Red Hat Security Advisory 2020-5234-01

Red Hat Security Advisory 2020-5234-01: Posted Nov 30, 2020; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2020-5234-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.5.0 ESR. Issues addressed include bypass, cross site scripting, and use-after-free vulnerabilities.; tags | advisory, web, vulnerability, xss; systems | linux, redhat; advisories | CVE-2020-16012, CVE-2020-26951, CVE-2020-26953, CVE-2020-26956, CVE-2020-26958, CVE-2020-26959, CVE-2020-26960, CVE-2020-26961, CVE-2020-26965, CVE-2020-26968; SHA-256 | 56a7aaae67fca7cf1fb4905b8e07ce739d03cdd7e0e5cabd3e6691ae9b21858d; Download | Favorite | View

Red Hat Security Advisory 2020-5234-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5234-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5234
Issue date:        2020-11-30
CVE Names:         CVE-2020-16012 CVE-2020-26951 CVE-2020-26953
                   CVE-2020-26956 CVE-2020-26958 CVE-2020-26959
                   CVE-2020-26960 CVE-2020-26961 CVE-2020-26965
                   CVE-2020-26968
====================================================================
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.5.0 ESR.

Security Fix(es):

* Mozilla: Parsing mismatches could confuse and bypass security sanitizer
for chrome privileged code (CVE-2020-26951)

* Mozilla: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
(CVE-2020-26968)

* Mozilla: Variable time processing of cross-origin images during drawImage
calls (CVE-2020-16012)

* Mozilla: Fullscreen could be enabled without displaying the security UI
(CVE-2020-26953)

* Mozilla: XSS through paste (manual and clipboard API) (CVE-2020-26956)

* Mozilla: Requests intercepted through ServiceWorkers lacked MIME type
restrictions (CVE-2020-26958)

* Mozilla: Use-after-free in WebRequestService (CVE-2020-26959)

* Mozilla: Potential use-after-free in uses of nsTArray (CVE-2020-26960)

* Mozilla: DoH did not filter IPv4 mapped IP Addresses (CVE-2020-26961)

* Mozilla: Software keyboards may have remembered typed passwords
(CVE-2020-26965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1898731 - CVE-2020-26951 Mozilla: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
1898732 - CVE-2020-16012 Mozilla: Variable time processing of cross-origin images during drawImage calls
1898733 - CVE-2020-26953 Mozilla: Fullscreen could be enabled without displaying the security UI
1898734 - CVE-2020-26956 Mozilla: XSS through paste (manual and clipboard API)
1898735 - CVE-2020-26958 Mozilla: Requests intercepted through ServiceWorkers lacked MIME type restrictions
1898736 - CVE-2020-26959 Mozilla: Use-after-free in WebRequestService
1898737 - CVE-2020-26960 Mozilla: Potential use-after-free in uses of nsTArray
1898738 - CVE-2020-26961 Mozilla: DoH did not filter IPv4 mapped IP Addresses
1898739 - CVE-2020-26965 Mozilla: Software keyboards may have remembered typed passwords
1898741 - CVE-2020-26968 Mozilla: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
firefox-78.5.0-1.el8_2.src.rpm

aarch64:
firefox-78.5.0-1.el8_2.aarch64.rpm
firefox-debuginfo-78.5.0-1.el8_2.aarch64.rpm
firefox-debugsource-78.5.0-1.el8_2.aarch64.rpm

ppc64le:
firefox-78.5.0-1.el8_2.ppc64le.rpm
firefox-debuginfo-78.5.0-1.el8_2.ppc64le.rpm
firefox-debugsource-78.5.0-1.el8_2.ppc64le.rpm

s390x:
firefox-78.5.0-1.el8_2.s390x.rpm
firefox-debuginfo-78.5.0-1.el8_2.s390x.rpm
firefox-debugsource-78.5.0-1.el8_2.s390x.rpm

x86_64:
firefox-78.5.0-1.el8_2.x86_64.rpm
firefox-debuginfo-78.5.0-1.el8_2.x86_64.rpm
firefox-debugsource-78.5.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16012
https://access.redhat.com/security/cve/CVE-2020-26951
https://access.redhat.com/security/cve/CVE-2020-26953
https://access.redhat.com/security/cve/CVE-2020-26956
https://access.redhat.com/security/cve/CVE-2020-26958
https://access.redhat.com/security/cve/CVE-2020-26959
https://access.redhat.com/security/cve/CVE-2020-26960
https://access.redhat.com/security/cve/CVE-2020-26961
https://access.redhat.com/security/cve/CVE-2020-26965
https://access.redhat.com/security/cve/CVE-2020-26968
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX8S0gNzjgjWX9erEAQjehg/7BPLqtvuEZxu0wOKChvHN8JOYrOPWB3R3
eI5JE32WRO1LG3xKHxpfrERdPJ4Qa9RON/PYBig7I7u5Cn/NoS9r5HywTOWdOP8M
kK+AgVWsC/4TczLHv9xp0vjbiXyg24tSzxWf/GmV+BFbjsMpyuW8+NBhfthRNkBY
6jYC8v8N0RaDKcrmMwWEN8Pkp5YDy4B6FD5PuhFmXAamwNKZoveqpb7B6QjcfOK6
JjmzDAseVpauB/IPsvTQJk2lRueLhnBPlhsyYkWgX5sJsCS9pDwL07qGuCiNyJkU
dT6BNxL0A/zmETPd77Lw6C9uQA7xFpWVJdAMyeeerx7LtpcdtXb5HXGgHI3Cqplq
OHbgfvSCMwPB2lMqgCDHRYTu9e/K2mdAB5xIY/UBnrNGnWZ0Zp18dF5bTuMt9kxr
FvXzZYzeg072yqPVauM2yPj0NS9ZsXsY60ILvk8CQ0mMn7t7kMBNDe4z20/oNeAV
M+0C3u6yC3ZdgAGOhBx8kNJytmu1Ij36Bt1TW/H8gzf//YnpCFCwf+jFn/hSjgLk
lebQnkc9xyuye0VehUIr5w8US+bfCmVIA/rNsT+e52kaPp2vjXPEwXDrSAHLgscS
/0fZ2ktSkL9dRMa1tYHhshl3808B70K6GB7IH4/d3YgKQ7XBwyU8nHpw1B0vYihr
eGYuePM/eDU=Iv7c
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2020-5234-01

Red Hat Security Advisory 2020-5234-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2020-5234-01

Share This

Red Hat Security Advisory 2020-5234-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems