An update for firefox is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1859 Final 1.0 1.0 2024-07-19 Initial 2024-07-19 2024-07-19 openEuler SA Tool V1.0 2024-07-19 firefox security update An update for firefox is now available for openEuler-20.03-LTS-SP4 Mozilla Firefox is a standalone web browser, designed for standards compliance and performance. Its functionality can be enhanced via a plethora of extensions. Security Fix(es):Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. Security Fix(es): When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81.(CVE-2020-15675) Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.(CVE-2021-23954) If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.(CVE-2022-45406) An update for firefox is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical firefox https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2020-15675 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2021-23954 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-45406 https://nvd.nist.gov/vuln/detail/CVE-2020-15675 https://nvd.nist.gov/vuln/detail/CVE-2021-23954 https://nvd.nist.gov/vuln/detail/CVE-2022-45406 openEuler-20.03-LTS-SP4 firefox-79.0-26.oe2003sp4.aarch64.rpm firefox-debuginfo-79.0-26.oe2003sp4.aarch64.rpm firefox-debugsource-79.0-26.oe2003sp4.aarch64.rpm firefox-79.0-26.oe2003sp4.src.rpm firefox-79.0-26.oe2003sp4.x86_64.rpm firefox-debuginfo-79.0-26.oe2003sp4.x86_64.rpm firefox-debugsource-79.0-26.oe2003sp4.x86_64.rpm mozilla-crashreporter-firefox-debuginfo-79.0-26.oe2003sp4.x86_64.rpm When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81. 2024-07-19 CVE-2020-15675 openEuler-20.03-LTS-SP4 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H firefox security update 2024-07-19 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859 Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7. 2024-07-19 CVE-2021-23954 openEuler-20.03-LTS-SP4 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H firefox security update 2024-07-19 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859 If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. 2024-07-19 CVE-2022-45406 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H firefox security update 2024-07-19 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1859