Red Hat Product Errata RHSA-2022:5474 - Security Advisory
Issued:
2022-06-30
Updated:
2022-06-30

RHSA-2022:5474 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.11 ESR.

Security Fix(es):

  • Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (CVE-2022-34468)
  • Mozilla: Use-after-free in nsSHistory (CVE-2022-34470)
  • Mozilla: A popup window could be resized in a way to overlay the address bar with web content (CVE-2022-34479)
  • Mozilla: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (CVE-2022-34484)
  • Mozilla: Undesired attributes could be set as part of prototype pollution (CVE-2022-2200)
  • Mozilla: CSP bypass enabling stylesheet injection (CVE-2022-31744)
  • Mozilla: Unavailable PAC file resulted in OCSP requests being blocked (CVE-2022-34472)
  • Mozilla: Potential integer overflow in ReplaceElementsAt (CVE-2022-34481)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2 x86_64

Fixes

  • BZ - 2102161 - CVE-2022-34479 Mozilla: A popup window could be resized in a way to overlay the address bar with web content
  • BZ - 2102162 - CVE-2022-34470 Mozilla: Use-after-free in nsSHistory
  • BZ - 2102163 - CVE-2022-34468 Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
  • BZ - 2102164 - CVE-2022-34481 Mozilla: Potential integer overflow in ReplaceElementsAt
  • BZ - 2102165 - CVE-2022-31744 Mozilla: CSP bypass enabling stylesheet injection
  • BZ - 2102166 - CVE-2022-34472 Mozilla: Unavailable PAC file resulted in OCSP requests being blocked
  • BZ - 2102168 - CVE-2022-2200 Mozilla: Undesired attributes could be set as part of prototype pollution
  • BZ - 2102169 - CVE-2022-34484 Mozilla: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
x86_64
firefox-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8982676f34889534ee677643c8da7842ff4853a2606df0119a549a0e69cd6bca
firefox-debuginfo-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8fd09d1fa666816dc3d1f586aaf4c9084d8114246d7201859116575423be4925
firefox-debugsource-91.11.0-2.el8_2.x86_64.rpm SHA-256: 6a4abd922b8e811671bc2ce8518d8e26c3e497c173e45f634d2dc36757b632f7

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
x86_64
firefox-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8982676f34889534ee677643c8da7842ff4853a2606df0119a549a0e69cd6bca
firefox-debuginfo-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8fd09d1fa666816dc3d1f586aaf4c9084d8114246d7201859116575423be4925
firefox-debugsource-91.11.0-2.el8_2.x86_64.rpm SHA-256: 6a4abd922b8e811671bc2ce8518d8e26c3e497c173e45f634d2dc36757b632f7

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
s390x
firefox-91.11.0-2.el8_2.s390x.rpm SHA-256: a5c3ebf82830471673c02bda1496c2a5badc1daa94bd2abae052840ef1f5cf51
firefox-debuginfo-91.11.0-2.el8_2.s390x.rpm SHA-256: 066550ecb936e139945544bc989990361e9a8a17a750ce04683448aa24f4cd69
firefox-debugsource-91.11.0-2.el8_2.s390x.rpm SHA-256: b29a5382025665aab20693f7dd1c8f6fdc07b9001de6fbaa3f6a8f0cf2b97f26

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
ppc64le
firefox-91.11.0-2.el8_2.ppc64le.rpm SHA-256: 812619fa1c5180f33e68934741c3b3f1dec1165ecddada3faa3cc5f7ff161419
firefox-debuginfo-91.11.0-2.el8_2.ppc64le.rpm SHA-256: 7fd5c0225b4396d207fc5f3ce9b56ac4f2fa7094d2fd0c921ad8dcbb3a24e7f3
firefox-debugsource-91.11.0-2.el8_2.ppc64le.rpm SHA-256: a9e9aa4dece2fe6e4633b65aade456038c2af0cfc92a80046537bf7bb1b4ae83

Red Hat Enterprise Linux Server - TUS 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
x86_64
firefox-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8982676f34889534ee677643c8da7842ff4853a2606df0119a549a0e69cd6bca
firefox-debuginfo-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8fd09d1fa666816dc3d1f586aaf4c9084d8114246d7201859116575423be4925
firefox-debugsource-91.11.0-2.el8_2.x86_64.rpm SHA-256: 6a4abd922b8e811671bc2ce8518d8e26c3e497c173e45f634d2dc36757b632f7

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
aarch64
firefox-91.11.0-2.el8_2.aarch64.rpm SHA-256: 5b7e188d66e0f11f973d21653f2f685e2e9a3033fa9ee12e8053bc955ae7e624
firefox-debuginfo-91.11.0-2.el8_2.aarch64.rpm SHA-256: f2b4db50c8cabecfcc39dc0b35f68ea3698b92a0540731d8cfd59766a0eff07b
firefox-debugsource-91.11.0-2.el8_2.aarch64.rpm SHA-256: daa62f39ff31d1bbf3c0b8833f75e4b166a0ff341020c1f11a29741fa6b47430

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
ppc64le
firefox-91.11.0-2.el8_2.ppc64le.rpm SHA-256: 812619fa1c5180f33e68934741c3b3f1dec1165ecddada3faa3cc5f7ff161419
firefox-debuginfo-91.11.0-2.el8_2.ppc64le.rpm SHA-256: 7fd5c0225b4396d207fc5f3ce9b56ac4f2fa7094d2fd0c921ad8dcbb3a24e7f3
firefox-debugsource-91.11.0-2.el8_2.ppc64le.rpm SHA-256: a9e9aa4dece2fe6e4633b65aade456038c2af0cfc92a80046537bf7bb1b4ae83

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2

SRPM
firefox-91.11.0-2.el8_2.src.rpm SHA-256: ac25ffc359a7219da1875783397806d507475f43f0c972b333ce53428d3c3ed4
x86_64
firefox-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8982676f34889534ee677643c8da7842ff4853a2606df0119a549a0e69cd6bca
firefox-debuginfo-91.11.0-2.el8_2.x86_64.rpm SHA-256: 8fd09d1fa666816dc3d1f586aaf4c9084d8114246d7201859116575423be4925
firefox-debugsource-91.11.0-2.el8_2.x86_64.rpm SHA-256: 6a4abd922b8e811671bc2ce8518d8e26c3e497c173e45f634d2dc36757b632f7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.