9.3 - RHSA-2019:2663

Problem Description:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 68.1.0 ESR.

Security Fix(es):

* Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812)

* Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 (CVE-2019-11735)

* Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740)

* Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742)

* Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744)

* Mozilla: Use-after-free while manipulating video (CVE-2019-11746)

* Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752)

* Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743)

* Mozilla: Persistence of WebRTC permissions in a third party context (CVE-2019-11748)

* Mozilla: Camera information available without prompting using getUserMedia (CVE-2019-11749)

* Mozilla: Type confusion in Spidermonkey (CVE-2019-11750)

* Mozilla: Content security policy bypass through hash-based sources in directives (CVE-2019-11738)

* Mozilla: 'Forget about this site' removes sites from pre-loaded HSTS list (CVE-2019-11747)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1748652 - CVE-2019-11740 Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 1748653 - CVE-2019-11742 Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images 1748654 - CVE-2019-11743 Mozilla: Cross-origin access to unload event attributes 1748655 - CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML 1748656 - CVE-2019-11746 Mozilla: Use-after-free while manipulating video 1748657 - CVE-2019-11752 Mozilla: Use-after-free while extracting a key value in IndexedDB 1748660 - CVE-2019-9812 Mozilla: Sandbox escape through Firefox Sync 1748661 - CVE-2019-11735 Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 1748663 - CVE-2019-11738 Mozilla: Content security policy bypass through hash-based sources in directives 1748664 - CVE-2019-11747 Mozilla: 'Forget about this site' removes sites from pre-loaded HSTS list 1748665 - CVE-2019-11748 Mozilla: Persistence of WebRTC permissions in a third party context 1748666 - CVE-2019-11749 Mozilla: Camera information available without prompting using getUserMedia 1748667 - CVE-2019-11750 Mozilla: Type confusion in Spidermonkey