Red Hat Product Errata RHSA-2019:0622 - Security Advisory

Issued:: 2019-03-20
Updated:: 2019-03-20

RHSA-2019:0622 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.6.0 ESR.

Security Fix(es):

Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)
Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)
Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)
Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)
Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)
Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)
Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)
Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
Red Hat Enterprise Linux Server - AUS 7.6 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
Red Hat Enterprise Linux Server - TUS 7.6 x86_64
Red Hat Enterprise Linux for ARM 64 7 aarch64
Red Hat Enterprise Linux for Power 9 7 ppc64le
Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

BZ - 1690673 - CVE-2018-18506 Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied
BZ - 1690674 - CVE-2019-9788 Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6
BZ - 1690675 - CVE-2019-9790 Mozilla: Use-after-free when removing in-use DOM elements
BZ - 1690676 - CVE-2019-9791 Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey
BZ - 1690677 - CVE-2019-9792 Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
BZ - 1690678 - CVE-2019-9793 Mozilla: Improper bounds checks when Spectre mitigations are disabled
BZ - 1690680 - CVE-2019-9795 Mozilla: Type-confusion in IonMonkey JIT compiler
BZ - 1690681 - CVE-2019-9796 Mozilla: Use-after-free with SMIL animation controller

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux Server - AUS 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux Workstation 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux Desktop 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
s390x
firefox-60.6.0-3.el7_6.s390x.rpm	SHA-256: cbc3ae5b4434b9242d9d5d2493def1732b3490a76e84aa46e81b00de2a6ed133
firefox-debuginfo-60.6.0-3.el7_6.s390x.rpm	SHA-256: 1252d120ddf0e67acfe58b6e113050833c1844a7db778c555f0a6c960e24f7d6

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
s390x
firefox-60.6.0-3.el7_6.s390x.rpm	SHA-256: cbc3ae5b4434b9242d9d5d2493def1732b3490a76e84aa46e81b00de2a6ed133
firefox-debuginfo-60.6.0-3.el7_6.s390x.rpm	SHA-256: 1252d120ddf0e67acfe58b6e113050833c1844a7db778c555f0a6c960e24f7d6

Red Hat Enterprise Linux for Power, big endian 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64
firefox-60.6.0-3.el7_6.ppc64.rpm	SHA-256: 0cf0e0b1aa8894d4ebe784f5b5c9811ef35f5ec37333a6589b9b429137aefc6d
firefox-debuginfo-60.6.0-3.el7_6.ppc64.rpm	SHA-256: 2302f45ad7d898af9b21d5054d4d73cf52125de649eebee03e868abd5d632faf

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64
firefox-60.6.0-3.el7_6.ppc64.rpm	SHA-256: 0cf0e0b1aa8894d4ebe784f5b5c9811ef35f5ec37333a6589b9b429137aefc6d
firefox-debuginfo-60.6.0-3.el7_6.ppc64.rpm	SHA-256: 2302f45ad7d898af9b21d5054d4d73cf52125de649eebee03e868abd5d632faf

Red Hat Enterprise Linux for Power, little endian 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64le
firefox-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: 90905be6f547b74a9798520e0325ac1496a453f60b0aacf239b25da42fd713e6
firefox-debuginfo-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: e0c453ff0189daeaa5d2cdfd08a466dba688daf8784ebe7c68d36e8683e8e16e

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64le
firefox-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: 90905be6f547b74a9798520e0325ac1496a453f60b0aacf239b25da42fd713e6
firefox-debuginfo-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: e0c453ff0189daeaa5d2cdfd08a466dba688daf8784ebe7c68d36e8683e8e16e

Red Hat Enterprise Linux Server - TUS 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux for ARM 64 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
aarch64
firefox-60.6.0-3.el7_6.aarch64.rpm	SHA-256: fa85833e29026d52a3427f819c4aecf3b80414805a1886cc0c27e2de3656f7fe
firefox-debuginfo-60.6.0-3.el7_6.aarch64.rpm	SHA-256: 30826096c35c096011ec08a1b0ba107515e06b4050f6fffdec6a1e63742de156

Red Hat Enterprise Linux for Power 9 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64le
firefox-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: 90905be6f547b74a9798520e0325ac1496a453f60b0aacf239b25da42fd713e6
firefox-debuginfo-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: e0c453ff0189daeaa5d2cdfd08a466dba688daf8784ebe7c68d36e8683e8e16e

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
ppc64le
firefox-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: 90905be6f547b74a9798520e0325ac1496a453f60b0aacf239b25da42fd713e6
firefox-debuginfo-60.6.0-3.el7_6.ppc64le.rpm	SHA-256: e0c453ff0189daeaa5d2cdfd08a466dba688daf8784ebe7c68d36e8683e8e16e

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
x86_64
firefox-60.6.0-3.el7_6.i686.rpm	SHA-256: 5d5dadded93d5126563fbb433a9361d29d387af226f8b94b010d01957ebac236
firefox-60.6.0-3.el7_6.x86_64.rpm	SHA-256: 2cae7d897c2b0ed8cd57871de610116bc2dc0cff08d528a04a835d7b5c65f9aa
firefox-debuginfo-60.6.0-3.el7_6.i686.rpm	SHA-256: b81448b6c6cf3b85b15ffbd9557db474b13acd82be85586977d617c41ca38b33
firefox-debuginfo-60.6.0-3.el7_6.x86_64.rpm	SHA-256: e0f4714b7997289457fbd3fe62c63a9e8f3c345ea435fac05b820a1baf9d0930

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
firefox-60.6.0-3.el7_6.src.rpm	SHA-256: 61ea0993166cced5a79757747d556e94c54ac9c136206a96c9ab481fb8afc100
s390x
firefox-60.6.0-3.el7_6.s390x.rpm	SHA-256: cbc3ae5b4434b9242d9d5d2493def1732b3490a76e84aa46e81b00de2a6ed133
firefox-debuginfo-60.6.0-3.el7_6.s390x.rpm	SHA-256: 1252d120ddf0e67acfe58b6e113050833c1844a7db778c555f0a6c960e24f7d6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.