firefox-52.4.0-1.0.1.AXS4

エラータID: AXSA:2017-2316:05

Release date: 
Wednesday, October 18, 2017 - 16:46
Subject: 
firefox-52.4.0-1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.4.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-7810, CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7814, CVE-2017-7823)

Asianux would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell
Jesup, Tom Ritter, Tyson Smith, Sebastian Hengst, Abhishek Arya, Nils, Omair,
Andre Weissflog, François Marier, and Jun Kokatsu as the original reporters.

CVE-2017-7793
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7810
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7814
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7818
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7819
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7823
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-7824
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2017-7793
A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7810
Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7814
File downloads encoded with "blob:" and "data:" URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious sites to lure users into downloading executables that would otherwise be detected as suspicious. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7818
A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7819
A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7823
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
CVE-2017-7824
A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-52.4.0-1.0.1.AXS4.src.rpm
    MD5: cb6b4dd2e6d09d16762a5a8efdf2fdb6
    SHA-256: 8b386dc74a868393474605fdafe5e1b7338adb666369483bf58b95ad03a38e0e
    Size: 368.25 MB

Asianux Server 4 for x86
  1. firefox-52.4.0-1.0.1.AXS4.i686.rpm
    MD5: 566a32f0372e386efb6a48be5ccffca0
    SHA-256: b31bb71b5727186eaae3e95f998d480961e2cd00013abc2cc15acaf5676cf458
    Size: 80.16 MB

Asianux Server 4 for x86_64
  1. firefox-52.4.0-1.0.1.AXS4.x86_64.rpm
    MD5: 53963ec4d7ba49b50cf461dbc4e2eb91
    SHA-256: 0e9affb0ae5cf6142cd101c5ff289c79dcd45e95720e2015cdbb34130e900b8a
    Size: 79.69 MB
  2. firefox-52.4.0-1.0.1.AXS4.i686.rpm
    MD5: 566a32f0372e386efb6a48be5ccffca0
    SHA-256: b31bb71b5727186eaae3e95f998d480961e2cd00013abc2cc15acaf5676cf458
    Size: 80.16 MB