
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories

We found 31 articles for you...

openSUSE: Chromium Important Update for Browser Issues CVE-2025-14372

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2025:0470-1
Rating: important
References: #1254776
Cross-References: CVE-2025-14372 CVE-2025-14373
Affected Products: openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

- Chromium 143.0.7499.109 (boo#1254776):
  * CVE-2025-14372: Use after free in Password Manager
  * CVE-2025-14373: Inappropriate implementation in Toolbar
  * third issue with an exploit is known to exist in the wild

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2025-470=1

Package List:

- openSUSE Backports SLE-15-SP7 (aarch64 ppc64le x86_64):

  chromedriver-143.0.7499.109-bp157.2.91.1
  chromium-143.0.7499.109-bp157.2.91.1

References:

https://www.suse.com/security/cve/CVE-2025-14372.html
https://www.suse.com/security/cve/CVE-2025-14373.html
https://bugzilla.suse.com/1254776

Security update for openSUSE's chromium fixes critical vulnerabilities impacting browser functionality. Act now!
openSUSE Chromium Update, browser security patch, important security advisory.
Severity: Important. LinuxSecurity.com Team

Dec 16, 2025 Important OpenSUSE

Mageia 9: 2025-0201 critical: Firefox multiple security issues

MGASA-2025-0201 - Updated rootcerts, nss & firefox packages fix security vulnerabilities

Publication date: 02 Jul 2025
URL: https://advisories.mageia.org/MGASA-2025-0201.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430

CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

CVE-2025-6425: An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.

CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

CVE-2025-6430: When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a or tag, potentially making a website vulnerable to a cross-site scripting attack.

We can't yet ship this update to the armv7hl architecture; we are investigating the issue and will try to update firefox for armv7hl as soon as possible.

References:
- https://bugs.mageia.org/show_bug.cgi?id=34393
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113.html
- https://www.firefox.com/en-US/firefox/128.12.0/releasenotes/?redirect_source=mozilla-org
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/
- https://www.cve.org/CVERecord?id=CVE-2025-6424
- https://www.cve.org/CVERecord?id=CVE-2025-6425
- https://www.cve.org/CVERecord?id=CVE-2025-6429
- https://www.cve.org/CVERecord?id=CVE-2025-6430

SRPMS:
- 9/core/firefox-128.12.0-1.1.mga9
- 9/core/firefox-l10n-128.12.0-1.1.mga9
- 9/core/rootcerts-20250613.00-1.mga9
- 9/core/nss-3.113.0-1.mga9

The latest Mageia 9 updates for Firefox address significant vulnerabilities, including critical patches for various security flaws such as cross-origin scripting.
Firefox Updates, Mageia Security, Exploit Mitigations, Browser Vulnerabilities, NSS Fixes.
Severity: Critical. LinuxSecurity.com Team

Jul 02, 2025 Critical Mageia

Ubuntu 20.04 LTS USN-6562-1 critical: firefox denial of service

==========================================================================
Ubuntu Security Notice USN-6562-1
January 02, 2024

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-6865, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6866, CVE-2023-6867, CVE-2023-6861, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6863, CVE-2023-6864, CVE-2023-6873)

DoHyun Lee discovered that Firefox did not properly manage memory when used on systems with the Mesa VM driver. An attacker could potentially exploit this issue to execute arbitrary code. (CVE-2023-6856)

George Pantela and Hubert Kario discovered that Firefox using multiple NSS NIST curves which were susceptible to a side-channel attack known as "Minerva". An attacker could potentially exploit this issue to obtain sensitive information. (CVE-2023-6135)

Andrew Osmond discovered that Firefox did not properly validate the textures produced by remote decoders. An attacker could potentially exploit this issue to escape the sandbox. (CVE-2023-6860)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  firefox 121.0+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6562-1
  CVE-2023-6135, CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6866, CVE-2023-6867, CVE-2023-6869, CVE-2023-6871, CVE-2023-6872, CVE-2023-6873

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/121.0+build1-0ubuntu0.20.04.1

Security flaws patched in Firefox for Ubuntu 20.04 LTS. Please consult this notice for update directions.
Ubuntu Firefox Security Update, Denial of Service Threat, Browser Exploits.
Severity: Critical. LinuxSecurity.com Team

Jan 02, 2024 Critical Ubuntu

Fedora 38: FEDORA-2023-f8e94641dc moderate: chromium browser exploit

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-f8e94641dc
2023-08-20 00:48:10.269342
--------------------------------------------------------------------------------

Name        : chromium
Product     : Fedora 38
Version     : 116.0.5845.96
Release     : 1.fc38
URL         : https://www.chromium.org/Home/
Summary     : A WebKit (Blink) powered web browser that Google doesn't want you to use
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

--------------------------------------------------------------------------------
Update Information:

update to 116.0.5845.96. Fixes following security issues: CVE-2023-2312 CVE-2023-4349 CVE-2023-4350 CVE-2023-4351 CVE-2023-4352 CVE-2023-4353 CVE-2023-4354 CVE-2023-4355 CVE-2023-4356 CVE-2023-4357 CVE-2023-4358 CVE-2023-4359 CVE-2023-4360 CVE-2023-4361 CVE-2023-4362
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 15 2023 Than Ngo - 116.0.5845.96-1
- update to 116.0.5845.96
* Wed Aug 9 2023 Than Ngo - 115.0.5790.170-2
- set use_all_cpus=1 for aarch64
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2232176 - CVE-2023-2312 chromium-browser: Use after free in Offline
        https://bugzilla.redhat.com/show_bug.cgi?id=2232176
  [ 2 ] Bug #2232177 - CVE-2023-4349 chromium-browser: Use after free in Device Trust Connectors
        https://bugzilla.redhat.com/show_bug.cgi?id=2232177
  [ 3 ] Bug #2232178 - CVE-2023-4350 chromium-browser: Inappropriate implementation in Fullscreen
        https://bugzilla.redhat.com/show_bug.cgi?id=2232178
  [ 4 ] Bug #2232179 - CVE-2023-4351 chromium-browser: Use after free in Network
        https://bugzilla.redhat.com/show_bug.cgi?id=2232179
  [ 5 ] Bug #2232180 - CVE-2023-4352 chromium-browser: Type Confusion in V8
        https://bugzilla.redhat.com/show_bug.cgi?id=2232180
  [ 6 ] Bug #2232181 - CVE-2023-4353 chromium-browser: Heap buffer overflow in ANGLE
        https://bugzilla.redhat.com/show_bug.cgi?id=2232181
  [ 7 ] Bug #2232182 - CVE-2023-4354 chromium-browser: Heap buffer overflow in Skia
        https://bugzilla.redhat.com/show_bug.cgi?id=2232182
  [ 8 ] Bug #2232183 - CVE-2023-4355 chromium-browser: Out of bounds memory access in V8
        https://bugzilla.redhat.com/show_bug.cgi?id=2232183
  [ 9 ] Bug #2232184 - CVE-2023-4356 chromium-browser: Use after free in Audio
        https://bugzilla.redhat.com/show_bug.cgi?id=2232184
  [ 10 ] Bug #2232185 - CVE-2023-4357 chromium-browser: Insufficient validation of untrusted input in XML
        https://bugzilla.redhat.com/show_bug.cgi?id=2232185
  [ 11 ] Bug #2232186 - CVE-2023-4358 chromium-browser: Use after free in DNS
        https://bugzilla.redhat.com/show_bug.cgi?id=2232186
  [ 12 ] Bug #2232187 - CVE-2023-4359 chromium-browser: Inappropriate implementation in App Launcher
        https://bugzilla.redhat.com/show_bug.cgi?id=2232187
  [ 13 ] Bug #2232188 - CVE-2023-4360 chromium-browser: Inappropriate implementation in Color
        https://bugzilla.redhat.com/show_bug.cgi?id=2232188
  [ 14 ] Bug #2232189 - CVE-2023-4361 chromium-browser: Inappropriate implementation in Autofill
        https://bugzilla.redhat.com/show_bug.cgi?id=2232189
  [ 15 ] Bug #2232190 - CVE-2023-4362 chromium-browser: Heap buffer overflow in Mojom IDL
        https://bugzilla.redhat.com/show_bug.cgi?id=2232190
  [ 16 ] Bug #2232191 - CVE-2023-4363 chromium-browser: Inappropriate implementation in WebShare
        https://bugzilla.redhat.com/show_bug.cgi?id=2232191
  [ 17 ] Bug #2232192 - CVE-2023-4364 chromium-browser: Inappropriate implementation in Permission Prompts
        https://bugzilla.redhat.com/show_bug.cgi?id=2232192
  [ 18 ] Bug #2232193 - CVE-2023-4365 chromium-browser: Inappropriate implementation in Fullscreen
        https://bugzilla.redhat.com/show_bug.cgi?id=2232193
  [ 19 ] Bug #2232194 - CVE-2023-4366 chromium-browser: Use after free in Extensions
        https://bugzilla.redhat.com/show_bug.cgi?id=2232194
  [ 20 ] Bug #2232195 - CVE-2023-4367 chromium-browser: Insufficient policy enforcement in Extensions API
        https://bugzilla.redhat.com/show_bug.cgi?id=2232195
  [ 21 ] Bug #2232196 - CVE-2023-4368 chromium-browser: Insufficient policy enforcement in Extensions API
        https://bugzilla.redhat.com/show_bug.cgi?id=2232196
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-f8e94641dc' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

The recent update for Fedora 38 targets several vulnerabilities within the Chromium browser, significantly bolstering user security and privacy.
Fedora 38 Update, Chromium Security Alert, Protection Enhancements.
LinuxSecurity.com Team

Aug 20, 2023 Fedora

Ubuntu 21.10: USN-5475-1 Critical Firefox Security Issue Exploits

=========================================================================
Ubuntu Security Notice USN-5475-1
June 13, 2022

firefox vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, spoof the browser UI, conduct cross-site scripting (XSS) attacks, bypass content security policy (CSP) restrictions, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.10:
  firefox 101.0.1+build1-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:
  firefox 101.0.1+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  firefox 101.0.1+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5475-1
  CVE-2022-1919, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31743, CVE-2022-31744, CVE-2022-31745, CVE-2022-31747, CVE-2022-31748

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.21.10.1
  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.20.04.1
  https://launchpad.net/ubuntu/+source/firefox/101.0.1+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5475-1 tackles vulnerabilities in Firefox; severe problems could result in crashes and execution of unwanted code.
Firefox Exploit, Ubuntu Update, Mozilla Browser Security.
Severity: Critical. LinuxSecurity.com Team

Jun 13, 2022 Critical Ubuntu

Red Hat 8.1 RHSA-2022:0815-01 Critical: Firefox Update Security Threat

====================================================================
Red Hat Security Advisory

Synopsis: Critical: firefox security update
Advisory ID: RHSA-2022:0815-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0815
Issue date: 2022-03-10
CVE Names: CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 CVE-2022-26381 CVE-2022-26383 CVE-2022-26384 CVE-2022-26386 CVE-2022-26387 CVE-2022-26485 CVE-2022-26486
====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.7.0 ESR.

Security Fix(es):

* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
* expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
* expat: Integer overflow in storeRawNames() (CVE-2022-25315)
* Mozilla: Use-after-free in text reflows (CVE-2022-26381)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)
* Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
2061735 - CVE-2022-26486 Mozilla: Use-after-free in WebGPU IPC Framework
2061736 - CVE-2022-26485 Mozilla: Use-after-free in XSLT parameter processing
2062220 - CVE-2022-26383 Mozilla: Browser window spoof using fullscreen mode
2062221 - CVE-2022-26384 Mozilla: iframe allow-scripts sandbox bypass
2062222 - CVE-2022-26387 Mozilla: Time-of-check time-of-use bug when verifying add-on signatures
2062223 - CVE-2022-26381 Mozilla: Use-after-free in text reflows
2062224 - CVE-2022-26386 Mozilla: Temporary files downloaded to /tmp and accessible by other local users

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v.8.1):

Source:
firefox-91.7.0-3.el8_1.src.rpm

ppc64le:
firefox-91.7.0-3.el8_1.ppc64le.rpm
firefox-debuginfo-91.7.0-3.el8_1.ppc64le.rpm
firefox-debugsource-91.7.0-3.el8_1.ppc64le.rpm

x86_64:
firefox-91.7.0-3.el8_1.x86_64.rpm
firefox-debuginfo-91.7.0-3.el8_1.x86_64.rpm
firefox-debugsource-91.7.0-3.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/cve/CVE-2022-26381
https://access.redhat.com/security/cve/CVE-2022-26383
https://access.redhat.com/security/cve/CVE-2022-26384
https://access.redhat.com/security/cve/CVE-2022-26386
https://access.redhat.com/security/cve/CVE-2022-26387
https://access.redhat.com/security/cve/CVE-2022-26485
https://access.redhat.com/security/cve/CVE-2022-26486
https://access.redhat.com/security/updates/classification#critical

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.

Urgent patch release for Firefox on RHEL 8.1. Details on upgrade and potential effects included.
firefox security update, Red Hat advisory, enterprise linux update, critical security patch, software security fix.
Severity: Critical. LinuxSecurity.com Team

Mar 10, 2022 Critical Red Hat

Red Hat: RHSA-2022:0513-01 Important: Firefox Security Update

====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2022:0513-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0513
Issue date: 2022-02-14
CVE Names: CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764
====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.6.0 ESR.

Security Fix(es):

* Mozilla: Extensions could have bypassed permission confirmation during update (CVE-2022-22754)
* Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 (CVE-2022-22764)
* Mozilla: Drag and dropping an image could have resulted in the dropped object being an executable (CVE-2022-22756)
* Mozilla: Sandboxed iframes could have executed script if the parent appended elements (CVE-2022-22759)
* Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types (CVE-2022-22760)
* Mozilla: frame-ancestors Content Security Policy directive was not enforced for framed extension pages (CVE-2022-22761)
* Mozilla: Script Execution during invalid object state (CVE-2022-22763)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2053236 - CVE-2022-22754 Mozilla: Extensions could have bypassed permission confirmation during update
2053237 - CVE-2022-22756 Mozilla: Drag and dropping an image could have resulted in the dropped object being an executable
2053238 - CVE-2022-22760 Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types
2053239 - CVE-2022-22761 Mozilla: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
2053240 - CVE-2022-22763 Mozilla: Script Execution during invalid object state
2053242 - CVE-2022-22759 Mozilla: Sandboxed iframes could have executed script if the parent appended elements
2053243 - CVE-2022-22764 Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:
firefox-91.6.0-1.el8_1.src.rpm

ppc64le:
firefox-91.6.0-1.el8_1.ppc64le.rpm
firefox-debuginfo-91.6.0-1.el8_1.ppc64le.rpm
firefox-debugsource-91.6.0-1.el8_1.ppc64le.rpm

x86_64:
firefox-91.6.0-1.el8_1.x86_64.rpm
firefox-debuginfo-91.6.0-1.el8_1.x86_64.rpm
firefox-debugsource-91.6.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2022-22754
https://access.redhat.com/security/cve/CVE-2022-22756
https://access.redhat.com/security/cve/CVE-2022-22759
https://access.redhat.com/security/cve/CVE-2022-22760
https://access.redhat.com/security/cve/CVE-2022-22761
https://access.redhat.com/security/cve/CVE-2022-22763
https://access.redhat.com/security/cve/CVE-2022-22764
https://access.redhat.com/security/updates/classification#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.

Ubuntu releases a significant patch for Chromium in Server Edition 20.04, tackling multiple severe vulnerabilities.
Red Hat Firefox Update, Important Security Update, Linux Browser Security.
Severity: Important. LinuxSecurity.com Team

Feb 14, 2022 Important Red Hat

Red Hat: RHSA-2022:0126-01 Important: Firefox Security Issues

====================================================================
Red Hat Security Advisory

Synopsis: Important: firefox security update
Advisory ID: RHSA-2022:0126-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0126
Issue date: 2022-01-12
CVE Names: CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751
====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.5.0 ESR.

Security Fix(es):

* Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140)
* Mozilla: Race condition when playing audio files (CVE-2022-22737)
* Mozilla: Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738)
* Mozilla: Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22741)
* Mozilla: Out-of-bounds memory access when inserting text in edit mode (CVE-2022-22742)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22743)
* Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 (CVE-2022-22751)
* Mozilla: Leaking cross-origin URLs through securitypolicyviolation event (CVE-2022-22745)
* Mozilla: Spoofed origin on external protocol launch dialog (CVE-2022-22748)
* Mozilla: Missing throttling on external protocol launch dialog (CVE-2022-22739)
* Mozilla: Crash when handling empty pkcs7 sequence (CVE-2022-22747)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2039561 - CVE-2022-22743 Mozilla: Browser window spoof using fullscreen mode
2039563 - CVE-2022-22742 Mozilla: Out-of-bounds memory access when inserting text in edit mode
2039564 - CVE-2022-22741 Mozilla: Browser window spoof using fullscreen mode
2039565 - CVE-2022-22740 Mozilla: Use-after-free of ChannelEventQueue::mOwner
2039566 - CVE-2022-22738 Mozilla: Heap-buffer-overflow in blendGaussianBlur
2039567 - CVE-2022-22737 Mozilla: Race condition when playing audio files
2039568 - CVE-2021-4140 Mozilla: Iframe sandbox bypass with XSLT
2039569 - CVE-2022-22748 Mozilla: Spoofed origin on external protocol launch dialog
2039570 - CVE-2022-22745 Mozilla: Leaking cross-origin URLs through securitypolicyviolation event
2039572 - CVE-2022-22747 Mozilla: Crash when handling empty pkcs7 sequence
2039573 - CVE-2022-22739 Mozilla: Missing throttling on external protocol launch dialog
2039574 - CVE-2022-22751 Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:
firefox-91.5.0-1.el8_4.src.rpm

aarch64:
firefox-91.5.0-1.el8_4.aarch64.rpm
firefox-debuginfo-91.5.0-1.el8_4.aarch64.rpm
firefox-debugsource-91.5.0-1.el8_4.aarch64.rpm

ppc64le:
firefox-91.5.0-1.el8_4.ppc64le.rpm
firefox-debuginfo-91.5.0-1.el8_4.ppc64le.rpm
firefox-debugsource-91.5.0-1.el8_4.ppc64le.rpm

s390x:
firefox-91.5.0-1.el8_4.s390x.rpm
firefox-debuginfo-91.5.0-1.el8_4.s390x.rpm
firefox-debugsource-91.5.0-1.el8_4.s390x.rpm

x86_64:
firefox-91.5.0-1.el8_4.x86_64.rpm
firefox-debuginfo-91.5.0-1.el8_4.x86_64.rpm
firefox-debugsource-91.5.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4140
https://access.redhat.com/security/cve/CVE-2022-22737
https://access.redhat.com/security/cve/CVE-2022-22738
https://access.redhat.com/security/cve/CVE-2022-22739
https://access.redhat.com/security/cve/CVE-2022-22740
https://access.redhat.com/security/cve/CVE-2022-22741
https://access.redhat.com/security/cve/CVE-2022-22742
https://access.redhat.com/security/cve/CVE-2022-22743
https://access.redhat.com/security/cve/CVE-2022-22745
https://access.redhat.com/security/cve/CVE-2022-22747
https://access.redhat.com/security/cve/CVE-2022-22748
https://access.redhat.com/security/cve/CVE-2022-22751
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

Critical announcement regarding Firefox on Red Hat Enterprise Linux, featuring crucial security patches addressing identified vulnerabilities.
Firefox Update, Red Hat Enterprise, Security Fix, Important Advisory.
Severity: Important. LinuxSecurity.com Team

Jan 13, 2022 Important Red Hat