RHSA-2022:0815: Critical: firefox security update
First published: Thu Mar 10 2022(Updated: )
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.<br>This update upgrades Firefox to version 91.7.0 ESR.<br>Security Fix(es):<br><li> Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)</li> <li> Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)</li> <li> expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)</li> <li> expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)</li> <li> expat: Integer overflow in storeRawNames() (CVE-2022-25315)</li> <li> Mozilla: Use-after-free in text reflows (CVE-2022-26381)</li> <li> Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)</li> <li> Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)</li> <li> Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)</li> <li> Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/firefox | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox-debuginfo | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox-debugsource | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox-debuginfo | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
| redhat/firefox-debugsource | <91.7.0-3.el8_1 | 91.7.0-3.el8_1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2056363
- https://bugzilla.redhat.com/show_bug.cgi?id=2056366
- https://bugzilla.redhat.com/show_bug.cgi?id=2056370
- https://bugzilla.redhat.com/show_bug.cgi?id=2061735
- https://bugzilla.redhat.com/show_bug.cgi?id=2061736
- https://bugzilla.redhat.com/show_bug.cgi?id=2062220
- https://bugzilla.redhat.com/show_bug.cgi?id=2062221
- https://bugzilla.redhat.com/show_bug.cgi?id=2062222
- https://bugzilla.redhat.com/show_bug.cgi?id=2062223
- https://bugzilla.redhat.com/show_bug.cgi?id=2062224
- https://access.redhat.com/security/updates/classification/#critical
- https://access.redhat.com/errata/RHSA-2022:0815 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2022:0815?
The severity of RHSA-2022:0815 is critical due to the presence of a use-after-free vulnerability in XSLT parameter processing.
How do I fix RHSA-2022:0815?
To fix RHSA-2022:0815, upgrade Firefox to version 91.7.0-3.el8_1 as recommended by Red Hat.
Which versions of Firefox are affected by RHSA-2022:0815?
RHSA-2022:0815 affects all Firefox versions prior to 91.7.0-3.el8_1.
What is the nature of the vulnerability in RHSA-2022:0815?
The vulnerability in RHSA-2022:0815 is a use-after-free issue that can potentially allow remote code execution.
Is RHSA-2022:0815 related to any specific platforms?
Yes, RHSA-2022:0815 specifically affects Firefox on Red Hat Enterprise Linux 8 platforms.
- agent/references
- agent/weakness
- agent/severity
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2022:0815
- agent/software-canonical-lookup
- agent/title
- agent/remedy
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat