Issued:
2021-11-10
Updated:
2021-11-10

RHSA-2021:4605 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.3.0 ESR.

Security Fix(es):

  • Mozilla: Use-after-free in HTTP2 Session object
  • Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
  • Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503)
  • Mozilla: Use-after-free in file picker dialog (CVE-2021-38504)
  • Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506)
  • Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38507)
  • Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing (CVE-2021-38508)
  • Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain (CVE-2021-38509)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2 x86_64

Fixes

  • BZ - 2019621 - CVE-2021-38503 Mozilla: iframe sandbox rules did not apply to XSLT stylesheets
  • BZ - 2019622 - CVE-2021-38504 Mozilla: Use-after-free in file picker dialog
  • BZ - 2019624 - CVE-2021-38506 Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning
  • BZ - 2019625 - CVE-2021-38507 Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
  • BZ - 2019626 - Mozilla: Use-after-free in HTTP2 Session object
  • BZ - 2019627 - CVE-2021-38508 Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
  • BZ - 2019628 - CVE-2021-38509 Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain
  • BZ - 2019630 - Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
x86_64
firefox-91.3.0-1.el8_2.x86_64.rpm SHA-256: b3ba8bbe552658baea1a13ccbb6a5023b5e540987b87b37643b9dad5b8936373
firefox-debuginfo-91.3.0-1.el8_2.x86_64.rpm SHA-256: b9264cbe8a12c66c9aa2216f9dea1c95d49f6d655c7699d4afe57373375b3991
firefox-debugsource-91.3.0-1.el8_2.x86_64.rpm SHA-256: a577d25cc56fbe0db29da538a4785eec757243f8ce69f91777087b71e586b44f

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
x86_64
firefox-91.3.0-1.el8_2.x86_64.rpm SHA-256: b3ba8bbe552658baea1a13ccbb6a5023b5e540987b87b37643b9dad5b8936373
firefox-debuginfo-91.3.0-1.el8_2.x86_64.rpm SHA-256: b9264cbe8a12c66c9aa2216f9dea1c95d49f6d655c7699d4afe57373375b3991
firefox-debugsource-91.3.0-1.el8_2.x86_64.rpm SHA-256: a577d25cc56fbe0db29da538a4785eec757243f8ce69f91777087b71e586b44f

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
s390x
firefox-91.3.0-1.el8_2.s390x.rpm SHA-256: 7cf41e982a30c9d41968928a4b8da122ab292eebedadc132e096e48c1f6c866a
firefox-debuginfo-91.3.0-1.el8_2.s390x.rpm SHA-256: bf6c5b875bfb934d7ccc67d66e18729a2223681a61857855e6b38f1f5ecd001c
firefox-debugsource-91.3.0-1.el8_2.s390x.rpm SHA-256: 58c7abcbbcc3b76efe060aacc829b8442a88e3d4cfc2372fc500baa15c54fb11

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
ppc64le
firefox-91.3.0-1.el8_2.ppc64le.rpm SHA-256: a23c5af57fd8097e5472670c1a3e17a6679461d0c514ecd237925c989c0d4299
firefox-debuginfo-91.3.0-1.el8_2.ppc64le.rpm SHA-256: 8a9ccc7643498f2885b5352fde3565841317fda62c088513efb3b57ee2e583b9
firefox-debugsource-91.3.0-1.el8_2.ppc64le.rpm SHA-256: b7e348c5daf2a52fd8ed87e64e02b8ae358ed564c63d8aff72c225db617060e1

Red Hat Enterprise Linux Server - TUS 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
x86_64
firefox-91.3.0-1.el8_2.x86_64.rpm SHA-256: b3ba8bbe552658baea1a13ccbb6a5023b5e540987b87b37643b9dad5b8936373
firefox-debuginfo-91.3.0-1.el8_2.x86_64.rpm SHA-256: b9264cbe8a12c66c9aa2216f9dea1c95d49f6d655c7699d4afe57373375b3991
firefox-debugsource-91.3.0-1.el8_2.x86_64.rpm SHA-256: a577d25cc56fbe0db29da538a4785eec757243f8ce69f91777087b71e586b44f

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
aarch64
firefox-91.3.0-1.el8_2.aarch64.rpm SHA-256: a8b33a26939a5fb88da6075cb055ca8427f605d5d0f97553643ea92a63fc820d
firefox-debuginfo-91.3.0-1.el8_2.aarch64.rpm SHA-256: 5257cd5c6988009cea3d72a20f59fc4720b415ef034e0f3b5e3da047a0f14097
firefox-debugsource-91.3.0-1.el8_2.aarch64.rpm SHA-256: 075a73ab766cae4fdb26df594a195b60dfcd7c8b61ee56cb5744d1055cffdf34

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
ppc64le
firefox-91.3.0-1.el8_2.ppc64le.rpm SHA-256: a23c5af57fd8097e5472670c1a3e17a6679461d0c514ecd237925c989c0d4299
firefox-debuginfo-91.3.0-1.el8_2.ppc64le.rpm SHA-256: 8a9ccc7643498f2885b5352fde3565841317fda62c088513efb3b57ee2e583b9
firefox-debugsource-91.3.0-1.el8_2.ppc64le.rpm SHA-256: b7e348c5daf2a52fd8ed87e64e02b8ae358ed564c63d8aff72c225db617060e1

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2

SRPM
firefox-91.3.0-1.el8_2.src.rpm SHA-256: 7111c4e0d1ddc4231bd5ff86bc4ac8ed84d7890269f61be7f9fdab9b6198bfdb
x86_64
firefox-91.3.0-1.el8_2.x86_64.rpm SHA-256: b3ba8bbe552658baea1a13ccbb6a5023b5e540987b87b37643b9dad5b8936373
firefox-debuginfo-91.3.0-1.el8_2.x86_64.rpm SHA-256: b9264cbe8a12c66c9aa2216f9dea1c95d49f6d655c7699d4afe57373375b3991
firefox-debugsource-91.3.0-1.el8_2.x86_64.rpm SHA-256: a577d25cc56fbe0db29da538a4785eec757243f8ce69f91777087b71e586b44f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.