Red Hat Product Errata RHSA-2024:8721 - Security Advisory
Issued:
2024-10-31
Updated:
2024-10-31

RHSA-2024:8721 - Security Advisory

Synopsis

Moderate: firefox security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser (CVE-2024-10464)
  • firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response (CVE-2024-10461)
  • firefox: thunderbird: Permission leak via embed or object elements (CVE-2024-10458)
  • firefox: thunderbird: Use-after-free in layout with accessibility (CVE-2024-10459)
  • firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4 (CVE-2024-10467)
  • firefox: thunderbird: Clipboard "paste" button persisted across tabs (CVE-2024-10465)
  • firefox: DOM push subscription message could hang Firefox (CVE-2024-10466)
  • firefox: thunderbird: Cross origin video frame leak (CVE-2024-10463)
  • firefox: thunderbird: Origin of permission prompt could be spoofed by long URL (CVE-2024-10462)
  • firefox: thunderbird: Confusing display of origin for external protocol handler prompt (CVE-2024-10460)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2322424 - CVE-2024-10464 firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser
  • BZ - 2322425 - CVE-2024-10461 firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
  • BZ - 2322428 - CVE-2024-10458 firefox: thunderbird: Permission leak via embed or object elements
  • BZ - 2322429 - CVE-2024-10459 firefox: thunderbird: Use-after-free in layout with accessibility
  • BZ - 2322433 - CVE-2024-10467 firefox: thunderbird: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
  • BZ - 2322434 - CVE-2024-10465 firefox: thunderbird: Clipboard "paste" button persisted across tabs
  • BZ - 2322438 - CVE-2024-10466 firefox: DOM push subscription message could hang Firefox
  • BZ - 2322439 - CVE-2024-10463 firefox: thunderbird: Cross origin video frame leak
  • BZ - 2322440 - CVE-2024-10462 firefox: thunderbird: Origin of permission prompt could be spoofed by long URL
  • BZ - 2322444 - CVE-2024-10460 firefox: thunderbird: Confusing display of origin for external protocol handler prompt

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
firefox-128.4.0-1.el9_0.src.rpm SHA-256: a69e358363990aa3cf5b9774fbb2729c572a0d715ee642378104ed4d07bd03c1
ppc64le
firefox-128.4.0-1.el9_0.ppc64le.rpm SHA-256: 50973bf7fd699245906a36dc978fd03544d21a547c8138cf4435316022426556
firefox-debuginfo-128.4.0-1.el9_0.ppc64le.rpm SHA-256: 8ee3ea8582f3d5adfa002889c12f1a6895dd9be58d5dbfc376d91f59ece386a7
firefox-debugsource-128.4.0-1.el9_0.ppc64le.rpm SHA-256: ee3601a72b954f4c0e7644f76514ac3c8a5de56f1e1d5845843c086fd156fbfa

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
firefox-128.4.0-1.el9_0.src.rpm SHA-256: a69e358363990aa3cf5b9774fbb2729c572a0d715ee642378104ed4d07bd03c1
x86_64
firefox-128.4.0-1.el9_0.x86_64.rpm SHA-256: 6ccdadcdcf7d80bd21dda6d71f8101d1575236d777b84aee2e8a2e7a2396e185
firefox-debuginfo-128.4.0-1.el9_0.x86_64.rpm SHA-256: b6da79ff3743a6e06328e867c58ed1f3fef590977bd0492144a3fae3d54c503d
firefox-debugsource-128.4.0-1.el9_0.x86_64.rpm SHA-256: 086a7915c7ee089e75792631b4620cac7efbdfb29f12f85efa975d9ef34ad945

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
firefox-128.4.0-1.el9_0.src.rpm SHA-256: a69e358363990aa3cf5b9774fbb2729c572a0d715ee642378104ed4d07bd03c1
aarch64
firefox-128.4.0-1.el9_0.aarch64.rpm SHA-256: a8cb2d2df445d1b833d817577a751f225ecd4323e603024654edfffd1fd2eb90
firefox-debuginfo-128.4.0-1.el9_0.aarch64.rpm SHA-256: 0e372d7c3298abd7370aee2ae756ac297fe305ce4d318e02edd976ebdd7496fd
firefox-debugsource-128.4.0-1.el9_0.aarch64.rpm SHA-256: 8d8a6499802fb0524ce665d5dba35a5692f7b503eb1046be830159b34b5b7eb9

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
firefox-128.4.0-1.el9_0.src.rpm SHA-256: a69e358363990aa3cf5b9774fbb2729c572a0d715ee642378104ed4d07bd03c1
s390x
firefox-128.4.0-1.el9_0.s390x.rpm SHA-256: c9d2a810eb869e9faffed2024ee7da393c8994fa0ddda7db54baccc3ecfa5b83
firefox-debuginfo-128.4.0-1.el9_0.s390x.rpm SHA-256: eb9405d6bb1983ce107e735eb2b1e9d3266a2b8f3d762c1c42d1c353038ba054
firefox-debugsource-128.4.0-1.el9_0.s390x.rpm SHA-256: fb653ebd9b6fdd81e2863ad7bfc585996447c9359e859d46c68ea8627eaf8d45

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.