Issued:: 2024-06-17
Updated:: 2024-06-17

RHSA-2024:3952 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.12.0 ESR.

Security Fix(es):

firefox: Use-after-free in networking (CVE-2024-5702)
firefox: Use-after-free in JavaScript object transplant (CVE-2024-5688)
firefox: External protocol handlers leaked by timing attack (CVE-2024-5690)
firefox: Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)
firefox: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)
firefox: Memory Corruption in Text Fragments (CVE-2024-5696)
firefox: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take
effect.

Affected Products

Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

BZ - 2291394 - CVE-2024-5702 Mozilla: Use-after-free in networking
BZ - 2291395 - CVE-2024-5688 Mozilla: Use-after-free in JavaScript object transplant
BZ - 2291396 - CVE-2024-5690 Mozilla: External protocol handlers leaked by timing attack
BZ - 2291397 - CVE-2024-5691 Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
BZ - 2291399 - CVE-2024-5693 Mozilla: Cross-Origin Image leak via Offscreen Canvas
BZ - 2291400 - CVE-2024-5696 Mozilla: Memory Corruption in Text Fragments
BZ - 2291401 - CVE-2024-5700 Mozilla: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
firefox-115.12.0-1.el8_2.src.rpm	SHA-256: 9ab37407c9ff84b6e089dee91de2c6bc715c8af05d0141cca820ccb12c327986
x86_64
firefox-115.12.0-1.el8_2.x86_64.rpm	SHA-256: a9fa99d187792c27d0294966b7dbbc954c47f62c064da9764f517cb1b120cd4b
firefox-debuginfo-115.12.0-1.el8_2.x86_64.rpm	SHA-256: d7ef1f1d994cec9ca0c4d2f45d9033db78c1ef31e77b65a463e5ba36fce4faa1
firefox-debugsource-115.12.0-1.el8_2.x86_64.rpm	SHA-256: 129c91c083f19bba32906b4d7c17fa64e8bd961d5e480bc36a85e7fbe8454835

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation