firefox-78.13.0-2.0.1.AXS4

エラータID: AXSA:2021-2377:24

Release date: 
Friday, August 20, 2021 - 06:20
Subject: 
firefox-78.13.0-2.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 78.13.0 ESR.

Security Fix(es):

* Mozilla: Uninitialized memory in a canvas object could have led to memory corruption (CVE-2021-29980)
* Mozilla: Incorrect instruction reordering during JIT optimization (CVE-2021-29984)
* Mozilla: Race condition when resolving DNS names could have led to memory corruption (CVE-2021-29986)
* Mozilla: Memory corruption as a result of incorrect style treatment (CVE-2021-29988)
* Mozilla: Memory safety bugs fixed in Thunderbird 78.13 (CVE-2021-29989)
* Mozilla: Use-after-free media channels (CVE-2021-29985)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-29980
Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29984
Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29985
A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29986
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29988
Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29989
Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.

Solution: 

Update packages.

CVEs: 
CVE-2021-29980
Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29984
Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29985
A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29986
A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29988
Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
CVE-2021-29989
Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13, and Firefox < 91.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-78.13.0-2.0.1.AXS4.src.rpm
    MD5: 4aff026562712e3cc69c35516f331819
    SHA-256: 9d6875995910d1ba42b24363d8ff6cf8de9b076f96093e93ac2ade0a0f84a427
    Size: 689.86 MB

Asianux Server 4 for x86
  1. firefox-78.13.0-2.0.1.AXS4.i686.rpm
    MD5: d5a8f432940a83d27eec9acc0ca0f341
    SHA-256: dbb6823379f45db0d5f9a2eaecf04f6ff4f958505192ca676eab33cdc13b2db6
    Size: 130.21 MB

Asianux Server 4 for x86_64
  1. firefox-78.13.0-2.0.1.AXS4.x86_64.rpm
    MD5: a20bc974ea2a1053fc321256777e7b97
    SHA-256: f9131ee517eb9a7626f468b1cdc30633e4d4eb1ad024d51101235e03b2bc7ab2
    Size: 126.77 MB
  2. firefox-78.13.0-2.0.1.AXS4.i686.rpm
    MD5: d5a8f432940a83d27eec9acc0ca0f341
    SHA-256: dbb6823379f45db0d5f9a2eaecf04f6ff4f958505192ca676eab33cdc13b2db6
    Size: 130.21 MB