Issued:: 2024-10-07
Updated:: 2024-10-07

RHSA-2024:7702 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)
firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)
firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)
firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)
firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)
firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)
firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)
firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)
firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x

Fixes

BZ - 2315945 - CVE-2024-9399 firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service
BZ - 2315947 - CVE-2024-9403 firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131
BZ - 2315949 - CVE-2024-9397 firefox: thunderbird: Potential directory upload bypass via clickjacking
BZ - 2315950 - CVE-2024-9401 firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
BZ - 2315951 - CVE-2024-9402 firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3
BZ - 2315952 - CVE-2024-9398 firefox: thunderbird: External protocol handlers could be enumerated via popups
BZ - 2315953 - CVE-2024-9400 firefox: thunderbird: Potential memory corruption during JIT compilation
BZ - 2315954 - CVE-2024-9396 firefox: thunderbird: Potential memory corruption may occur when cloning certain objects
BZ - 2315956 - CVE-2024-9393 firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
BZ - 2315957 - CVE-2024-9394 firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
BZ - 2315959 - CVE-2024-9392 firefox: thunderbird: Compromised content process can bypass site isolation
RHEL-13327 - Firefox: WARNING: No marshaller for signature of signal 'PropertiesChanged': 'glib warning', file /builddir/build/BUILD/firefox-115.3.1/toolkit/xre/nsSigHandlers.cpp:167

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
firefox-128.3.0-1.el7_9.src.rpm	SHA-256: da73499ecedb4106f936a8bd6e6d59a3e1769e41f6193bb7c41753168074f30d
x86_64
firefox-128.3.0-1.el7_9.x86_64.rpm	SHA-256: 601ecb1228809206cca11c103bdacd3433d8e31d0e53a22678f83fd910f629a2
firefox-debuginfo-128.3.0-1.el7_9.x86_64.rpm	SHA-256: b4587b0bf45bd14ff8867fa406f97c36330ff15c578ccd0e611137663cb0bb4c

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
firefox-128.3.0-1.el7_9.src.rpm	SHA-256: da73499ecedb4106f936a8bd6e6d59a3e1769e41f6193bb7c41753168074f30d
s390x
firefox-128.3.0-1.el7_9.s390x.rpm	SHA-256: 7482869ce0a52189f50eec8bb8589862f4c77fcf734a15082db6237fbfcc3930
firefox-debuginfo-128.3.0-1.el7_9.s390x.rpm	SHA-256: 705a52e40ec5c7e051c51975b22867b4175d5ebb3a7bf497301ca6784418fa88

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
firefox-128.3.0-1.el7_9.src.rpm	SHA-256: da73499ecedb4106f936a8bd6e6d59a3e1769e41f6193bb7c41753168074f30d
ppc64

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
firefox-128.3.0-1.el7_9.src.rpm	SHA-256: da73499ecedb4106f936a8bd6e6d59a3e1769e41f6193bb7c41753168074f30d
ppc64le

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation