firefox-60.2.2-1.0.1.AXS4

エラータID: AXSA:2018-3355:07

Release date: 
Thursday, October 11, 2018 - 05:46
Subject: 
firefox-60.2.2-1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 60.2.2 ESR.

Security Fix(es):

* Mozilla: type confusion in JavaScript (CVE-2018-12386)

* Mozilla: stack out-of-bounds read in Array.prototype.push (CVE-2018-12387)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Asianux would like to thank the Mozilla project for reporting these issues. The upstream acknowledges Niklas Baumstark, Samuel Groß, and Bruno Keith as the original reporters, via Beyond Security's SecuriTeam Secure Disclosure program.

CVE-2018-12386
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
CVE-2018-12387
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2018-12386
A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
CVE-2018-12387
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-60.2.2-1.0.1.AXS4.src.rpm
    MD5: afe022ff30fbecf644a60788441dd08e
    SHA-256: 3f47996aa630ca196f78eb2c4fddcb29a5a1bc650b2783639b813d6ff6b20cad
    Size: 415.39 MB

Asianux Server 4 for x86
  1. firefox-60.2.2-1.0.1.AXS4.i686.rpm
    MD5: c9b85affe63883697a5dbb7e22ab8ba5
    SHA-256: 1d7dad8c1971e4d066aff3c37e7e6f7cb5b329109017943c06a8a5fef966ce68
    Size: 114.56 MB

Asianux Server 4 for x86_64
  1. firefox-60.2.2-1.0.1.AXS4.x86_64.rpm
    MD5: 39aa0c34598b02215fb576c4a2b77168
    SHA-256: 37644ad4f46ab6e45499910429b9544297b348baa590eae80d489ba46cb8f8c3
    Size: 114.76 MB
  2. firefox-60.2.2-1.0.1.AXS4.i686.rpm
    MD5: c9b85affe63883697a5dbb7e22ab8ba5
    SHA-256: 1d7dad8c1971e4d066aff3c37e7e6f7cb5b329109017943c06a8a5fef966ce68
    Size: 114.56 MB