(RHSA-2022:8549) Important: firefox security update

2022-11-2112:24:08

access.redhat.com

mozilla

firefox

security update

cve-2022-45403

cross-origin media files

fullscreen notification

use-after-free

memory safety bugs

samesite cookie policy

cross-site tracing

keystroke side-channel leakage

custom mouse cursor

iframe contents

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.3%

JSON

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

Mozilla: Service Workers might have learned size of cross-origin media files (CVE-2022-45403)
Mozilla: Fullscreen notification bypass (CVE-2022-45404)
Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)
Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)
Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)
Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)
Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 (CVE-2022-45421)
Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy (CVE-2022-45410)
Mozilla: Cross-Site Tracing was possible via non-standard override headers (CVE-2022-45411)
Mozilla: Symlinks may resolve to partially uninitialized buffers (CVE-2022-45412)
Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)
Mozilla: Custom mouse cursor could have been drawn over browser UI (CVE-2022-45418)
Mozilla: Iframe contents could be rendered outside the iframe (CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
RedHat8s390xfirefox-debuginfo< 102.5.0-1.el8_4firefox-debuginfo-102.5.0-1.el8_4.s390x.rpm
RedHat8x86_64firefox< 102.5.0-1.el8_4firefox-102.5.0-1.el8_4.x86_64.rpm
RedHat8aarch64firefox< 102.5.0-1.el8_4firefox-102.5.0-1.el8_4.aarch64.rpm
RedHat8s390xfirefox-debugsource< 102.5.0-1.el8_4firefox-debugsource-102.5.0-1.el8_4.s390x.rpm
RedHat8x86_64firefox-debugsource< 102.5.0-1.el8_4firefox-debugsource-102.5.0-1.el8_4.x86_64.rpm
RedHat8aarch64firefox-debugsource< 102.5.0-1.el8_4firefox-debugsource-102.5.0-1.el8_4.aarch64.rpm
RedHat8s390xfirefox< 102.5.0-1.el8_4firefox-102.5.0-1.el8_4.s390x.rpm
RedHat8aarch64firefox-debuginfo< 102.5.0-1.el8_4firefox-debuginfo-102.5.0-1.el8_4.aarch64.rpm
RedHat8ppc64lefirefox-debuginfo< 102.5.0-1.el8_4firefox-debuginfo-102.5.0-1.el8_4.ppc64le.rpm
RedHat8x86_64firefox-debuginfo< 102.5.0-1.el8_4firefox-debuginfo-102.5.0-1.el8_4.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	8	s390x	firefox-debuginfo	< 102.5.0-1.el8_4	firefox-debuginfo-102.5.0-1.el8_4.s390x.rpm
RedHat	8	x86_64	firefox	< 102.5.0-1.el8_4	firefox-102.5.0-1.el8_4.x86_64.rpm
RedHat	8	aarch64	firefox	< 102.5.0-1.el8_4	firefox-102.5.0-1.el8_4.aarch64.rpm
RedHat	8	s390x	firefox-debugsource	< 102.5.0-1.el8_4	firefox-debugsource-102.5.0-1.el8_4.s390x.rpm
RedHat	8	x86_64	firefox-debugsource	< 102.5.0-1.el8_4	firefox-debugsource-102.5.0-1.el8_4.x86_64.rpm
RedHat	8	aarch64	firefox-debugsource	< 102.5.0-1.el8_4	firefox-debugsource-102.5.0-1.el8_4.aarch64.rpm
RedHat	8	s390x	firefox	< 102.5.0-1.el8_4	firefox-102.5.0-1.el8_4.s390x.rpm
RedHat	8	aarch64	firefox-debuginfo	< 102.5.0-1.el8_4	firefox-debuginfo-102.5.0-1.el8_4.aarch64.rpm
RedHat	8	ppc64le	firefox-debuginfo	< 102.5.0-1.el8_4	firefox-debuginfo-102.5.0-1.el8_4.ppc64le.rpm
RedHat	8	x86_64	firefox-debuginfo	< 102.5.0-1.el8_4	firefox-debuginfo-102.5.0-1.el8_4.x86_64.rpm