|
|
Subscribe / Log in / New account

Mageia alert MGASA-2025-0201 (rootcerts, nss & firefox)



From:
              Mageia Updates <updates-announce@ml.mageia.org>


To:
              updates-announce@ml.mageia.org


Subject:
              [updates-announce] MGASA-2025-0201: Updated rootcerts, nss & firefox packages fix security vulnerabilities


Date:
              Thu, 03 Jul 2025 00:17:01 +0200


Message-ID:
              <20250702221701.5CE889FC79@duvel.mageia.org>


Archive-link:
              Article


MGASA-2025-0201 - Updated rootcerts, nss & firefox packages fix security vulnerabilities

Publication date: 02 Jul 2025
URL: https://advisories.mageia.org/MGASA-2025-0201.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6424,
     CVE-2025-6425,
     CVE-2025-6429,
     CVE-2025-6430

Description:
CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially
exploitable crash.
CVE-2025-6425: An attacker who enumerated resources from the WebCompat
extension could have obtained a persistent UUID that identified the
browser, and persisted between containers and normal/private browsing
mode, but not profiles.
CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten
it to the youtube.com domain when parsing the URL specified in an embed
tag. This could have bypassed website security checks that restricted
which domains users were allowed to embed.
CVE-2025-6430: When a file download is specified via the
Content-Disposition header, that directive would be ignored if the file
was included via a <embed> or <object> tag, potentially making a website
vulnerable to a cross-site scripting attack.
We can't yet ship this update to the armv7hl architecture; we are
investigating the issue and will try to update firefox for armv7hl as soon as
possible.

References:
- https://bugs.mageia.org/show_bug.cgi?id=34393
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113.html
- https://www.mozilla.org/en-US/firefox/128.12.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa202...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6424
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6425
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6429
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6430

SRPMS:
- 9/core/firefox-128.12.0-1.1.mga9
- 9/core/firefox-l10n-128.12.0-1.1.mga9
- 9/core/rootcerts-20250613.00-1.mga9
- 9/core/nss-3.113.0-1.mga9
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds