9.3 - RHSA-2019:2729

Problem Description:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.9.0 ESR.

Security Fix(es):

* Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812)

* Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740)

* Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742)

* Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744)

* Mozilla: Use-after-free while manipulating video (CVE-2019-11746)

* Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752)

* firefox: stored passwords in 'Saved Logins' can be copied without master password entry (CVE-2019-11733)

* Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1745687 - CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry 1748652 - CVE-2019-11740 Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 1748653 - CVE-2019-11742 Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images 1748654 - CVE-2019-11743 Mozilla: Cross-origin access to unload event attributes 1748655 - CVE-2019-11744 Mozilla: XSS by breaking out of title and textarea elements using innerHTML 1748656 - CVE-2019-11746 Mozilla: Use-after-free while manipulating video 1748657 - CVE-2019-11752 Mozilla: Use-after-free while extracting a key value in IndexedDB 1748660 - CVE-2019-9812 Mozilla: Sandbox escape through Firefox Sync