firefox-60.9.0-1.0.1.AXS4

エラータID: AXSA:2019-4316:05

Release date: 
Wednesday, September 25, 2019 - 08:14
Subject: 
firefox-60.9.0-1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.9.0 ESR.

Security Fix(es):

* Mozilla: Sandbox escape through Firefox Sync (CVE-2019-9812)

* Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9 (CVE-2019-11740)

* Mozilla: Same-origin policy violation with SVG filters and canvas to steal cross-origin images (CVE-2019-11742)

* Mozilla: XSS by breaking out of title and textarea elements using innerHTML (CVE-2019-11744)

* Mozilla: Use-after-free while manipulating video (CVE-2019-11746)

* Mozilla: Use-after-free while extracting a key value in IndexedDB (CVE-2019-11752)

* firefox: stored passwords in 'Saved Logins' can be copied without master password entry (CVE-2019-11733)

* Mozilla: Cross-origin access to unload event attributes (CVE-2019-11743)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-11733
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11740
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11742
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11743
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11744
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11746
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11752
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-9812
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2019-11733
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords. This vulnerability affects Firefox < 68.0.2 and Firefox ESR < 68.0.2.
CVE-2019-11740
Mozilla developers and community members reported memory safety bugs present in Firefox 68, Firefox ESR 68, and Firefox 60.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-60.9.0-1.0.1.AXS4.src.rpm
    MD5: 4b398f8701ce07ec3420b50f361e117c
    SHA-256: e41c461f129d4ce38ded5e0db52a9b0c90682448ac2ad85e8130b37c3eb9f3fe
    Size: 417.26 MB

Asianux Server 4 for x86
  1. firefox-60.9.0-1.0.1.AXS4.i686.rpm
    MD5: 10dad5d15143f3f6df012d4f00ca6de8
    SHA-256: 26184df1b1b763c65d9d7ddbca5f606ce17be086155c412b035b76a175e67e8e
    Size: 115.12 MB

Asianux Server 4 for x86_64
  1. firefox-60.9.0-1.0.1.AXS4.x86_64.rpm
    MD5: 5437a8c0081a6f6b48d8acda564e4471
    SHA-256: 5190a02cbf14789b601eb0538c44d0887efe65218109a62f5331ad58534026a7
    Size: 115.34 MB
  2. firefox-60.9.0-1.0.1.AXS4.i686.rpm
    MD5: 10dad5d15143f3f6df012d4f00ca6de8
    SHA-256: 26184df1b1b763c65d9d7ddbca5f606ce17be086155c412b035b76a175e67e8e
    Size: 115.12 MB