Scientific Linux alert SLSA-2022:0514-1 (firefox)

From:
             
 
Pat Riehecky <riehecky@fnal.gov>
To:
             
 
scientific-linux-errata@listserv.fnal.gov
Subject:
             
 
Security ERRATA Important: firefox on SL7.x x86_64
Date:
             
 
Mon, 14 Feb 2022 17:13:42 -0000
Message-ID:
             
 
<20220214171342.32388.96272@0acbe050e934>
Synopsis:          Important: firefox security update
Advisory ID:       SLSA-2022:0514-1
Issue Date:        2022-02-14
CVE Numbers:       CVE-2022-22754
                   CVE-2022-22756
                   CVE-2022-22760
                   CVE-2022-22761
                   CVE-2022-22763
                   CVE-2022-22759
                   CVE-2022-22764
--

This update upgrades Firefox to version 91.6.0 ESR.

Security Fix(es):

* Mozilla: Extensions could have bypassed permission confirmation during
update (CVE-2022-22754)

* Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
(CVE-2022-22764)

* Mozilla: Drag and dropping an image could have resulted in the dropped
object being an executable (CVE-2022-22756)

* Mozilla: Sandboxed iframes could have executed script if the parent
appended elements (CVE-2022-22759)

* Mozilla: Cross-Origin responses could be distinguished between script
and  non-script content-types (CVE-2022-22760)

* Mozilla: frame-ancestors Content Security Policy directive was not
enforced for framed extension pages (CVE-2022-22761)

* Mozilla: Script Execution during invalid object state (CVE-2022-22763)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
--

SL7
  x86_64
    firefox-91.6.0-1.el7_9.x86_64.rpm
    firefox-debuginfo-91.6.0-1.el7_9.x86_64.rpm
    firefox-91.6.0-1.el7_9.i686.rpm

- Scientific Linux Development Team