firefox-68.10.0-1.0.1.AXS4
Errata ID: AXSA:2020-213:15
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 68.10.0 ESR.
Security Fix(es):
* Mozilla: Information disclosure due to manipulated URL object (CVE-2020-12418)
* Mozilla: Use-after-free in nsGlobalWindowInner (CVE-2020-12419)
* Mozilla: Use-After-Free when trying to connect to a STUN server (CVE-2020-12420)
* Mozilla: Add-On updates did not respect the same certificate trust rules as software updates (CVE-2020-12421)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-12418
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-12419
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-12420
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-12421
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
When processing callbacks that occurred during window flushing in the parent process, the associated window may die, causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
When performing add-on updates, certificate chains terminating in non-built-in roots were rejected (even if they were legitimately added by an administrator). This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 68.10, Firefox < 78, and Thunderbird < 68.10.0.
N/A
SRPMS
- firefox-68.10.0-1.0.1.AXS4.src.rpm
MD5: 4f3725597db936c9c163c6d94e22d605
SHA-256: ba124e28eef19772f14b08dee4e6ac514173d1f9a2a50e48e6cc505ee3605ccd
Size: 506.49 MB
Asianux Server 4 for x86
- firefox-68.10.0-1.0.1.AXS4.i686.rpm
MD5: eb844f4afbf8122be2325393c1173d15
SHA-256: b94375a440b4c8e686f24f592498ecd68e6cbc6becf950507a6573a53de80ccb
Size: 118.45 MB
Asianux Server 4 for x86_64
- firefox-68.10.0-1.0.1.AXS4.x86_64.rpm
MD5: 35ca4ea0e9ce2e89612469a02ce92fe8
SHA-256: 8f8a86710e40cfc1ded67b20139b68d0094f55bbf1e1d4c7ef6f2ef2d0dd56af
Size: 118.54 MB
- firefox-68.10.0-1.0.1.AXS4.i686.rpm
MD5: eb844f4afbf8122be2325393c1173d15
SHA-256: b94375a440b4c8e686f24f592498ecd68e6cbc6becf950507a6573a53de80ccb
Size: 118.45 MB