Red Hat Product Errata RHSA-2019:1265 - Security Advisory

Issued:: 2019-05-23
Updated:: 2019-05-23

RHSA-2019:1265 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.7.0 ESR.

Security Fix(es):

Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 (CVE-2019-9800)
Mozilla: Cross-origin theft of images with createImageBitmap (CVE-2019-9797)
Mozilla: Type confusion with object groups and UnboxedObjects (CVE-2019-9816)
Mozilla: Stealing of cross-domain images using canvas (CVE-2019-9817)
Mozilla: Compartment mismatch with fetch API (CVE-2019-9819)
Mozilla: Use-after-free of ChromeEventHandler by DocShell (CVE-2019-9820)
Mozilla: Use-after-free in XMLHttpRequest (CVE-2019-11691)
Mozilla: Use-after-free removing listeners in the event listener manager (CVE-2019-11692)
Mozilla: Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693)
mozilla: Cross-origin theft of images with ImageBitmapRenderingContext (CVE-2018-18511)
chromium-browser: Out of bounds read in Skia (CVE-2019-5798)
Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks (CVE-2019-11698)
libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
Red Hat Enterprise Linux Server - AUS 7.6 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
Red Hat Enterprise Linux Server - TUS 7.6 x86_64
Red Hat Enterprise Linux for ARM 64 7 aarch64
Red Hat Enterprise Linux for Power 9 7 ppc64le
Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

BZ - 1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c
BZ - 1676997 - CVE-2018-18511 mozilla: Cross-origin theft of images with ImageBitmapRenderingContext
BZ - 1688200 - CVE-2019-5798 chromium-browser: Out of bounds read in Skia
BZ - 1712617 - CVE-2019-11691 Mozilla: Use-after-free in XMLHttpRequest
BZ - 1712618 - CVE-2019-11692 Mozilla: Use-after-free removing listeners in the event listener manager
BZ - 1712619 - CVE-2019-11693 Mozilla: Buffer overflow in WebGL bufferdata on Linux
BZ - 1712621 - CVE-2019-11698 Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
BZ - 1712622 - CVE-2019-9797 Mozilla: Cross-origin theft of images with createImageBitmap
BZ - 1712623 - CVE-2019-9800 Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
BZ - 1712625 - CVE-2019-9816 Mozilla: Type confusion with object groups and UnboxedObjects
BZ - 1712626 - CVE-2019-9817 Mozilla: Stealing of cross-domain images using canvas
BZ - 1712628 - CVE-2019-9819 Mozilla: Compartment mismatch with fetch API
BZ - 1712629 - CVE-2019-9820 Mozilla: Use-after-free of ChromeEventHandler by DocShell

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux Server - AUS 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux Workstation 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux Desktop 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
s390x
firefox-60.7.0-1.el7_6.s390x.rpm	SHA-256: b70bc9c96edfbb5ce025b71d254f66ce79c650993fc5fd057cb7b350b461d014
firefox-debuginfo-60.7.0-1.el7_6.s390x.rpm	SHA-256: 16d5ce853456f58f1e7ad8b03387290ce2b221891ec427d84b08fcfa8f8a1279

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
s390x
firefox-60.7.0-1.el7_6.s390x.rpm	SHA-256: b70bc9c96edfbb5ce025b71d254f66ce79c650993fc5fd057cb7b350b461d014
firefox-debuginfo-60.7.0-1.el7_6.s390x.rpm	SHA-256: 16d5ce853456f58f1e7ad8b03387290ce2b221891ec427d84b08fcfa8f8a1279

Red Hat Enterprise Linux for Power, big endian 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64
firefox-60.7.0-1.el7_6.ppc64.rpm	SHA-256: e747f2b7dcf7666a01b663f5ad6fac439f670695394d5740d5fd76293f01d66b
firefox-debuginfo-60.7.0-1.el7_6.ppc64.rpm	SHA-256: 6f92c209d8c0adfeb6a4aefe88b8a1e134c32245578123c0be68721cddd67007

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64
firefox-60.7.0-1.el7_6.ppc64.rpm	SHA-256: e747f2b7dcf7666a01b663f5ad6fac439f670695394d5740d5fd76293f01d66b
firefox-debuginfo-60.7.0-1.el7_6.ppc64.rpm	SHA-256: 6f92c209d8c0adfeb6a4aefe88b8a1e134c32245578123c0be68721cddd67007

Red Hat Enterprise Linux for Power, little endian 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64le
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64le
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594

Red Hat Enterprise Linux Server - TUS 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux for ARM 64 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
aarch64
firefox-60.7.0-1.el7_6.aarch64.rpm	SHA-256: 69450870b200bfd841110ae94af9ad21744955bab5042beb463e8af5b17ffea4
firefox-60.7.0-1.el7_6.aarch64.rpm	SHA-256: 69450870b200bfd841110ae94af9ad21744955bab5042beb463e8af5b17ffea4
firefox-60.7.0-1.el7_6.aarch64.rpm	SHA-256: 69450870b200bfd841110ae94af9ad21744955bab5042beb463e8af5b17ffea4
firefox-debuginfo-60.7.0-1.el7_6.aarch64.rpm	SHA-256: f36882b32b7ee4167b7a89e4ba8a095880719f4a90880477594dd645ffc598ae
firefox-debuginfo-60.7.0-1.el7_6.aarch64.rpm	SHA-256: f36882b32b7ee4167b7a89e4ba8a095880719f4a90880477594dd645ffc598ae
firefox-debuginfo-60.7.0-1.el7_6.aarch64.rpm	SHA-256: f36882b32b7ee4167b7a89e4ba8a095880719f4a90880477594dd645ffc598ae

Red Hat Enterprise Linux for Power 9 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64le
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594

Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
ppc64le
firefox-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: 4f392c51c360b151317b8d6f4f3c0d26706dde76b9f0d8b19b15cf8906d227e9
firefox-debuginfo-60.7.0-1.el7_6.ppc64le.rpm	SHA-256: eeabbc6cf027d246a2ba3e8e90e45f015d3400bcb5a8001d6c6d91d0daf7a594

Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
x86_64
firefox-60.7.0-1.el7_6.i686.rpm	SHA-256: 7eb94469fe5d2fbfdb77c6af38d09e1f520e754064d758e971aa94563a0a0c69
firefox-60.7.0-1.el7_6.x86_64.rpm	SHA-256: bee1bfe8996e5f8635c5602bbcb5127ebd2377c67f27cd66348927020635ff4f
firefox-debuginfo-60.7.0-1.el7_6.i686.rpm	SHA-256: 614e74d2b04c156ebd3abe175ed5caa320bc73f553c2050fdb50f86773f35e0d
firefox-debuginfo-60.7.0-1.el7_6.x86_64.rpm	SHA-256: 4aa407ef5e5eefb0becec4aa9dbcda395a5c70c89be0831d480fd8bb56a54701

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
firefox-60.7.0-1.el7_6.src.rpm	SHA-256: 6b1adeff67e452284bb32cc09b0d23124cc0fabb25c4f2b70b86d0f0d5ec171b
s390x
firefox-60.7.0-1.el7_6.s390x.rpm	SHA-256: b70bc9c96edfbb5ce025b71d254f66ce79c650993fc5fd057cb7b350b461d014
firefox-60.7.0-1.el7_6.s390x.rpm	SHA-256: b70bc9c96edfbb5ce025b71d254f66ce79c650993fc5fd057cb7b350b461d014
firefox-60.7.0-1.el7_6.s390x.rpm	SHA-256: b70bc9c96edfbb5ce025b71d254f66ce79c650993fc5fd057cb7b350b461d014
firefox-debuginfo-60.7.0-1.el7_6.s390x.rpm	SHA-256: 16d5ce853456f58f1e7ad8b03387290ce2b221891ec427d84b08fcfa8f8a1279
firefox-debuginfo-60.7.0-1.el7_6.s390x.rpm	SHA-256: 16d5ce853456f58f1e7ad8b03387290ce2b221891ec427d84b08fcfa8f8a1279
firefox-debuginfo-60.7.0-1.el7_6.s390x.rpm	SHA-256: 16d5ce853456f58f1e7ad8b03387290ce2b221891ec427d84b08fcfa8f8a1279

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.