Issued:: 2024-09-19
Updated:: 2025-01-09

RHSA-2024:6838 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Security Fix(es):

mozilla: Type confusion when looking up a property name in a "with" block (CVE-2024-8381)
mozilla: Internal event interfaces were exposed to web content when browser

EventHandler listener callbacks ran (CVE-2024-8382)

mozilla: Firefox did not ask before openings news: links in an external

application (CVE-2024-8383)

mozilla: Garbage collection could mis-color cross-compartment objects in OOM

conditions (CVE-2024-8384)

mozilla: WASM type confusion involving ArrayTypes (CVE-2024-8385)
mozilla: SelectElements could be shown over another site if popups are allowed (CVE-2024-8386)
mozilla: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and

Thunderbird 128.2 (CVE-2024-8387)

mozilla: Type Confusion in Async Generators in Javascript Engine

(CVE-2024-7652)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x

Fixes

BZ - 2307328 - firefox: 115.15/128.2 ESR
BZ - 2309427 - CVE-2024-8381 mozilla: Type confusion when looking up a property name in a "with" block
BZ - 2309428 - CVE-2024-8382 mozilla: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
BZ - 2309429 - CVE-2024-8383 mozilla: Firefox did not ask before openings news: links in an external application
BZ - 2309430 - CVE-2024-8384 mozilla: Garbage collection could mis-color cross-compartment objects in OOM conditions
BZ - 2309431 - CVE-2024-8385 mozilla: WASM type confusion involving ArrayTypes
BZ - 2309432 - CVE-2024-8386 mozilla: SelectElements could be shown over another site if popups are allowed
BZ - 2309433 - CVE-2024-8387 mozilla: Memory safety bugs fixed in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2
BZ - 2310490 - CVE-2024-7652 mozilla: Type Confusion in Async Generators in Javascript Engine

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
firefox-128.2.0-1.el7_9.src.rpm	SHA-256: d8eb15f370429251c9d869563b57701f231d6399c9196a10b1220a59a2a1f7d8
x86_64
firefox-128.2.0-1.el7_9.x86_64.rpm	SHA-256: 7b7dc66cec05de8c49c1172182fcf79a40a7dc946d4220276ff4db201304c0c7
firefox-debuginfo-128.2.0-1.el7_9.x86_64.rpm	SHA-256: 34ba5f7c2ec89402fcfa72d5d5394b6f602f5ff2e5f1f9b442715abc7606ba58

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
firefox-128.2.0-1.el7_9.src.rpm	SHA-256: d8eb15f370429251c9d869563b57701f231d6399c9196a10b1220a59a2a1f7d8
s390x
firefox-128.2.0-1.el7_9.s390x.rpm	SHA-256: 7361b99eded8ec6a6d5fe959489ec1cb70a13cb60a1258df1bfd584ac9949549
firefox-debuginfo-128.2.0-1.el7_9.s390x.rpm	SHA-256: a955598cd5cb4d3fcdeea1259065cb6e2104254ebea9e738972efa9e4366c39e

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
firefox-128.2.0-1.el7_9.src.rpm	SHA-256: d8eb15f370429251c9d869563b57701f231d6399c9196a10b1220a59a2a1f7d8
ppc64

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
firefox-128.2.0-1.el7_9.src.rpm	SHA-256: d8eb15f370429251c9d869563b57701f231d6399c9196a10b1220a59a2a1f7d8
ppc64le

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Ansible.com

Red Hat Ecosystem Catalog

Red Hat Hybrid Cloud Console

Red Hat Store

Red Hat Marketplace

Red Hat Summit and AnsibleFest