Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.68. firefox

Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2013-0775, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2013-0776
It was found that, after canceling a proxy server's authentication prompt, the address bar continued to show the requested site's address. An attacker could use this flaw to conduct phishing attacks by tricking a user into believing they are viewing a trusted site.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Nils, Abhishek Arya, Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight, Joe Drew, Wayne Mery, and Michal Zalewski as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 17.0.3 ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Note that due to a Kerberos credentials change, the following configuration steps may be required when using Firefox 17.0.3 ESR with the Enterprise Identity Management (IPA) web interface:
https://access.redhat.com/site/solutions/294303

Important

Firefox 17 is not completely backwards-compatible with all Mozilla add-ons and Firefox plug-ins that worked with Firefox 10.0. Firefox 17 checks compatibility on first-launch, and, depending on the individual configuration and the installed add-ons and plug-ins, may disable said Add-ons and plug-ins, or attempt to check for updates and upgrade them. Add-ons and plug-ins may have to be manually updated.
All Firefox users should upgrade to these updated packages, which contain Firefox version 17.0.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-1959
A malicious web page could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges.
CVE-2012-1966
A flaw in the context menu functionality in Firefox could allow a malicious website to bypass intended restrictions and allow a cross-site scripting attack.
CVE-2012-1950
A page different to that in the address bar could be displayed when dragging and dropping to the address bar, possibly making it easier for a malicious site or user to perform a phishing attack.
CVE-2012-1955
A flaw in the way Firefox called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.
CVE-2012-1957
A flaw in a parser utility class used by Firefox to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Firefox. This issue could have affected other browser components or add-ons that assume the class returns sanitized input.
CVE-2012-1961
A flaw in the way Firefox handled X-Frame-Options headers could allow a malicious website to perform a clickjacking attack.
CVE-2012-1963
A flaw in the way Content Security Policy (CSP) reports were generated by Firefox could allow a malicious web page to steal a victim's OAuth 2.0 access tokens and OpenID credentials.
CVE-2012-1964
A flaw in the way Firefox handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted.
CVE-2012-1965
A flaw in the way Firefox handled feed:javascript URLs could allow output filtering to be bypassed, possibly leading to a cross-site scripting attack.
The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6 introduced a mitigation for the CVE-2011-3389 flaw. For compatibility reasons, it remains disabled by default in the nss packages. This update makes Firefox enable the mitigation by default. It can be disabled by setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before launching Firefox. (BZ#838879)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.6 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby Holley, Code Audit Labs, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan Bhargavan, Matt McCutchen, Mario Gomes, and Soroush Dalili as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.6 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3969, CVE-2012-3970
A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3967, CVE-2012-3968
Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3966
A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3980
A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3972
An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash.
CVE-2012-3976
It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site.
CVE-2012-3978
A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.7 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Jesse Ruderman, John Schoenick, Vladimir Vukicevic, Daniel Holbert, Abhishek Arya, Frédéric Hoguin, miaubiz, Arthur Gerkis, Nicolas Grégoire, Mark Poticha, moz_bug_r_a4, and Colby Russell as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.7 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fix

CVE-2012-4194, CVE-2012-4195, CVE-2012-4196
Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.10 ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine Delignat-Lavaud as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.10 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2013-0744, CVE-2013-0746, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2013-0758
A flaw was found in the way Chrome Object Wrappers were implemented. Malicious content could be used to cause Firefox to execute arbitrary code via plug-ins installed in Firefox.
CVE-2013-0759
A flaw in the way Firefox displayed URL values in the address bar could allow a malicious site or user to perform a phishing attack.
CVE-2013-0748
An information disclosure flaw was found in the way certain JavaScript functions were implemented in Firefox. An attacker could use this flaw to bypass Address Space Layout Randomization (ASLR) and other security restrictions.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.12 ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Atte Kettunen, Boris Zbarsky, pa_kt, regenrecht, Abhishek Arya, Christoph Diehl, Christian Holler, Mats Palmgren, Chiaki Ishikawa, Mariusz Mlynski, Masato Kinugawa, and Jesse Ruderman as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.12 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3986, CVE-2012-3991
Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.
CVE-2012-1956, CVE-2012-3992, CVE-2012-3994
Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks.
CVE-2012-3993, CVE-2012-4184
Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.8 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili, miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White, moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these issues.

Bug Fix

BZ#809571, BZ#816234
In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue.
If you experience this issue:
  1. Start Firefox.
  2. Type "about:config" (without quotes) into the URL bar and press the Enter key.
  3. If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button.
  4. Right-click in the Preference Name list. In the menu that opens, select New -> Boolean.
  5. Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.
  6. Select "true" for the boolean value and then press the OK button.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.8 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-4202
A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-4210
A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges.
CVE-2012-4207
A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
CVE-2012-4209
A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins.
CVE-2012-5841
A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks.
CVE-2012-4201
A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.11 ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, miaubiz, Jesse Ruderman, Andrew McCreight, Bob Clary, Kyle Huey, Atte Kettunen, Mariusz Mlynski, Masato Kinugawa, Bobby Holley, and moz_bug_r_a4 as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.11 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.