Issued:: 2025-01-09
Updated:: 2025-01-09

RHSA-2025:0132 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: Use-after-free when breaking lines in text (CVE-2025-0238)
firefox: Memory corruption when using JavaScript Text Segmentation (CVE-2025-0241)
firefox: Alt-Svc ALPN validation failure when redirected (CVE-2025-0239)
firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6 (CVE-2025-0243)
firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6 (CVE-2025-0242)
firefox: WebChannel APIs susceptible to confused deputy attack (CVE-2025-0237)
firefox: Compartment mismatch when parsing JavaScript JSON module (CVE-2025-0240)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x

Fixes

BZ - 2336165 - CVE-2025-0238 firefox: Use-after-free when breaking lines in text
BZ - 2336168 - CVE-2025-0241 firefox: Memory corruption when using JavaScript Text Segmentation
BZ - 2336170 - CVE-2025-0239 firefox: Alt-Svc ALPN validation failure when redirected
BZ - 2336175 - CVE-2025-0243 firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6
BZ - 2336181 - CVE-2025-0242 firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6
BZ - 2336182 - CVE-2025-0237 firefox: WebChannel APIs susceptible to confused deputy attack
BZ - 2336188 - CVE-2025-0240 firefox: Compartment mismatch when parsing JavaScript JSON module

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
firefox-128.6.0-1.el7_9.src.rpm	SHA-256: ff94f71da781fe5f05f635b107be528ba9e4e7cbdcfbac0455e89a4e04f544ff
x86_64
firefox-128.6.0-1.el7_9.x86_64.rpm	SHA-256: 7b494fadcf97395a706be22c12f04c43e8c4a9d41a80ea7283cd3f0f090a551d
firefox-debuginfo-128.6.0-1.el7_9.x86_64.rpm	SHA-256: e37e6f0da1f9d364bb8ceefcda74d924188deaf85c1cfd9817e6cb7d0ea1e376

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
firefox-128.6.0-1.el7_9.src.rpm	SHA-256: ff94f71da781fe5f05f635b107be528ba9e4e7cbdcfbac0455e89a4e04f544ff
s390x
firefox-128.6.0-1.el7_9.s390x.rpm	SHA-256: 4bcff9dceb58570f64d2b081a2bf64c7f5b897ac51612cbae75e1805c51975a1
firefox-debuginfo-128.6.0-1.el7_9.s390x.rpm	SHA-256: 22d0eef4b29751246ed3a096381b5144696968d71a92b42c2fd6b17b0c6cd449

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
firefox-128.6.0-1.el7_9.src.rpm	SHA-256: ff94f71da781fe5f05f635b107be528ba9e4e7cbdcfbac0455e89a4e04f544ff
ppc64

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
firefox-128.6.0-1.el7_9.src.rpm	SHA-256: ff94f71da781fe5f05f635b107be528ba9e4e7cbdcfbac0455e89a4e04f544ff
ppc64le

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation