78.3.0-1.el6_10.x86_64.rpm
firefox-debuginfo-78.3.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

x86_64:
firefox-78.3.0-1.el6_10.i686.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15673
https://access.redhat.com/security/cve/CVE-2020-15676
https://access.redhat.com/security/cve/CVE-2020-15677
https://access.redhat.com/security/cve/CVE-2020-15678
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

=====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3832-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3832
Issue date: 2020-09-24
CVE Names: CVE-2020-15673 CVE-2020-15676 CVE-2020-15677
CVE-2020-15678
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) – aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.3.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
(CVE-2020-15673)

* Mozilla: XSS when pasting attacker-controlled data into a contenteditable
element (CVE-2020-15676)

* Mozilla: Download origin spoofing via redirect (CVE-2020-15677)

* Mozilla: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
(CVE-2020-15678)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881664 – CVE-2020-15677 Mozilla: Download origin spoofing via redirect
1881665 – CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element
1881666 – CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
1881667 – CVE-2020-15673 Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-78.3.0-1.el8_2.src.rpm

aarch64:
firefox-78.3.0-1.el8_2.aarch64.rpm
firefox-debuginfo-78.3.0-1.el8_2.aarch64.rpm
firefox-debugsource-78.3.0-1.el8_2.aarch64.rpm

ppc64le:
firefox-78.3.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-78.3.0-1.el8_2.ppc64le.rpm
firefox-debugsource-78.3.0-1.el8_2.ppc64le.rpm

s390x:
firefox-78.3.0-1.el8_2.s390x.rpm
firefox-debuginfo-78.3.0-1.el8_2.s390x.rpm
firefox-debugsource-78.3.0-1.el8_2.s390x.rpm

x86_64:
firefox-78.3.0-1.el8_2.x86_64.rpm
firefox-debuginfo-78.3.0-1.el8_2.x86_64.rpm
firefox-debugsource-78.3.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15673
https://access.redhat.com/security/cve/CVE-2020-15676
https://access.redhat.com/security/cve/CVE-2020-15677
https://access.redhat.com/security/cve/CVE-2020-15678
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3833-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3833
Issue date: 2020-09-24
CVE Names: CVE-2020-15673 CVE-2020-15676 CVE-2020-15677
CVE-2020-15678
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) – aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.3.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
(CVE-2020-15673)

* Mozilla: XSS when pasting attacker-controlled data into a contenteditable
element (CVE-2020-15676)

* Mozilla: Download origin spoofing via redirect (CVE-2020-15677)

* Mozilla: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
(CVE-2020-15678)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881664 – CVE-2020-15677 Mozilla: Download origin spoofing via redirect
1881665 – CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element
1881666 – CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
1881667 – CVE-2020-15673 Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
firefox-78.3.0-1.el8_1.src.rpm

aarch64:
firefox-78.3.0-1.el8_1.aarch64.rpm
firefox-debuginfo-78.3.0-1.el8_1.aarch64.rpm
firefox-debugsource-78.3.0-1.el8_1.aarch64.rpm

ppc64le:
firefox-78.3.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-78.3.0-1.el8_1.ppc64le.rpm
firefox-debugsource-78.3.0-1.el8_1.ppc64le.rpm

s390x:
firefox-78.3.0-1.el8_1.s390x.rpm
firefox-debuginfo-78.3.0-1.el8_1.s390x.rpm
firefox-debugsource-78.3.0-1.el8_1.s390x.rpm

x86_64:
firefox-78.3.0-1.el8_1.x86_64.rpm
firefox-debuginfo-78.3.0-1.el8_1.x86_64.rpm
firefox-debugsource-78.3.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15673
https://access.redhat.com/security/cve/CVE-2020-15676
https://access.redhat.com/security/cve/CVE-2020-15677
https://access.redhat.com/security/cve/CVE-2020-15678
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: kernel security update
Advisory ID: RHSA-2020:3836-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3836
Issue date: 2020-09-24
CVE Names: CVE-2017-2647
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6.6
Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 6.6) – noarch, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 6.6) – x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es):

* kernel: Null pointer dereference in search_keyring (CVE-2017-2647)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1428353 – CVE-2017-2647 kernel: Null pointer dereference in search_keyring

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 6.6):

Source:
kernel-2.6.32-504.84.1.el6.src.rpm

noarch:
kernel-abi-whitelists-2.6.32-504.84.1.el6.noarch.rpm
kernel-doc-2.6.32-504.84.1.el6.noarch.rpm
kernel-firmware-2.6.32-504.84.1.el6.noarch.rpm

x86_64:
kernel-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debug-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debug-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.84.1.el6.x86_64.rpm
kernel-devel-2.6.32-504.84.1.el6.x86_64.rpm
kernel-headers-2.6.32-504.84.1.el6.x86_64.rpm
perf-2.6.32-504.84.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 6.6):

x86_64:
kernel-debug-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
kernel-debuginfo-common-x86_64-2.6.32-504.84.1.el6.x86_64.rpm
perf-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm
python-perf-2.6.32-504.84.1.el6.x86_64.rpm
python-perf-debuginfo-2.6.32-504.84.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2647
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2020:3834-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3834
Issue date: 2020-09-24
CVE Names: CVE-2020-15673 CVE-2020-15676 CVE-2020-15677
CVE-2020-15678
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) – aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.3.0 ESR.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
(CVE-2020-15673)

* Mozilla: XSS when pasting attacker-controlled data into a contenteditable
element (CVE-2020-15676)

* Mozilla: Download origin spoofing via redirect (CVE-2020-15677)

* Mozilla: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
(CVE-2020-15678)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881664 – CVE-2020-15677 Mozilla: Download origin spoofing via redirect
1881665 – CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element
1881666 – CVE-2020-15678 Mozilla: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
1881667 – CVE-2020-15673 Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
firefox-78.3.0-1.el8_0.src.rpm

aarch64:
firefox-78.3.0-1.el8_0.aarch64.rpm
firefox-debuginfo-78.3.0-1.el8_0.aarch64.rpm
firefox-debugsource-78.3.0-1.el8_0.aarch64.rpm

ppc64le:
firefox-78.3.0-1.el8_0.ppc64le.rpm
firefox-debuginfo-78.3.0-1.el8_0.ppc64le.rpm
firefox-debugsource-78.3.0-1.el8_0.ppc64le.rpm

s390x:
firefox-78.3.0-1.el8_0.s390x.rpm
firefox-debuginfo-78.3.0-1.el8_0.s390x.rpm
firefox-debugsource-78.3.0-1.el8_0.s390x.rpm

x86_64:
firefox-78.3.0-1.el8_0.x86_64.rpm
firefox-debuginfo-78.3.0-1.el8_0.x86_64.rpm
firefox-debugsource-78.3.0-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-15673
https://access.redhat.com/security/cve/CVE-2020-15676
https://access.redhat.com/security/cve/CVE-2020-15677
https://access.redhat.com/security/cve/CVE-2020-15678
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.