Red Hat Security Advisory 2020-5237-01

Red Hat Security Advisory 2020-5237-01: Posted Nov 30, 2020; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2020-5237-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.5.0 ESR. Issues addressed include bypass, cross site scripting, and use-after-free vulnerabilities.; tags | advisory, web, vulnerability, xss; systems | linux, redhat; advisories | CVE-2020-16012, CVE-2020-26951, CVE-2020-26953, CVE-2020-26956, CVE-2020-26958, CVE-2020-26959, CVE-2020-26960, CVE-2020-26961, CVE-2020-26965, CVE-2020-26968; SHA-256 | 57cad10063be658cb01b40344f1ad6de810ff1e15e20a993ecfcc28448f759e1; Download | Favorite | View

Red Hat Security Advisory 2020-5237-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: firefox security update
Advisory ID:       RHSA-2020:5237-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5237
Issue date:        2020-11-30
CVE Names:         CVE-2020-16012 CVE-2020-26951 CVE-2020-26953
                   CVE-2020-26956 CVE-2020-26958 CVE-2020-26959
                   CVE-2020-26960 CVE-2020-26961 CVE-2020-26965
                   CVE-2020-26968
====================================================================
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance, and portability.

This update upgrades Firefox to version 78.5.0 ESR.

Security Fix(es):

* Mozilla: Parsing mismatches could confuse and bypass security sanitizer
for chrome privileged code (CVE-2020-26951)

* Mozilla: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
(CVE-2020-26968)

* Mozilla: Variable time processing of cross-origin images during drawImage
calls (CVE-2020-16012)

* Mozilla: Fullscreen could be enabled without displaying the security UI
(CVE-2020-26953)

* Mozilla: XSS through paste (manual and clipboard API) (CVE-2020-26956)

* Mozilla: Requests intercepted through ServiceWorkers lacked MIME type
restrictions (CVE-2020-26958)

* Mozilla: Use-after-free in WebRequestService (CVE-2020-26959)

* Mozilla: Potential use-after-free in uses of nsTArray (CVE-2020-26960)

* Mozilla: DoH did not filter IPv4 mapped IP Addresses (CVE-2020-26961)

* Mozilla: Software keyboards may have remembered typed passwords
(CVE-2020-26965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1898731 - CVE-2020-26951 Mozilla: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
1898732 - CVE-2020-16012 Mozilla: Variable time processing of cross-origin images during drawImage calls
1898733 - CVE-2020-26953 Mozilla: Fullscreen could be enabled without displaying the security UI
1898734 - CVE-2020-26956 Mozilla: XSS through paste (manual and clipboard API)
1898735 - CVE-2020-26958 Mozilla: Requests intercepted through ServiceWorkers lacked MIME type restrictions
1898736 - CVE-2020-26959 Mozilla: Use-after-free in WebRequestService
1898737 - CVE-2020-26960 Mozilla: Potential use-after-free in uses of nsTArray
1898738 - CVE-2020-26961 Mozilla: DoH did not filter IPv4 mapped IP Addresses
1898739 - CVE-2020-26965 Mozilla: Software keyboards may have remembered typed passwords
1898741 - CVE-2020-26968 Mozilla: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
firefox-78.5.0-1.el8_3.src.rpm

aarch64:
firefox-78.5.0-1.el8_3.aarch64.rpm
firefox-debuginfo-78.5.0-1.el8_3.aarch64.rpm
firefox-debugsource-78.5.0-1.el8_3.aarch64.rpm

ppc64le:
firefox-78.5.0-1.el8_3.ppc64le.rpm
firefox-debuginfo-78.5.0-1.el8_3.ppc64le.rpm
firefox-debugsource-78.5.0-1.el8_3.ppc64le.rpm

s390x:
firefox-78.5.0-1.el8_3.s390x.rpm
firefox-debuginfo-78.5.0-1.el8_3.s390x.rpm
firefox-debugsource-78.5.0-1.el8_3.s390x.rpm

x86_64:
firefox-78.5.0-1.el8_3.x86_64.rpm
firefox-debuginfo-78.5.0-1.el8_3.x86_64.rpm
firefox-debugsource-78.5.0-1.el8_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-16012
https://access.redhat.com/security/cve/CVE-2020-26951
https://access.redhat.com/security/cve/CVE-2020-26953
https://access.redhat.com/security/cve/CVE-2020-26956
https://access.redhat.com/security/cve/CVE-2020-26958
https://access.redhat.com/security/cve/CVE-2020-26959
https://access.redhat.com/security/cve/CVE-2020-26960
https://access.redhat.com/security/cve/CVE-2020-26961
https://access.redhat.com/security/cve/CVE-2020-26965
https://access.redhat.com/security/cve/CVE-2020-26968
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX8TL1tzjgjWX9erEAQhOMhAAj3ob+3tP9JRJ2YVdhP1jM97JiyuZa2Td
loHsYhz6+2RZMqjmTAvoj7dzGdsQh0/aFgafbOemlhnsTOMaU+N9WbZzDFlYr+Yd
jgr5zgWnfqPjo7aUmRuPnijvWYrasuVZTvFVk7eu7QdlOYj//VtK2k2zFGJbP5Bv
+dpKzOHnwQHIvHw8Dvynxvymtuf1ElEAGh1bCsFH9byRSOaCOQF5vOIEDjvHkHcv
Qj/f1Ja74y0u5Eo5N2L0DC2MRXGc2vDomE3j4ntguU9RfcxwWB90OTNb9vVqfR70
Q3sww3Gsh9T+riTqD7bXLTe6/r6V990YV8Y+qOZLqCJIGI4pNH9qqqoOVo3Mtyuk
tKVpFTKOlqHdc0I3vUoKr9HBIzqBtwzRHbLyuoXNYNEVjw3sEYOZxv5qK9NHrE3s
sAzWn0RsxFhgVl825FNPEzLJFKio791K+94gu6Hv2a68dojKW81G/rJ7+Kcf/S60
Ch8hkD4kzOLOfcId5vZgT/stfOgwcu8OBoA7ErTA1xoLp5k9NGbLw4Uzg+MA1Rsl
uPt6luO/H/iUGCpdZsVuSRM22bz+oFFlJMx9DXRWHLJKXX9KvYBLJZHihItls0bz
XGvsvIOodFbehl7L/LydEvTEO331LXeIOs759R5BWdS8c8MKZEVDO93k8RHwVIGK
2MS/nLiouJk\zi
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 61 files
Debian 20 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,160)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,842)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,249)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,975)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Red Hat Security Advisory 2020-5237-01

Red Hat Security Advisory 2020-5237-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2020-5237-01

Share This

Red Hat Security Advisory 2020-5237-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems