Security Advisory Critical: firefox security update

Advisory: RHSA-2017:1104-1
Type: Security Advisory
Severity: Critical
Issued on: 2017-04-20
Last updated on: 2017-04-20
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2016-10195
CVE-2016-10196
CVE-2016-10197
CVE-2017-5429
CVE-2017-5432
CVE-2017-5433
CVE-2017-5434
CVE-2017-5435
CVE-2017-5436
CVE-2017-5438
CVE-2017-5439
CVE-2017-5440
CVE-2017-5441
CVE-2017-5442
CVE-2017-5443
CVE-2017-5444
CVE-2017-5445
CVE-2017-5446
CVE-2017-5447
CVE-2017-5448
CVE-2017-5449
CVE-2017-5459
CVE-2017-5460
CVE-2017-5464
CVE-2017-5465
CVE-2017-5469

Details

An update for firefox is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Mozilla Firefox is an open source web browser.

This update upgrades Firefox to version 52.1.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5429, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435,
CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440,
CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445,
CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5459,
CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5469)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Mozilla developers and community, Nils, Holger Fuhrmannek,
Atte Kettunen, Huzaifa Sidhpurwala, Nicolas Grégoire, Chamal De Silva, Chun Han
Hsiao, Ivan Fratric of Google Project Zero, Anonymous working with Trend Micro's
Zero Day Initiative, and Petr Cerny as the original reporters.


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to take
effect.

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
firefox-52.1.0-2.el6_9.src.rpm
File outdated by:  RHSA-2017:1440
    MD5: 05f31a2d8a2dc110bfe4720e22e10618
SHA-256: 15fd0fc5e56be4e80602fff7f38a0dbe68b29c93e2aea90bae715440364a8a08
 
IA-32:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
 
x86_64:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: c85862be4789fef58fc7c81e57f06655
SHA-256: fb2dd0f0693150e2cd5f6ecf5c21f700dca0440b79baadac43223705b45354c0
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
firefox-debuginfo-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 91841cbfd36cc3fa92dc349129c81531
SHA-256: a526a358b25415baac9e3f92b061a5646e72d9bf1d6a94bc5e7f908ff63367e4
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
firefox-52.1.0-2.el6_9.src.rpm
File outdated by:  RHSA-2017:1440
    MD5: 05f31a2d8a2dc110bfe4720e22e10618
SHA-256: 15fd0fc5e56be4e80602fff7f38a0dbe68b29c93e2aea90bae715440364a8a08
 
x86_64:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: c85862be4789fef58fc7c81e57f06655
SHA-256: fb2dd0f0693150e2cd5f6ecf5c21f700dca0440b79baadac43223705b45354c0
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
firefox-debuginfo-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 91841cbfd36cc3fa92dc349129c81531
SHA-256: a526a358b25415baac9e3f92b061a5646e72d9bf1d6a94bc5e7f908ff63367e4
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
firefox-52.1.0-2.el6_9.src.rpm
File outdated by:  RHSA-2017:1440
    MD5: 05f31a2d8a2dc110bfe4720e22e10618
SHA-256: 15fd0fc5e56be4e80602fff7f38a0dbe68b29c93e2aea90bae715440364a8a08
 
IA-32:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
 
PPC:
firefox-52.1.0-2.el6_9.ppc.rpm
File outdated by:  RHSA-2017:1440
    MD5: 832a39f608d21b59ebd3cbaf211825a5
SHA-256: b40ec5e13385a298f21443b55c2ded0d865e07b1a8347f0624b5ad1e3cce45de
firefox-52.1.0-2.el6_9.ppc64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 0430e74d828856a4a703adfb8891455f
SHA-256: 6cfbed3f5a5e9786b9d8d108c33fef8cf940eb6a515e81df857824d2586126aa
firefox-debuginfo-52.1.0-2.el6_9.ppc.rpm
File outdated by:  RHSA-2017:1440
    MD5: 816d0585996bc7f0a4f1b3c150ca05bb
SHA-256: 3fa611efbc2dfe04cb7e9f52a55e104694f78615bce7d4b072ac097587db0a86
firefox-debuginfo-52.1.0-2.el6_9.ppc64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 43ec38e61313db3c86e421b14eacf4e8
SHA-256: ecb6b926c5b2af6204f3dc67e44025b3ec2aa9735e6491b7516f86c2ebff4835
 
s390x:
firefox-52.1.0-2.el6_9.s390.rpm
File outdated by:  RHSA-2017:1440
    MD5: c426952f435d1f1790cc4317d02a02f7
SHA-256: 422d6a9504100e1792e3e855cd715f8f72f0e695febbf1866dab896f3002015b
firefox-52.1.0-2.el6_9.s390x.rpm
File outdated by:  RHSA-2017:1440
    MD5: cf51cb81de18694dc85dd19b0f3eea72
SHA-256: 620d5e554dcc318ee12f48d441b81e52d324096aee6173d1d69b09ce4370f1f7
firefox-debuginfo-52.1.0-2.el6_9.s390.rpm
File outdated by:  RHSA-2017:1440
    MD5: 2e314495481772aebfeb73df1a7af048
SHA-256: 25032640d663251bb57170a9fa99f529b0c5634a3685402c72a4b8111521b5e1
firefox-debuginfo-52.1.0-2.el6_9.s390x.rpm
File outdated by:  RHSA-2017:1440
    MD5: 14fcc65462095ce7addde65914e90600
SHA-256: 5ff8304238b62ee25bc3dc579a47143a98c9bdd64f7e1e64dd4f9303f0513c20
 
x86_64:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: c85862be4789fef58fc7c81e57f06655
SHA-256: fb2dd0f0693150e2cd5f6ecf5c21f700dca0440b79baadac43223705b45354c0
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
firefox-debuginfo-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 91841cbfd36cc3fa92dc349129c81531
SHA-256: a526a358b25415baac9e3f92b061a5646e72d9bf1d6a94bc5e7f908ff63367e4
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
firefox-52.1.0-2.el6_9.src.rpm
File outdated by:  RHSA-2017:1440
    MD5: 05f31a2d8a2dc110bfe4720e22e10618
SHA-256: 15fd0fc5e56be4e80602fff7f38a0dbe68b29c93e2aea90bae715440364a8a08
 
IA-32:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
 
x86_64:
firefox-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 44c23574a6f4fa26bc9ac71b42753b27
SHA-256: 608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9
firefox-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: c85862be4789fef58fc7c81e57f06655
SHA-256: fb2dd0f0693150e2cd5f6ecf5c21f700dca0440b79baadac43223705b45354c0
firefox-debuginfo-52.1.0-2.el6_9.i686.rpm
File outdated by:  RHSA-2017:1440
    MD5: 17b66ece80fd061e3b5b6770a6f326bf
SHA-256: 6408eb3d7d92d94dfed3e8eb114bb1fc758074a2cb12ef2f429ba08cca2cb9c6
firefox-debuginfo-52.1.0-2.el6_9.x86_64.rpm
File outdated by:  RHSA-2017:1440
    MD5: 91841cbfd36cc3fa92dc349129c81531
SHA-256: a526a358b25415baac9e3f92b061a5646e72d9bf1d6a94bc5e7f908ff63367e4
 
(The unlinked packages above are only available from the Red Hat Network)
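The advisory tells an administrator two things to check: that the installed firefox build is at or beyond 52.1.0-2.el6_9, and that any package fetched by hand matches the SHA-256 values in the table above (the MD5 values are also listed, but MD5 is not collision resistant and should not be the only check). The following is an added example, not code from the advisory or from Red Hat: it implements RPM's version-segment comparison in Python so the installed version can be compared correctly (plain string comparison gets "52.10" vs "52.9" wrong), queries `rpm -q` on the host, and compares a downloaded file against the advisory's SHA-256 list. It assumes firefox carries no epoch on RHEL 6 and that `rpm` is on the PATH; the later RHSA-2017:1440 supersedes this build, so the fix level here is a floor, not a target.

```python
"""Added example (not part of RHSA-2017:1104): is this RHEL 6 host at or past the
firefox build the advisory ships, and does a downloaded package match its hash?"""
import hashlib
import re
import subprocess
from pathlib import Path

# Fixed build from the advisory: firefox-52.1.0-2.el6_9 (no epoch assumed)
FIXED_VERSION = "52.1.0"
FIXED_RELEASE = "2.el6_9"

# SHA-256 values copied from the advisory's "Updated packages" table
ADVISORY_SHA256 = {
    "firefox-52.1.0-2.el6_9.src.rpm":
        "15fd0fc5e56be4e80602fff7f38a0dbe68b29c93e2aea90bae715440364a8a08",
    "firefox-52.1.0-2.el6_9.i686.rpm":
        "608b631e62c3b70257786e53091a3a6c6cfe7eafd604db65345f78554ce400f9",
    "firefox-52.1.0-2.el6_9.x86_64.rpm":
        "fb2dd0f0693150e2cd5f6ecf5c21f700dca0440b79baadac43223705b45354c0",
}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpmvercmp() does:
    numeric segments numerically, alpha segments lexically, numeric beats
    alpha, and '~' sorts before anything (even end of string). Returns -1/0/1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric or '~') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[a-zA-Z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:
            # segments of different type: the numeric one is newer
            return 1 if numeric else -1
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # leftover segments mean "newer"


def evr_at_least(installed_vr: str) -> bool:
    """installed_vr is '<version>-<release>' as printed by
    rpm -q --qf '%{VERSION}-%{RELEASE}' firefox. True when at/after the fix."""
    version, _, release = installed_vr.partition("-")
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def installed_firefox_vr():
    """Ask rpm on this host; None if firefox is not installed or rpm is missing."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "firefox"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def sha256_matches(name: str, data: bytes, expected=ADVISORY_SHA256) -> bool:
    """Compare the SHA-256 of package bytes with the advisory's value for that file name."""
    if name not in expected:
        raise ValueError(f"{name} is not listed in RHSA-2017:1104")
    return hashlib.sha256(data).hexdigest() == expected[name]


def verify_package(path: str) -> bool:
    """Hash a downloaded .rpm on disk against the advisory table."""
    return sha256_matches(Path(path).name, Path(path).read_bytes())


if __name__ == "__main__":
    vr = installed_firefox_vr()
    if vr is None:
        print("firefox is not installed here (or rpm is unavailable)")
    elif evr_at_least(vr):
        print(f"firefox {vr}: at or beyond the RHSA-2017:1104 fix level")
    else:
        print(f"firefox {vr}: below {FIXED_VERSION}-{FIXED_RELEASE}; update and restart Firefox")
```

A matching hash only proves the file is the one the advisory lists; the GPG signature check (`rpm -K <file>` against the Red Hat key referenced at the end of the advisory) is what ties the package to Red Hat, so run both. The version check also only covers the installed package: a Firefox process started before the update is still running the old code until it is restarted, as the Solution section says.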

Bugs fixed (see bugzilla for more information)

1443298 - CVE-2017-5442 Mozilla: Use-after-free during style changes (MFSA 2017-11, MFSA 2017-12)
1443299 - CVE-2017-5443 Mozilla: Out-of-bounds write during BinHex decoding (MFSA 2017-11, MFSA 2017-12)
1443301 - CVE-2017-5429 Mozilla: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 (MFSA 2017-11, MFSA 2017-12)
1443303 - CVE-2017-5464 Mozilla: Memory corruption with accessibility and DOM manipulation (MFSA 2017-11, MFSA 2017-12)
1443304 - CVE-2017-5465 Mozilla: Out-of-bounds read in ConvolvePixel (MFSA 2017-11, MFSA 2017-12)
1443308 - CVE-2017-5460 Mozilla: Use-after-free in frame selection (MFSA 2017-11, MFSA 2017-12)
1443310 - CVE-2017-5448 Mozilla: Out-of-bounds write in ClearKeyDecryptor (MFSA 2017-11, MFSA 2017-12)
1443311 - CVE-2017-5449 Mozilla: Crash during bidirectional unicode manipulation with animation (MFSA 2017-11, MFSA 2017-12)
1443312 - CVE-2017-5446 Mozilla: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data (MFSA 2017-11, MFSA 2017-12)
1443313 - CVE-2017-5447 Mozilla: Out-of-bounds read during glyph processing (MFSA 2017-11, MFSA 2017-12)
1443314 - CVE-2017-5444 Mozilla: Buffer overflow while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443315 - CVE-2017-5445 Mozilla: Uninitialized values used while parsing application/http-index-format content (MFSA 2017-11, MFSA 2017-12)
1443317 - CVE-2017-5469 Mozilla: Potential Buffer overflow in flex-generated code (MFSA 2017-11, MFSA 2017-12)
1443322 - CVE-2017-5440 Mozilla: Use-after-free in txExecutionState destructor during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443323 - CVE-2017-5441 Mozilla: Use-after-free with selection during scroll events (MFSA 2017-11, MFSA 2017-12)
1443324 - CVE-2017-5439 Mozilla: Use-after-free in nsTArray Length() during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443325 - CVE-2017-5438 Mozilla: Use-after-free in nsAutoPtr during XSLT processing (MFSA 2017-11, MFSA 2017-12)
1443326 - CVE-2017-5437 Mozilla: Vulnerabilities in libevent library (MFSA 2017-11, MFSA 2017-12)
1443327 - CVE-2017-5436 Mozilla: Out-of-bounds write with malicious font in Graphite 2 (MFSA 2017-11, MFSA 2017-12)
1443328 - CVE-2017-5435 Mozilla: Use-after-free during transaction processing in the editor (MFSA 2017-11, MFSA 2017-12)
1443329 - CVE-2017-5434 Mozilla: Use-after-free during focus handling (MFSA 2017-11, MFSA 2017-12)
1443330 - CVE-2017-5433 Mozilla: Use-after-free in SMIL animation functions (MFSA 2017-11, MFSA 2017-12)
1443332 - CVE-2017-5432 Mozilla: Use-after-free in text input selection (MFSA 2017-11, MFSA 2017-12)
1443333 - CVE-2017-5459 Mozilla: Buffer overflow in WebGL (MFSA 2017-11, MFSA 2017-12)


References

https://www.redhat.com/security/data/cve/CVE-2016-10195.html
https://www.redhat.com/security/data/cve/CVE-2016-10196.html
https://www.redhat.com/security/data/cve/CVE-2016-10197.html
https://www.redhat.com/security/data/cve/CVE-2017-5429.html
https://www.redhat.com/security/data/cve/CVE-2017-5432.html
https://www.redhat.com/security/data/cve/CVE-2017-5433.html
https://www.redhat.com/security/data/cve/CVE-2017-5434.html
https://www.redhat.com/security/data/cve/CVE-2017-5435.html
https://www.redhat.com/security/data/cve/CVE-2017-5436.html
https://www.redhat.com/security/data/cve/CVE-2017-5438.html
https://www.redhat.com/security/data/cve/CVE-2017-5439.html
https://www.redhat.com/security/data/cve/CVE-2017-5440.html
https://www.redhat.com/security/data/cve/CVE-2017-5441.html
https://www.redhat.com/security/data/cve/CVE-2017-5442.html
https://www.redhat.com/security/data/cve/CVE-2017-5443.html
https://www.redhat.com/security/data/cve/CVE-2017-5444.html
https://www.redhat.com/security/data/cve/CVE-2017-5445.html
https://www.redhat.com/security/data/cve/CVE-2017-5446.html
https://www.redhat.com/security/data/cve/CVE-2017-5447.html
https://www.redhat.com/security/data/cve/CVE-2017-5448.html
https://www.redhat.com/security/data/cve/CVE-2017-5449.html
https://www.redhat.com/security/data/cve/CVE-2017-5459.html
https://www.redhat.com/security/data/cve/CVE-2017-5460.html
https://www.redhat.com/security/data/cve/CVE-2017-5464.html
https://www.redhat.com/security/data/cve/CVE-2017-5465.html
https://www.redhat.com/security/data/cve/CVE-2017-5469.html
https://access.redhat.com/security/updates/classification/#critical
https://www.mozilla.org/en-US/security/advisories/mfsa2017-08


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/