Red Hat Product Errata RHSA-2022:8580 - Security Advisory
Issued:
2022-11-22
Updated:
2022-11-22

RHSA-2022:8580 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

  • Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403)
  • Mozilla: Fullscreen notification bypass (CVE-2022-45404)
  • Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)
  • Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)
  • Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)
  • Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)
  • Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421)
  • Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410)
  • Mozilla: Cross-Site Tracing was possible via non-standard override headers (CVE-2022-45411)
  • Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412)
  • Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)
  • Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418)
  • Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files
  • BZ - 2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass
  • BZ - 2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation
  • BZ - 2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm
  • BZ - 2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName
  • BZ - 2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection
  • BZ - 2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
  • BZ - 2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers
  • BZ - 2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers
  • BZ - 2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage
  • BZ - 2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI
  • BZ - 2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe
  • BZ - 2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

Red Hat Enterprise Linux for x86_64 9

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
x86_64
firefox-102.5.0-1.el9_1.x86_64.rpm SHA-256: 52e42b89c5833a1e95a270c21d182d539a3ff375d65e72e5e4e6294e385d6ac8
firefox-debuginfo-102.5.0-1.el9_1.x86_64.rpm SHA-256: cedf24f451b65843e0c84ca1d6cbfeaed2cfc0aa8ff81b6138cecd7ae4c74a7e
firefox-debugsource-102.5.0-1.el9_1.x86_64.rpm SHA-256: f25a1ef8a4e8f09f761a264eebb46c49b47671a43ba9de7e80fa2f674ffbfeeb

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
x86_64
firefox-102.5.0-1.el9_1.x86_64.rpm SHA-256: 52e42b89c5833a1e95a270c21d182d539a3ff375d65e72e5e4e6294e385d6ac8
firefox-debuginfo-102.5.0-1.el9_1.x86_64.rpm SHA-256: cedf24f451b65843e0c84ca1d6cbfeaed2cfc0aa8ff81b6138cecd7ae4c74a7e
firefox-debugsource-102.5.0-1.el9_1.x86_64.rpm SHA-256: f25a1ef8a4e8f09f761a264eebb46c49b47671a43ba9de7e80fa2f674ffbfeeb

Red Hat Enterprise Linux Server - AUS 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
x86_64
firefox-102.5.0-1.el9_1.x86_64.rpm SHA-256: 52e42b89c5833a1e95a270c21d182d539a3ff375d65e72e5e4e6294e385d6ac8
firefox-debuginfo-102.5.0-1.el9_1.x86_64.rpm SHA-256: cedf24f451b65843e0c84ca1d6cbfeaed2cfc0aa8ff81b6138cecd7ae4c74a7e
firefox-debugsource-102.5.0-1.el9_1.x86_64.rpm SHA-256: f25a1ef8a4e8f09f761a264eebb46c49b47671a43ba9de7e80fa2f674ffbfeeb

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
s390x
firefox-102.5.0-1.el9_1.s390x.rpm SHA-256: 58fdb9dc6b91839d748e3c0ebf3ba735f839d09aba33b5635c22741af47cb97f
firefox-debuginfo-102.5.0-1.el9_1.s390x.rpm SHA-256: d968cb54f35b2badd2760130b8b80ec05d466a4919e1dbc384d04c1d0b71bcad
firefox-debugsource-102.5.0-1.el9_1.s390x.rpm SHA-256: a9537613ce696b06e6e45e24f32a4770c2f1ee50933a72bda1bae538708a0e6d

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
s390x
firefox-102.5.0-1.el9_1.s390x.rpm SHA-256: 58fdb9dc6b91839d748e3c0ebf3ba735f839d09aba33b5635c22741af47cb97f
firefox-debuginfo-102.5.0-1.el9_1.s390x.rpm SHA-256: d968cb54f35b2badd2760130b8b80ec05d466a4919e1dbc384d04c1d0b71bcad
firefox-debugsource-102.5.0-1.el9_1.s390x.rpm SHA-256: a9537613ce696b06e6e45e24f32a4770c2f1ee50933a72bda1bae538708a0e6d

Red Hat Enterprise Linux for Power, little endian 9

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
ppc64le
firefox-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 4bc7e65c3fa822f2b739e0b3bd79765999882b0f5e2d584063b2fe517e3e40b6
firefox-debuginfo-102.5.0-1.el9_1.ppc64le.rpm SHA-256: b5c61e0a8e566af7a068a16b9dbc21a2521e045cc8aa4f00e633a807d47376e6
firefox-debugsource-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 5927f54be55737a32aa972e3fdc2306dbe2b8f7b1bfc879bb08fbe949b3554b5

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
ppc64le
firefox-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 4bc7e65c3fa822f2b739e0b3bd79765999882b0f5e2d584063b2fe517e3e40b6
firefox-debuginfo-102.5.0-1.el9_1.ppc64le.rpm SHA-256: b5c61e0a8e566af7a068a16b9dbc21a2521e045cc8aa4f00e633a807d47376e6
firefox-debugsource-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 5927f54be55737a32aa972e3fdc2306dbe2b8f7b1bfc879bb08fbe949b3554b5

Red Hat Enterprise Linux for ARM 64 9

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
aarch64
firefox-102.5.0-1.el9_1.aarch64.rpm SHA-256: 7980945ce3ec6a2a5617d324ba454ebacfec1cf8a566457d8e70c4e850c4898e
firefox-debuginfo-102.5.0-1.el9_1.aarch64.rpm SHA-256: 0977b2a6fc5c07c71bc880deeeb7c45c605b1f99cbe9bd8e2d92c03105679037
firefox-debugsource-102.5.0-1.el9_1.aarch64.rpm SHA-256: 03df9a8d159aaf5573ac9dab3be99bd9ef74b0d0e63974cae00fac719ea1603f

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
aarch64
firefox-102.5.0-1.el9_1.aarch64.rpm SHA-256: 7980945ce3ec6a2a5617d324ba454ebacfec1cf8a566457d8e70c4e850c4898e
firefox-debuginfo-102.5.0-1.el9_1.aarch64.rpm SHA-256: 0977b2a6fc5c07c71bc880deeeb7c45c605b1f99cbe9bd8e2d92c03105679037
firefox-debugsource-102.5.0-1.el9_1.aarch64.rpm SHA-256: 03df9a8d159aaf5573ac9dab3be99bd9ef74b0d0e63974cae00fac719ea1603f

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
ppc64le
firefox-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 4bc7e65c3fa822f2b739e0b3bd79765999882b0f5e2d584063b2fe517e3e40b6
firefox-debuginfo-102.5.0-1.el9_1.ppc64le.rpm SHA-256: b5c61e0a8e566af7a068a16b9dbc21a2521e045cc8aa4f00e633a807d47376e6
firefox-debugsource-102.5.0-1.el9_1.ppc64le.rpm SHA-256: 5927f54be55737a32aa972e3fdc2306dbe2b8f7b1bfc879bb08fbe949b3554b5

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
x86_64
firefox-102.5.0-1.el9_1.x86_64.rpm SHA-256: 52e42b89c5833a1e95a270c21d182d539a3ff375d65e72e5e4e6294e385d6ac8
firefox-debuginfo-102.5.0-1.el9_1.x86_64.rpm SHA-256: cedf24f451b65843e0c84ca1d6cbfeaed2cfc0aa8ff81b6138cecd7ae4c74a7e
firefox-debugsource-102.5.0-1.el9_1.x86_64.rpm SHA-256: f25a1ef8a4e8f09f761a264eebb46c49b47671a43ba9de7e80fa2f674ffbfeeb

Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
aarch64
firefox-102.5.0-1.el9_1.aarch64.rpm SHA-256: 7980945ce3ec6a2a5617d324ba454ebacfec1cf8a566457d8e70c4e850c4898e
firefox-debuginfo-102.5.0-1.el9_1.aarch64.rpm SHA-256: 0977b2a6fc5c07c71bc880deeeb7c45c605b1f99cbe9bd8e2d92c03105679037
firefox-debugsource-102.5.0-1.el9_1.aarch64.rpm SHA-256: 03df9a8d159aaf5573ac9dab3be99bd9ef74b0d0e63974cae00fac719ea1603f

Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2

SRPM
firefox-102.5.0-1.el9_1.src.rpm SHA-256: 673a207166a00cdfa1b3c918008ecd1f61d29304549b7baef7c41974fb06c2d5
s390x
firefox-102.5.0-1.el9_1.s390x.rpm SHA-256: 58fdb9dc6b91839d748e3c0ebf3ba735f839d09aba33b5635c22741af47cb97f
firefox-debuginfo-102.5.0-1.el9_1.s390x.rpm SHA-256: d968cb54f35b2badd2760130b8b80ec05d466a4919e1dbc384d04c1d0b71bcad
firefox-debugsource-102.5.0-1.el9_1.s390x.rpm SHA-256: a9537613ce696b06e6e45e24f32a4770c2f1ee50933a72bda1bae538708a0e6d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.