Issued:
2021-11-03
Updated:
2021-11-03

RHSA-2021:4123 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.3.0 ESR.

Security Fix(es):

  • Mozilla: Use-after-free in HTTP2 Session object
  • Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
  • Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503)
  • Mozilla: Use-after-free in file picker dialog (CVE-2021-38504)
  • Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506)
  • Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38507)
  • Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing (CVE-2021-38508)
  • Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain (CVE-2021-38509)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.4 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux Server - TUS 8.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64

Fixes

  • BZ - 2019621 - CVE-2021-38503 Mozilla: iframe sandbox rules did not apply to XSLT stylesheets
  • BZ - 2019622 - CVE-2021-38504 Mozilla: Use-after-free in file picker dialog
  • BZ - 2019624 - CVE-2021-38506 Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning
  • BZ - 2019625 - CVE-2021-38507 Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
  • BZ - 2019626 - Mozilla: Use-after-free in HTTP2 Session object
  • BZ - 2019627 - CVE-2021-38508 Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
  • BZ - 2019628 - CVE-2021-38509 Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain
  • BZ - 2019630 - Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3

Red Hat Enterprise Linux for x86_64 8

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux Server - AUS 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux Server - AUS 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
s390x
firefox-91.3.0-1.el8_4.s390x.rpm SHA-256: cff374ad0b4b6d67935bdb42c76e48360adaaa25f8a1a59fb49030bb24f69c83
firefox-debuginfo-91.3.0-1.el8_4.s390x.rpm SHA-256: 33e243fa221133e5d37bda66cbb6ab24ce2b7f4c485aad62234e502f2636274b
firefox-debugsource-91.3.0-1.el8_4.s390x.rpm SHA-256: 2479c2f87db4643ba5c82b7dbe2ed2a3f8d8dfd71af9d5c5595a418f4efe55d2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
s390x
firefox-91.3.0-1.el8_4.s390x.rpm SHA-256: cff374ad0b4b6d67935bdb42c76e48360adaaa25f8a1a59fb49030bb24f69c83
firefox-debuginfo-91.3.0-1.el8_4.s390x.rpm SHA-256: 33e243fa221133e5d37bda66cbb6ab24ce2b7f4c485aad62234e502f2636274b
firefox-debugsource-91.3.0-1.el8_4.s390x.rpm SHA-256: 2479c2f87db4643ba5c82b7dbe2ed2a3f8d8dfd71af9d5c5595a418f4efe55d2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
s390x
firefox-91.3.0-1.el8_4.s390x.rpm SHA-256: cff374ad0b4b6d67935bdb42c76e48360adaaa25f8a1a59fb49030bb24f69c83
firefox-debuginfo-91.3.0-1.el8_4.s390x.rpm SHA-256: 33e243fa221133e5d37bda66cbb6ab24ce2b7f4c485aad62234e502f2636274b
firefox-debugsource-91.3.0-1.el8_4.s390x.rpm SHA-256: 2479c2f87db4643ba5c82b7dbe2ed2a3f8d8dfd71af9d5c5595a418f4efe55d2

Red Hat Enterprise Linux for Power, little endian 8

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
ppc64le
firefox-91.3.0-1.el8_4.ppc64le.rpm SHA-256: dfd8e6ca3ce658deeeab76e2e66e48bbafa527ad71aeeb691d8398ae0e0576a6
firefox-debuginfo-91.3.0-1.el8_4.ppc64le.rpm SHA-256: c6d576ade846b3e441e2f739dba7b6559f68ae3b06eadfea28c4513db23a21d4
firefox-debugsource-91.3.0-1.el8_4.ppc64le.rpm SHA-256: bcdc0be33547c238bf8af41393a8724299f17f9243503b964bfc44a3e5bd48ed

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
ppc64le
firefox-91.3.0-1.el8_4.ppc64le.rpm SHA-256: dfd8e6ca3ce658deeeab76e2e66e48bbafa527ad71aeeb691d8398ae0e0576a6
firefox-debuginfo-91.3.0-1.el8_4.ppc64le.rpm SHA-256: c6d576ade846b3e441e2f739dba7b6559f68ae3b06eadfea28c4513db23a21d4
firefox-debugsource-91.3.0-1.el8_4.ppc64le.rpm SHA-256: bcdc0be33547c238bf8af41393a8724299f17f9243503b964bfc44a3e5bd48ed

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
ppc64le
firefox-91.3.0-1.el8_4.ppc64le.rpm SHA-256: dfd8e6ca3ce658deeeab76e2e66e48bbafa527ad71aeeb691d8398ae0e0576a6
firefox-debuginfo-91.3.0-1.el8_4.ppc64le.rpm SHA-256: c6d576ade846b3e441e2f739dba7b6559f68ae3b06eadfea28c4513db23a21d4
firefox-debugsource-91.3.0-1.el8_4.ppc64le.rpm SHA-256: bcdc0be33547c238bf8af41393a8724299f17f9243503b964bfc44a3e5bd48ed

Red Hat Enterprise Linux Server - TUS 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux Server - TUS 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux for ARM 64 8

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
aarch64
firefox-91.3.0-1.el8_4.aarch64.rpm SHA-256: 4ff722e838bd8233e3eefdea7de69f7fd723d8e442cfe7262e42814436b96365
firefox-debuginfo-91.3.0-1.el8_4.aarch64.rpm SHA-256: 72bee0e5619e0258e5ca0f09d6af904da93bb70b72efd198ce2d58271e8e71f9
firefox-debugsource-91.3.0-1.el8_4.aarch64.rpm SHA-256: 935882de3c2038700f6fc8a13a4ca5228594997d6739809022a957b32be602c5

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
aarch64
firefox-91.3.0-1.el8_4.aarch64.rpm SHA-256: 4ff722e838bd8233e3eefdea7de69f7fd723d8e442cfe7262e42814436b96365
firefox-debuginfo-91.3.0-1.el8_4.aarch64.rpm SHA-256: 72bee0e5619e0258e5ca0f09d6af904da93bb70b72efd198ce2d58271e8e71f9
firefox-debugsource-91.3.0-1.el8_4.aarch64.rpm SHA-256: 935882de3c2038700f6fc8a13a4ca5228594997d6739809022a957b32be602c5

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
aarch64
firefox-91.3.0-1.el8_4.aarch64.rpm SHA-256: 4ff722e838bd8233e3eefdea7de69f7fd723d8e442cfe7262e42814436b96365
firefox-debuginfo-91.3.0-1.el8_4.aarch64.rpm SHA-256: 72bee0e5619e0258e5ca0f09d6af904da93bb70b72efd198ce2d58271e8e71f9
firefox-debugsource-91.3.0-1.el8_4.aarch64.rpm SHA-256: 935882de3c2038700f6fc8a13a4ca5228594997d6739809022a957b32be602c5

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
ppc64le
firefox-91.3.0-1.el8_4.ppc64le.rpm SHA-256: dfd8e6ca3ce658deeeab76e2e66e48bbafa527ad71aeeb691d8398ae0e0576a6
firefox-debuginfo-91.3.0-1.el8_4.ppc64le.rpm SHA-256: c6d576ade846b3e441e2f739dba7b6559f68ae3b06eadfea28c4513db23a21d4
firefox-debugsource-91.3.0-1.el8_4.ppc64le.rpm SHA-256: bcdc0be33547c238bf8af41393a8724299f17f9243503b964bfc44a3e5bd48ed

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
ppc64le
firefox-91.3.0-1.el8_4.ppc64le.rpm SHA-256: dfd8e6ca3ce658deeeab76e2e66e48bbafa527ad71aeeb691d8398ae0e0576a6
firefox-debuginfo-91.3.0-1.el8_4.ppc64le.rpm SHA-256: c6d576ade846b3e441e2f739dba7b6559f68ae3b06eadfea28c4513db23a21d4
firefox-debugsource-91.3.0-1.el8_4.ppc64le.rpm SHA-256: bcdc0be33547c238bf8af41393a8724299f17f9243503b964bfc44a3e5bd48ed

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4

SRPM
firefox-91.3.0-1.el8_4.src.rpm SHA-256: 775b7b15f695817e4821bfad670c992022e95c9766be8c90dd1b1feca8ddcafb
x86_64
firefox-91.3.0-1.el8_4.x86_64.rpm SHA-256: c2cdffb87d612635aac1ae595f603139d93ca2c251f4d32cb4462797f3645baa
firefox-debuginfo-91.3.0-1.el8_4.x86_64.rpm SHA-256: cfa1ba14807e811fc44e02050c92148375ea0454b9227ad2ae4ccdd12bc3f719
firefox-debugsource-91.3.0-1.el8_4.x86_64.rpm SHA-256: f54c3eea62043aee2a0f50aabf895c7f0cd53efff0296a3e7236d1623d8fadcd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.