Synopsis:          Important: firefox security update
Advisory ID:       SLSA-2022:0124-1
Issue Date:        2022-01-13
CVE Numbers:       CVE-2022-22743
                   CVE-2022-22742
                   CVE-2022-22741
                   CVE-2022-22740
                   CVE-2022-22738
                   CVE-2022-22737
                   CVE-2021-4140
                   CVE-2022-22748
                   CVE-2022-22745
                   CVE-2022-22747
                   CVE-2022-22739
                   CVE-2022-22751
--

This update upgrades Firefox to version 91.5.0 ESR.

Security Fix(es):

* Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140)

* Mozilla: Race condition when playing audio files (CVE-2022-22737)

* Mozilla: Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738)

* Mozilla: Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22741)

* Mozilla: Out-of-bounds memory access when inserting text in edit mode
(CVE-2022-22742)

* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22743)

* Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
(CVE-2022-22751)

* Mozilla: Leaking cross-origin URLs through securitypolicyviolation event
(CVE-2022-22745)

* Mozilla: Spoofed origin on external protocol launch dialog
(CVE-2022-22748)

* Mozilla: Missing throttling on external protocol launch dialog
(CVE-2022-22739)

* Mozilla: Crash when handling empty pkcs7 sequence (CVE-2022-22747
--

SL7
  x86_64
    firefox-91.5.0-1.el7_9.x86_64.rpm
    firefox-debuginfo-91.5.0-1.el7_9.x86_64.rpm
    firefox-91.5.0-1.el7_9.i686.rpm

- Scientific Linux Development Team