Red Hat 製品エラータ RHSA-2024:7842 - Security Advisory
発行日:
2024-10-09
更新日:
2024-10-09

RHSA-2024:7842 - Security Advisory

概要

Important: firefox security update

タイプ/重大度

Security Advisory: Important

Red Hat Insights パッチ分析

このアドバイザリーの影響を受けるシステムを特定し、修正します。

影響を受けるシステムの表示

トピック

An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

説明

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
  • firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
  • firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
  • firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
  • firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
  • firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
  • firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
  • firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

解決策

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

影響を受ける製品

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.8 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

修正

  • BZ - 2315945 - CVE-2024-9399 firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service
  • BZ - 2315947 - CVE-2024-9403 firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
  • BZ - 2315949 - CVE-2024-9397 firefox: thunderbird: Potential directory upload bypass via clickjacking
  • BZ - 2315950 - CVE-2024-9401 firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
  • BZ - 2315951 - CVE-2024-9402 firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
  • BZ - 2315952 - CVE-2024-9398 firefox: thunderbird: External protocol handlers could be enumerated via popups
  • BZ - 2315953 - CVE-2024-9400 firefox: thunderbird: Potential memory corruption during JIT compilation
  • BZ - 2315954 - CVE-2024-9396 firefox: thunderbird: Potential memory corruption may occur when cloning certain objects
  • BZ - 2315956 - CVE-2024-9393 firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
  • BZ - 2315957 - CVE-2024-9394 firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
  • BZ - 2315959 - CVE-2024-9392 firefox: thunderbird: Compromised content process can bypass site isolation

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
x86_64
firefox-128.3.0-1.el8_8.x86_64.rpm SHA-256: fc61f1ef0a3fb6be74e8d797ef11b0c2caf675ac2371af8f7fa8a10e3ad2451c
firefox-debuginfo-128.3.0-1.el8_8.x86_64.rpm SHA-256: 2b8b7df58bcf124aabe8c0827c6e1f28a47ddcd00c57d2f35f835e973fe2346e
firefox-debugsource-128.3.0-1.el8_8.x86_64.rpm SHA-256: f42a17ff673d24dc99277ce58a0f9cdbc5f01e5ac94a10672a980f5362f85617

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
s390x
firefox-128.3.0-1.el8_8.s390x.rpm SHA-256: 2913acd0c6f372c5fffa8dabb3b7d896eefc04709257eecc651fb69477327329
firefox-debuginfo-128.3.0-1.el8_8.s390x.rpm SHA-256: 2350bef83f06753200ba437bb54af86c660b0406c91ff783687d6f5c012c3eec
firefox-debugsource-128.3.0-1.el8_8.s390x.rpm SHA-256: 8fd41b3b3a43b5de15552821934fd568c3bff4357798f3e00f992b5a5c0bffd2

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
ppc64le
firefox-128.3.0-1.el8_8.ppc64le.rpm SHA-256: b33906cbdcee32e5d771080e20e36485a24bc4999bf3239010ff6a20f82392e5
firefox-debuginfo-128.3.0-1.el8_8.ppc64le.rpm SHA-256: 642d5b6810127b3d70ec1516ae8d929e71c30d89c7fe4389a84ba71fb19c8d23
firefox-debugsource-128.3.0-1.el8_8.ppc64le.rpm SHA-256: d355385f95e7d0d93174a6a819c6fe485b7ff8d2c0d0078d5f0f14b5a3212b5b

Red Hat Enterprise Linux Server - TUS 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
x86_64
firefox-128.3.0-1.el8_8.x86_64.rpm SHA-256: fc61f1ef0a3fb6be74e8d797ef11b0c2caf675ac2371af8f7fa8a10e3ad2451c
firefox-debuginfo-128.3.0-1.el8_8.x86_64.rpm SHA-256: 2b8b7df58bcf124aabe8c0827c6e1f28a47ddcd00c57d2f35f835e973fe2346e
firefox-debugsource-128.3.0-1.el8_8.x86_64.rpm SHA-256: f42a17ff673d24dc99277ce58a0f9cdbc5f01e5ac94a10672a980f5362f85617

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
aarch64
firefox-128.3.0-1.el8_8.aarch64.rpm SHA-256: 3d2cb32cbdecdc4ee6bafe19a3234b0ce5657ae4384a1e6b9e14f2d91eab1760
firefox-debuginfo-128.3.0-1.el8_8.aarch64.rpm SHA-256: 52996c22e9a306c845b36b51565e22adb343eda0f01008151d3f11ab7e41ab69
firefox-debugsource-128.3.0-1.el8_8.aarch64.rpm SHA-256: 9629eb93c4ddb8441b1fd800c2edd3cf45b0410f21e5052283da5d88c13317e7

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
ppc64le
firefox-128.3.0-1.el8_8.ppc64le.rpm SHA-256: b33906cbdcee32e5d771080e20e36485a24bc4999bf3239010ff6a20f82392e5
firefox-debuginfo-128.3.0-1.el8_8.ppc64le.rpm SHA-256: 642d5b6810127b3d70ec1516ae8d929e71c30d89c7fe4389a84ba71fb19c8d23
firefox-debugsource-128.3.0-1.el8_8.ppc64le.rpm SHA-256: d355385f95e7d0d93174a6a819c6fe485b7ff8d2c0d0078d5f0f14b5a3212b5b

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8

SRPM
firefox-128.3.0-1.el8_8.src.rpm SHA-256: 06e22bc27115c64ebec401e23c9dbf738da680d8e576004155331dabc05483d3
x86_64
firefox-128.3.0-1.el8_8.x86_64.rpm SHA-256: fc61f1ef0a3fb6be74e8d797ef11b0c2caf675ac2371af8f7fa8a10e3ad2451c
firefox-debuginfo-128.3.0-1.el8_8.x86_64.rpm SHA-256: 2b8b7df58bcf124aabe8c0827c6e1f28a47ddcd00c57d2f35f835e973fe2346e
firefox-debugsource-128.3.0-1.el8_8.x86_64.rpm SHA-256: f42a17ff673d24dc99277ce58a0f9cdbc5f01e5ac94a10672a980f5362f85617

Red Hat のセキュリティーに関する連絡先は secalert@redhat.com です。 連絡先の詳細は https://access.redhat.com/security/team/contact/ をご覧ください。