Red Hat Product Errata RHSA-2024:0019 - Security Advisory
Issued:
2024-01-02
Updated:
2024-01-02

RHSA-2024:0019 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.6.0 ESR.

Security Fix(es):

  • Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver (CVE-2023-6856)
  • Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6 (CVE-2023-6864)
  • Mozilla: Potential exposure of uninitialized data in <code>EncryptingOutputStream</code> (CVE-2023-6865)
  • Mozilla: Symlinks may resolve to smaller than expected buffers (CVE-2023-6857)
  • Mozilla: Heap buffer overflow in <code>nsTextFragment</code> (CVE-2023-6858)
  • Mozilla: Use-after-free in PR_GetIdentitiesLayer (CVE-2023-6859)
  • Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation (CVE-2023-6860)
  • Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode (CVE-2023-6861)
  • Mozilla: Use-after-free in <code>nsDNSService</code> (CVE-2023-6862)
  • Mozilla: Clickjacking permission prompts using the popup transition (CVE-2023-6867)
  • Mozilla: Undefined behavior in <code>ShutdownObserver()</code> (CVE-2023-6863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2255360 - CVE-2023-6856 Mozilla: Heap-buffer-overflow affecting WebGL <code>DrawElementsInstanced</code> method with Mesa VM driver
  • BZ - 2255361 - CVE-2023-6865 Mozilla: Potential exposure of uninitialized data in <code>EncryptingOutputStream</code>
  • BZ - 2255362 - CVE-2023-6857 Mozilla: Symlinks may resolve to smaller than expected buffers
  • BZ - 2255363 - CVE-2023-6858 Mozilla: Heap buffer overflow in <code>nsTextFragment</code>
  • BZ - 2255364 - CVE-2023-6859 Mozilla: Use-after-free in PR_GetIdentitiesLayer
  • BZ - 2255365 - CVE-2023-6860 Mozilla: Potential sandbox escape due to <code>VideoBridge</code> lack of texture validation
  • BZ - 2255366 - CVE-2023-6867 Mozilla: Clickjacking permission prompts using the popup transition
  • BZ - 2255367 - CVE-2023-6861 Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode
  • BZ - 2255368 - CVE-2023-6862 Mozilla: Use-after-free in <code>nsDNSService</code>
  • BZ - 2255369 - CVE-2023-6863 Mozilla: Undefined behavior in <code>ShutdownObserver()</code>
  • BZ - 2255370 - CVE-2023-6864 Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
x86_64
firefox-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7372dca755ec96b2ca0bac9b4daa42bbafcbf189856b7926757592ea3369fce8
firefox-debuginfo-115.6.0-1.el9_2.x86_64.rpm SHA-256: 98f3db78a8468f2347cf55ccf7bf860c89a85cb9e0326d9d13d1d0c0d82031e1
firefox-debugsource-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7764f3eeb1042304f03fa5957cc66a50c709df09fb7c216b25c279bb9c5e6b2c
firefox-x11-115.6.0-1.el9_2.x86_64.rpm SHA-256: b61a15940be5dcbf2f47a76e606079d1a47b99c9f0dc5dbc36b6683004b0fdc2

Red Hat Enterprise Linux Server - AUS 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
x86_64
firefox-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7372dca755ec96b2ca0bac9b4daa42bbafcbf189856b7926757592ea3369fce8
firefox-debuginfo-115.6.0-1.el9_2.x86_64.rpm SHA-256: 98f3db78a8468f2347cf55ccf7bf860c89a85cb9e0326d9d13d1d0c0d82031e1
firefox-debugsource-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7764f3eeb1042304f03fa5957cc66a50c709df09fb7c216b25c279bb9c5e6b2c
firefox-x11-115.6.0-1.el9_2.x86_64.rpm SHA-256: b61a15940be5dcbf2f47a76e606079d1a47b99c9f0dc5dbc36b6683004b0fdc2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
s390x
firefox-115.6.0-1.el9_2.s390x.rpm SHA-256: 77f8dd47b184536692c6f89e37330e6fb778863bb4e15f13588c9a396f6be194
firefox-debuginfo-115.6.0-1.el9_2.s390x.rpm SHA-256: 9fa04e78f54208934d5667c6765608f49ebe5316050cf978a7b664895b33cdea
firefox-debugsource-115.6.0-1.el9_2.s390x.rpm SHA-256: e05dc06cc488b9fbee10e1d68c7f8730324451fca92a672db9404f8f521a9f68
firefox-x11-115.6.0-1.el9_2.s390x.rpm SHA-256: f92e6b1b7ae3e7dfc2a8b264697329cd432dcdefb7b94eb8f233cd32a28296ed

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
ppc64le
firefox-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 508bac03681ad5841b5067981941f34e9455fe221325c3c318daa6dabe765742
firefox-debuginfo-115.6.0-1.el9_2.ppc64le.rpm SHA-256: eee8b84654ca9155eec52f417145b6d7e3b062ec63acae15e1178dcd72de9f2c
firefox-debugsource-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 7622277e800c95ec9cf4eb88b85e836309f4f09491eb8db9e0d54ba2827ad12a
firefox-x11-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 5c2adb254ce487b05ba7e795229a917d203c3b91b6482082d706e7e3a89ffec4

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
aarch64
firefox-115.6.0-1.el9_2.aarch64.rpm SHA-256: d93ec7a134b45aa36940d01466b20cbcd177a4579d8f63454d4b8b3a7eed8567
firefox-debuginfo-115.6.0-1.el9_2.aarch64.rpm SHA-256: 43cb3883515768f14e55f041100dc3263eb305c1dcd58ac5da16090e47e41ab3
firefox-debugsource-115.6.0-1.el9_2.aarch64.rpm SHA-256: 7c7fec62ed0baf459790efa8da4eccd34c0cf468360bbabbd3020e589cddd664
firefox-x11-115.6.0-1.el9_2.aarch64.rpm SHA-256: c49dedaba5e9c27ad201c8139c8c45aa805783a216dd764533a7178d9ba5257a

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
ppc64le
firefox-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 508bac03681ad5841b5067981941f34e9455fe221325c3c318daa6dabe765742
firefox-debuginfo-115.6.0-1.el9_2.ppc64le.rpm SHA-256: eee8b84654ca9155eec52f417145b6d7e3b062ec63acae15e1178dcd72de9f2c
firefox-debugsource-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 7622277e800c95ec9cf4eb88b85e836309f4f09491eb8db9e0d54ba2827ad12a
firefox-x11-115.6.0-1.el9_2.ppc64le.rpm SHA-256: 5c2adb254ce487b05ba7e795229a917d203c3b91b6482082d706e7e3a89ffec4

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
x86_64
firefox-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7372dca755ec96b2ca0bac9b4daa42bbafcbf189856b7926757592ea3369fce8
firefox-debuginfo-115.6.0-1.el9_2.x86_64.rpm SHA-256: 98f3db78a8468f2347cf55ccf7bf860c89a85cb9e0326d9d13d1d0c0d82031e1
firefox-debugsource-115.6.0-1.el9_2.x86_64.rpm SHA-256: 7764f3eeb1042304f03fa5957cc66a50c709df09fb7c216b25c279bb9c5e6b2c
firefox-x11-115.6.0-1.el9_2.x86_64.rpm SHA-256: b61a15940be5dcbf2f47a76e606079d1a47b99c9f0dc5dbc36b6683004b0fdc2

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
aarch64
firefox-115.6.0-1.el9_2.aarch64.rpm SHA-256: d93ec7a134b45aa36940d01466b20cbcd177a4579d8f63454d4b8b3a7eed8567
firefox-debuginfo-115.6.0-1.el9_2.aarch64.rpm SHA-256: 43cb3883515768f14e55f041100dc3263eb305c1dcd58ac5da16090e47e41ab3
firefox-debugsource-115.6.0-1.el9_2.aarch64.rpm SHA-256: 7c7fec62ed0baf459790efa8da4eccd34c0cf468360bbabbd3020e589cddd664
firefox-x11-115.6.0-1.el9_2.aarch64.rpm SHA-256: c49dedaba5e9c27ad201c8139c8c45aa805783a216dd764533a7178d9ba5257a

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2

SRPM
firefox-115.6.0-1.el9_2.src.rpm SHA-256: a861a97282b868d19bddff1f70c22e4fef2802892edf196b613d5c5cdd5e4266
s390x
firefox-115.6.0-1.el9_2.s390x.rpm SHA-256: 77f8dd47b184536692c6f89e37330e6fb778863bb4e15f13588c9a396f6be194
firefox-debuginfo-115.6.0-1.el9_2.s390x.rpm SHA-256: 9fa04e78f54208934d5667c6765608f49ebe5316050cf978a7b664895b33cdea
firefox-debugsource-115.6.0-1.el9_2.s390x.rpm SHA-256: e05dc06cc488b9fbee10e1d68c7f8730324451fca92a672db9404f8f521a9f68
firefox-x11-115.6.0-1.el9_2.s390x.rpm SHA-256: f92e6b1b7ae3e7dfc2a8b264697329cd432dcdefb7b94eb8f233cd32a28296ed

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.