Synopsis:          Critical: firefox security update
Advisory ID:       SLSA-2018:2113-1
Issue Date:        2018-06-28
CVE Numbers:       CVE-2018-6126
                   CVE-2017-7762
                   CVE-2018-12359
                   CVE-2018-12360
                   CVE-2018-12362
                   CVE-2018-12363
                   CVE-2018-12364
                   CVE-2018-12365
                   CVE-2018-12366
                   CVE-2018-5156
                   CVE-2018-5188
--

This update upgrades Firefox to version 60.1.0 ESR.

Many older Firefox extensions must be updated to work with this new release.

Security Fix(es):

* Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Firefox ESR 52.9 (CVE-2018-5188)

* Mozilla: Buffer overflow using computed size of canvas element
(CVE-2018-12359)

* Mozilla: Use-after-free using focus() (CVE-2018-12360)

* Mozilla: Media recorder segmentation fault when track type is changed
during capture (CVE-2018-5156)

* Skia: Heap buffer overflow rasterizing paths in SVG (CVE-2018-6126)

* Mozilla: Integer overflow in SSSE3 scaler (CVE-2018-12362)

* Mozilla: Use-after-free when appending DOM nodes (CVE-2018-12363)

* Mozilla: CSRF attacks through 307 redirects and NPAPI plugins
(CVE-2018-12364)

* Mozilla: address bar username and password spoofing in reader mode
(CVE-2017-7762)

* Mozilla: Compromised IPC child process can list local filenames
(CVE-2018-12365)

* Mozilla: Invalid data handling during QCMS transformations
(CVE-2018-12366)
--

SL7
  x86_64
    firefox-60.1.0-4.el7_5.x86_64.rpm
    firefox-debuginfo-60.1.0-4.el7_5.x86_64.rpm
    firefox-60.1.0-4.el7_5.i686.rpm
    firefox-debuginfo-60.1.0-4.el7_5.i686.rpm

- Scientific Linux Development Team