Red Hat Product Errata RHSA-2018:3005 - Security Advisory

Issued:: 2018-10-24
Updated:: 2018-10-24

RHSA-2018:3005 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security and bug fix update

Type/Severity

Security Advisory: Critical

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.3.0 ESR.

Security Fix(es):

Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 (CVE-2018-12390)
Mozilla: Crash with nested event loops (CVE-2018-12392)
Mozilla: Integer overflow during Unicode conversion while loading JavaScript (CVE-2018-12393)
Mozilla: WebExtension bypass of domain restrictions through header rewriting (CVE-2018-12395)
Mozilla: WebExtension content scripts can execute in disallowed contexts (CVE-2018-12396)
Mozilla: WebExtension local file permission check bypass (CVE-2018-12397)
Mozilla: Memory safety bugs fixed in Firefox ESR 60.3 (CVE-2018-12389)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Bob Owen, Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond Forbes, Bogdan Tara, Nils, r, Rob Wu, Andrew Swan, and Daniel Veditz as the original reporters.

Bug Fix(es):

Previously, passwords saved in the Firefox browser and encrypted by a master password were erased when Firefox was exited. This update ensures that NSS files used to decrypt stored login data are handled correctly. As a result, the affected passwords are no longer lost after restarting Firefox. (BZ#1638082)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.5 x86_64
Red Hat Enterprise Linux Server - AUS 7.7 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le
Red Hat Enterprise Linux Server - TUS 7.7 x86_64
Red Hat Enterprise Linux for ARM 64 7 aarch64
Red Hat Enterprise Linux for Power 9 7 ppc64le
Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64
Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

BZ - 1638082 - After Firefox update saved passwords cleared on startup [7.7] [rhel-7.6.z]
BZ - 1642179 - CVE-2018-12389 Mozilla: Memory safety bugs fixed in Firefox ESR 60.3
BZ - 1642180 - CVE-2018-12390 Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
BZ - 1642182 - CVE-2018-12392 Mozilla: Crash with nested event loops
BZ - 1642183 - CVE-2018-12393 Mozilla: Integer overflow during Unicode conversion while loading JavaScript
BZ - 1642185 - CVE-2018-12395 Mozilla: WebExtension bypass of domain restrictions through header rewriting
BZ - 1642186 - CVE-2018-12396 Mozilla: WebExtension content scripts can execute in disallowed contexts
BZ - 1642187 - CVE-2018-12397 Mozilla: WebExtension local file permission check bypass

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.5

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux Server - AUS 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux Workstation 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux Desktop 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
s390x
firefox-60.3.0-1.el7_5.s390x.rpm	SHA-256: c34382a0ed2e46832cac661831200f3864a0488ec13f3e5a3120625ed0b53f45
firefox-debuginfo-60.3.0-1.el7_5.s390x.rpm	SHA-256: fd473f4522f541f59c6abbfac3459ead143fc55f4f725bf2c596ba9616afb582

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
s390x
firefox-60.3.0-1.el7_5.s390x.rpm	SHA-256: c34382a0ed2e46832cac661831200f3864a0488ec13f3e5a3120625ed0b53f45
firefox-debuginfo-60.3.0-1.el7_5.s390x.rpm	SHA-256: fd473f4522f541f59c6abbfac3459ead143fc55f4f725bf2c596ba9616afb582

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
s390x
firefox-60.3.0-1.el7_5.s390x.rpm	SHA-256: c34382a0ed2e46832cac661831200f3864a0488ec13f3e5a3120625ed0b53f45
firefox-debuginfo-60.3.0-1.el7_5.s390x.rpm	SHA-256: fd473f4522f541f59c6abbfac3459ead143fc55f4f725bf2c596ba9616afb582

Red Hat Enterprise Linux for Power, big endian 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64
firefox-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 8bc102559feccc2c132831519f59826867e9f42af71ee11508a2d1d22b5add24
firefox-debuginfo-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 257667b46ca770c2b652044844c8ff4fe55e0aab0b572124c442f4af05c20755

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64
firefox-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 8bc102559feccc2c132831519f59826867e9f42af71ee11508a2d1d22b5add24
firefox-debuginfo-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 257667b46ca770c2b652044844c8ff4fe55e0aab0b572124c442f4af05c20755

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64
firefox-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 8bc102559feccc2c132831519f59826867e9f42af71ee11508a2d1d22b5add24
firefox-debuginfo-60.3.0-1.el7_5.ppc64.rpm	SHA-256: 257667b46ca770c2b652044844c8ff4fe55e0aab0b572124c442f4af05c20755

Red Hat Enterprise Linux for Power, little endian 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64le
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64le
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64le
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4

Red Hat Enterprise Linux Server - TUS 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux for ARM 64 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
aarch64
firefox-60.3.0-1.el7_5.aarch64.rpm	SHA-256: ce156bfddaed667aaecb78f87e623d2719c5ad510cd07f2d98235cfd149be534
firefox-60.3.0-1.el7_5.aarch64.rpm	SHA-256: ce156bfddaed667aaecb78f87e623d2719c5ad510cd07f2d98235cfd149be534
firefox-debuginfo-60.3.0-1.el7_5.aarch64.rpm	SHA-256: 51ee23c0944c71053ba518b0ff7b52de3424cc5f685aae4feace37e4d69904f7
firefox-debuginfo-60.3.0-1.el7_5.aarch64.rpm	SHA-256: 51ee23c0944c71053ba518b0ff7b52de3424cc5f685aae4feace37e4d69904f7

Red Hat Enterprise Linux for Power 9 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64le
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
ppc64le
firefox-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 715fea36df61bee23a5168b83ea2113e9c86712f366a5d9b9778321a1e4aef13
firefox-debuginfo-60.3.0-1.el7_5.ppc64le.rpm	SHA-256: 7d881614f30dfed89c7680db08af6388c5643cc944a2b82ea83d464a943732a4

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
x86_64
firefox-60.3.0-1.el7_5.i686.rpm	SHA-256: 406fa1528f00f083f2b945d0e1c3adce67d0f1ddabab71d79022bda88daac193
firefox-60.3.0-1.el7_5.x86_64.rpm	SHA-256: ee73b08b63efc197764c0dea9cbc0e570725028fdfc15cdeb92977335b1f16fe
firefox-debuginfo-60.3.0-1.el7_5.i686.rpm	SHA-256: 0f3d7dd6b6089a3179f9d26a8138ad6fd060e09a27056701353e2b4306669caf
firefox-debuginfo-60.3.0-1.el7_5.x86_64.rpm	SHA-256: 23bb4ea145a0874fd66e5b4a34cb935b4c239221d98293476228c8ad36592aa4

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
firefox-60.3.0-1.el7_5.src.rpm	SHA-256: 8d572a39c92b9ae2ec117f51b521fa1fe5a142a7d273acc8669540a3d6995751
s390x
firefox-60.3.0-1.el7_5.s390x.rpm	SHA-256: c34382a0ed2e46832cac661831200f3864a0488ec13f3e5a3120625ed0b53f45
firefox-60.3.0-1.el7_5.s390x.rpm	SHA-256: c34382a0ed2e46832cac661831200f3864a0488ec13f3e5a3120625ed0b53f45
firefox-debuginfo-60.3.0-1.el7_5.s390x.rpm	SHA-256: fd473f4522f541f59c6abbfac3459ead143fc55f4f725bf2c596ba9616afb582
firefox-debuginfo-60.3.0-1.el7_5.s390x.rpm	SHA-256: fd473f4522f541f59c6abbfac3459ead143fc55f4f725bf2c596ba9616afb582

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.