firefox-60.2.2-1.0.1.el7.AXS7

エラータID: AXSA:2018-3353:07

Release date: 
Wednesday, October 10, 2018 - 04:47
Subject: 
firefox-60.2.2-1.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.2.2 ESR.

Security Fix(es):

* Mozilla: type confusion in JavaScript (CVE-2018-12386)

* Mozilla: stack out-of-bounds read in Array.prototype.push (CVE-2018-12387)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Asianux would like to thank the Mozilla project for reporting these issues. The upstream acknowledges Niklas Baumstark, Samuel Groß, and Bruno Keith as the original reporters, via Beyond Security's SecuriTeam Secure Disclosure program.

CVE-2018-12386
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
CVE-2018-12387
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2018-12386
A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-60.2.2-1.0.1.el7.AXS7.src.rpm
    MD5: e2b52af27669950a17354e1aefce9542
    SHA-256: 4de4aa1f0d48cd37d8e29aaee6165e521c9f5a83708419d03efae8083b37565c
    Size: 415.39 MB

Asianux Server 7 for x86_64
  1. firefox-60.2.2-1.0.1.el7.AXS7.x86_64.rpm
    MD5: c82423cebd17a6983250bffed413c23e
    SHA-256: 36a384ff5007104663fea31bde9b9dd1e438a9dcb185864a951133f4013946af
    Size: 90.62 MB
  2. firefox-60.2.2-1.0.1.el7.AXS7.i686.rpm
    MD5: fab95ac93e27179777ff57d869dec403
    SHA-256: 3a4c4b78e9a2dc8fea014ef6b1eafdd2723470de5ea018c6316e9bcc6bc16e90
    Size: 92.36 MB