Synopsis: Important: firefox security update
Advisory ID: SLSA-2022:0124-1
Issue Date: 2022-01-13
CVE Numbers: CVE-2022-22743
CVE-2022-22742
CVE-2022-22741
CVE-2022-22740
CVE-2022-22738
CVE-2022-22737
CVE-2021-4140
CVE-2022-22748
CVE-2022-22745
CVE-2022-22747
CVE-2022-22739
CVE-2022-22751
—
This update upgrades Firefox to version 91.5.0 ESR.
Security Fix(es):
* Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140)
* Mozilla: Race condition when playing audio files (CVE-2022-22737)
* Mozilla: Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738)
* Mozilla: Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22741)
* Mozilla: Out-of-bounds memory access when inserting text in edit mode
(CVE-2022-22742)
* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22743)
* Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
(CVE-2022-22751)
* Mozilla: Leaking cross-origin URLs through securitypolicyviolation event
(CVE-2022-22745)
* Mozilla: Spoofed origin on external protocol launch dialog
(CVE-2022-22748)
* Mozilla: Missing throttling on external protocol launch dialog
(CVE-2022-22739)
* Mozilla: Crash when handling empty pkcs7 sequence (CVE-2022-22747
—
SL7
x86_64
firefox-91.5.0-1.el7_9.x86_64.rpm
firefox-debuginfo-91.5.0-1.el7_9.x86_64.rpm
firefox-91.5.0-1.el7_9.i686.rpm
– Scientific Linux Development Team
