Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 501
Alerts This Week
Warning Icon 1 501

Red Hat Enterprise Linux 6: RHSA-2019:1267-01 Critical Firefox Update

red hat
Calendar Grey May 23, 2019
Dist Redhat Esm H88
Important Chromium security patch for CentOS 7 addresses significant buffer overflow vulnerabilities and stability concerns.
An update for firefox is now available for Red Hat Enterprise Linux 6

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Summary

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 60.7.0 ESR.
Security Fix(es):
* Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 (CVE-2019-9800)
* Mozilla: Cross-origin theft of images with createImageBitmap (CVE-2019-9797)
* Mozilla: Type confusion with object groups and UnboxedObjects (CVE-2019-9816)
* Mozilla: Stealing of cross-domain images using canvas (CVE-2019-9817)
* Mozilla: Compartment mismatch with fetch API (CVE-2019-9819)
* Mozilla: Use-after-free of ChromeEventHandler by DocShell (CVE-2019-9820)
* Mozilla: Use-after-free in XMLHttpRequest (CVE-2019-11691)
* Mozilla: Use-after-free removing listeners in the event listener manager (CVE-2019-11692)
* Mozilla: Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693)
* mozilla: Cross-origin theft of images with ImageBitmapRenderingContext (CVE-2018-18511)
* chromium-browser: Out of bounds read in Skia (CVE-2019-5798)
* Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks (CVE-2019-11698)
* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2018-18511 https://access.redhat.com/security/cve/CVE-2019-5798 https://access.redhat.com/security/cve/CVE-2019-7317 https://access.redhat.com/security/cve/CVE-2019-9797 https://access.redhat.com/security/cve/CVE-2019-9800 https://access.redhat.com/security/cve/CVE-2019-9816 https://access.redhat.com/security/cve/CVE-2019-9817 https://access.redhat.com/security/cve/CVE-2019-9819 https://access.redhat.com/security/cve/CVE-2019-9820 https://access.redhat.com/security/cve/CVE-2019-11691 https://access.redhat.com/security/cve/CVE-2019-11692 https://access.redhat.com/security/cve/CVE-2019-11693 https://access.redhat.com/security/cve/CVE-2019-11698 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/

Package List

Red Hat Enterprise Linux Desktop (v. 6):
Source: firefox-60.7.0-1.el6_10.src.rpm
i386: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm
x86_64: firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source: firefox-60.7.0-1.el6_10.src.rpm
x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: firefox-60.7.0-1.el6_10.src.rpm
i386: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm
ppc64: firefox-60.7.0-1.el6_10.ppc64.rpm firefox-debuginfo-60.7.0-1.el6_10.ppc64.rpm
s390x: firefox-60.7.0-1.el6_10.s390x.rpm firefox-debuginfo-60.7.0-1.el6_10.s390x.rpm
x86_64: firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: firefox-60.7.0-1.el6_10.src.rpm
i386:

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2019:1267-01
Product: Red Hat Enterprise Linux
Issue date: 2019-05-23

Topic

An update for firefox is now available for Red Hat Enterprise Linux 6.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64

Bugs Fixed

1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c

1676997 - CVE-2018-18511 mozilla: Cross-origin theft of images with ImageBitmapRenderingContext

1688200 - CVE-2019-5798 chromium-browser: Out of bounds read in Skia

1712617 - CVE-2019-11691 Mozilla: Use-after-free in XMLHttpRequest

1712618 - CVE-2019-11692 Mozilla: Use-after-free removing listeners in the event listener manager

1712619 - CVE-2019-11693 Mozilla: Buffer overflow in WebGL bufferdata on Linux

1712621 - CVE-2019-11698 Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks

1712622 - CVE-2019-9797 Mozilla: Cross-origin theft of images with createImageBitmap

1712623 - CVE-2019-9800 Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7

1712625 - CVE-2019-9816 Mozilla: Type confusion with object groups and UnboxedObjects

1712626 - CVE-2019-9817 Mozilla: Stealing of cross-domain images using canvas

1712628 - CVE-2019-9819 Mozilla: Compartment mismatch with fetch API

1712629 - CVE-2019-9820 Mozilla: Use-after-free of ChromeEventHandler by DocShell

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.