firefox-102.12.0-1.el8.ML.1
Errata ID: AXSA:2023-6166:23
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 102.12.0 ESR.
Security Fix(es):
* Mozilla: Click-jacking certificate exceptions through rendering lag (CVE-2023-34414)
* Mozilla: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12 (CVE-2023-34416)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-34414
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-34416
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12.
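The activation delay described above for the certificate error page can be modelled as a guard that starts counting only once the page is actually on screen. The following is an added illustration, not Firefox or Asianux code. The class names, the 500 ms delay and the timeline values are assumptions constructed for the example.

```javascript
// Simplified model of an activation delay on a security-sensitive button.
// ACTIVATION_DELAY_MS is an assumed value chosen for this example.
const ACTIVATION_DELAY_MS = 500;

class GuardedButton {
  constructor(delayMs = ACTIVATION_DELAY_MS) {
    this.delayMs = delayMs;
    this.paintedAt = null; // time the button became visible to the user
  }
  // Call when the page is actually displayed, not when it finished loading.
  markPainted(now) {
    this.paintedAt = now;
  }
  // Accept a click only if the user could have seen the button for delayMs.
  acceptsClick(now) {
    if (this.paintedAt === null) return false; // loaded but not yet displayed
    return now - this.paintedAt >= this.delayMs;
  }
}

// For contrast: a button with no delay acts on any click once loaded.
class UnguardedButton {
  constructor() { this.loadedAt = null; }
  markLoaded(now) { this.loadedAt = now; }
  acceptsClick(now) { return this.loadedAt !== null && now >= this.loadedAt; }
}

// Replay a constructed click timeline (times in milliseconds) against both
// buttons. loadedAt is when the error page loaded; paintedAt is when the
// display actually refreshed after the renderer was busy.
function replay(clicks, loadedAt, paintedAt) {
  const guarded = new GuardedButton();
  const unguarded = new UnguardedButton();
  unguarded.markLoaded(loadedAt);
  return clicks.map((t) => {
    if (t >= paintedAt && guarded.paintedAt === null) guarded.markPainted(paintedAt);
    return { t, unguarded: unguarded.acceptsClick(t), guarded: guarded.acceptsClick(t) };
  });
}

// Constructed sample: page loads at 0, display refreshes at 300.
// Clicks at 120 (inside the gap), 350 (just after paint) and 900.
console.log(replay([120, 350, 900], 0, 300));
```

In this model the click at 120 ms falls between load and paint and the click at 350 ms arrives before the user has had time to react; only the guarded button rejects both.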
SRPMS
- firefox-102.12.0-1.el8.ML.1.src.rpm
MD5: 02369868ed09163ac9b87f4dc43adf04
SHA-256: 040d3d2bfcf6398cb61ca980263f8a4f08648f171dfd46557a2195fb0e5ebaae
Size: 594.92 MB
Asianux Server 8 for x86_64
- firefox-102.12.0-1.el8.ML.1.x86_64.rpm
MD5: 09b9217ba130bb33ede792bc51122a00
SHA-256: 7c073efb9a1aeba97bdb46a02a4ce5109cc5a922e8db5379f29f57d017b448a7
Size: 109.42 MB