An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat
Enterprise Linux 6, and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of
Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
[Updated 21 February 2017]
This advisory has been updated to include Firefox packages for the PPC and S390
architectures that were previously omitted. For this revised update, packages
for all architectures were rebuilt. The rebuilt packages do not contain any new
Mozilla Firefox is an open source web browser.
This update upgrades Firefox to version 45.7.0 ESR.
* Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jann Horn, Filipe Gomes, Muneaki Nishimura, Nils, Armin
Razmjou, Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom
Schuster, Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original
1415924 – CVE-2017-5373 Mozilla: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 (MFSA 2017-01)
1416271 – CVE-2017-5375 Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
1416272 – CVE-2017-5376 Mozilla: Use-after-free in XSL (MFSA 2017-02)
1416274 – CVE-2017-5380 Mozilla: Potential use-after-free during DOM manipulations (MFSA 2017-02)
1416279 – CVE-2017-5390 Mozilla: Insecure communication methods in Developer Tools JSON viewer (MFSA 2017-02)
1416280 – CVE-2017-5396 Mozilla: Use-after-free with Media Decoder (MFSA 2017-02)
1416281 – CVE-2017-5383 Mozilla: Location bar spoofing with unicode characters (MFSA 2017-02)
1416282 – CVE-2017-5386 Mozilla: WebExtensions can use data: protocol to affect other extensions (MFSA 2017-02)