firefox-52.4.0-1.0.1.el7.AXS7

エラータID: AXSA:2017-2314:06

Release date: 
Thursday, October 12, 2017 - 02:22
Subject: 
firefox-52.4.0-1.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.4.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-7810, CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7814, CVE-2017-7823)

Asianux would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell
Jesup, Tom Ritter, Tyson Smith, Sebastian Hengst, Abhishek Arya, Nils, Omair,
Andre Weissflog, François Marier, and Jun Kokatsu as the original reporters.

CVE-2017-7793
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7810
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7814
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7818
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7819
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7823
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7824
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2017-7793
A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7810
Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7814
File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7818
A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7819
A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7823
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7824
A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-52.4.0-1.0.1.el7.AXS7.src.rpm
    MD5: edc5f75c10f65255fc525415457791b7
    SHA-256: 80a81d2653d2cc4856be2b9b8b9efc004913377d83491edd7f5eaea787657578
    Size: 367.40 MB

Asianux Server 7 for x86_64
  1. firefox-52.4.0-1.0.1.el7.AXS7.x86_64.rpm
    MD5: 78dd222966e6a059589d9661c723616b
    SHA-256: daaa9632d95779a2068730bdf55e3b00ad5c56b154d8cf5f06d734fe69a9e2c3
    Size: 83.20 MB
  2. firefox-52.4.0-1.0.1.el7.AXS7.i686.rpm
    MD5: bfbbbfa6b444fe60cad0eb320e236748
    SHA-256: 5cf03847c087d6f6b719edb25490cd99330b860f1d2ab89fc181aa8f1b54229c
    Size: 83.45 MB