-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2019:2729-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2729 Issue date: 2019-09-11 CVE Names: CVE-2019-9812 CVE-2019-11733 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 ==================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.9.0 ESR. Security Fix(es): * Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812) * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740) * Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742) * Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744) * Mozilla: Use-after-free while manipulating video (CVE-2019-11746) * Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752) * firefox: stored passwords in 'Saved Logins' can be copied without master password entry (CVE-2019-11733) * Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1745687 - CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry 1748652 - CVE-2019-11740 Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 1748653 - CVE-2019-11742 Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images 1748654 - CVE-2019-11743 Mozilla: Cross-origin access to unload event attributes 1748655 - CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML 1748656 - CVE-2019-11746 Mozilla: Use-after-free while manipulating video 1748657 - CVE-2019-11752 Mozilla: Use-after-free while extracting a key value in IndexedDB 1748660 - CVE-2019-9812 Mozilla: Sandbox escape through Firefox Sync 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: firefox-60.9.0-1.el7_7.src.rpm x86_64: firefox-60.9.0-1.el7_7.x86_64.rpm firefox-debuginfo-60.9.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: firefox-60.9.0-1.el7_7.i686.rpm firefox-debuginfo-60.9.0-1.el7_7.i686.rpm Red Hat Enterprise Linux Server (v. 7): Source: firefox-60.9.0-1.el7_7.src.rpm ppc64: firefox-60.9.0-1.el7_7.ppc64.rpm firefox-debuginfo-60.9.0-1.el7_7.ppc64.rpm ppc64le: firefox-60.9.0-1.el7_7.ppc64le.rpm firefox-debuginfo-60.9.0-1.el7_7.ppc64le.rpm s390x: firefox-60.9.0-1.el7_7.s390x.rpm firefox-debuginfo-60.9.0-1.el7_7.s390x.rpm x86_64: firefox-60.9.0-1.el7_7.x86_64.rpm firefox-debuginfo-60.9.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): x86_64: firefox-60.9.0-1.el7_7.i686.rpm firefox-debuginfo-60.9.0-1.el7_7.i686.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: firefox-60.9.0-1.el7_7.src.rpm x86_64: firefox-60.9.0-1.el7_7.x86_64.rpm firefox-debuginfo-60.9.0-1.el7_7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: firefox-60.9.0-1.el7_7.i686.rpm firefox-debuginfo-60.9.0-1.el7_7.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-9812 https://access.redhat.com/security/cve/CVE-2019-11733 https://access.redhat.com/security/cve/CVE-2019-11740 https://access.redhat.com/security/cve/CVE-2019-11742 https://access.redhat.com/security/cve/CVE-2019-11743 https://access.redhat.com/security/cve/CVE-2019-11744 https://access.redhat.com/security/cve/CVE-2019-11746 https://access.redhat.com/security/cve/CVE-2019-11752 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXXjFL9zjgjWX9erEAQjCoRAAoHR6DaG8OOSGX1gshHU5/w93CrExSeRE iLUYmbPTMxwMK+6VLlpT2Htzt8U34uLLrhpgWIJQWnWKjkUuymU/oHZ0xOlTEJVb ENwTkCS4s2PupmfZXVtCPOR2kvhN5acNJjVWGN/LNdH+fYgi1xmWURyTmBCrHLzm 4DWG6C3ATt3/T9+RPWZ8Y9jTYqYTTQEoPmDwkRDSbymb19gfWFBTraSGkfgFoRJP MLvsh9M7elz/BuD57mGGyMpJJOotN9yh4DJEpKSREAoNe48WhVNAyxpgkM3ryN56 8Kgm6SIP0ww5lnt2gxh2RxRAYpzoM+UdwNfvATDPZXFzFuJfJKo9cYb5mxfvvgQz 4kJYclqteEqdEaUMowG9HPALjOey9bvqpmkj2aOlBs61u64UbB6gX9yrahmJFRAD 1W2XK/skEfE6x//Suy4bErRrYDVW+ydezDG8fDJsHY1VJFIwsvm/UatOfFsvTOkF mdVsCwtYLCFt3Sg7c/jlXpWZ0waojBPDXmVljGdSWxdGb/lUDi++Qj+PgqIuiSlj xYV7Pn5Duy+YbBxMgDYd+aWaBTkcnA9gPD2Kit6Y853O/tUVY8BXhe6dP125HjnJ Ep1Z7RWle6xJo4Dq/8HNxqYQf+mvSKxvravyiBiH747v5Urmey4RM6LQS8VgCyw6 9kGHhBdv7qs=RLlg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce