Headline
RHSA-2022:6997: Red Hat Security Advisory: firefox security update
An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-10-18
Updated:
2022-10-18
RHSA-2022:6997 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: firefox security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for firefox is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 102.3.0 ESR.
Security Fix(es):
- expat: a use-after-free in the doContent function in xmlparse.c (CVE-2022-40674)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, Firefox must be restarted for the changes to take effect.
Affected Products
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Enterprise Linux Workstation 7 x86_64
- Red Hat Enterprise Linux Desktop 7 x86_64
- Red Hat Enterprise Linux for IBM z Systems 7 s390x
- Red Hat Enterprise Linux for Power, big endian 7 ppc64
- Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Fixes
- BZ - 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c
Red Hat Enterprise Linux Server 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
x86_64
firefox-102.3.0-7.el7_9.i686.rpm
SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3
firefox-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899
firefox-debuginfo-102.3.0-7.el7_9.i686.rpm
SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712
firefox-debuginfo-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f
Red Hat Enterprise Linux Workstation 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
x86_64
firefox-102.3.0-7.el7_9.i686.rpm
SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3
firefox-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899
firefox-debuginfo-102.3.0-7.el7_9.i686.rpm
SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712
firefox-debuginfo-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f
Red Hat Enterprise Linux Desktop 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
x86_64
firefox-102.3.0-7.el7_9.i686.rpm
SHA-256: 4db3d6b4bca2419b68471f05b71e0f39559274176ffdb634d2e34e80b6cf29a3
firefox-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 98a9ef4bfd5b1b0b00483fcdddc2547ae064ffabbdc6597448b03754eb5ca899
firefox-debuginfo-102.3.0-7.el7_9.i686.rpm
SHA-256: 66fc95633e2c055a4a61b13af9267a8f079d570bed3c7e4ea69109e476d26712
firefox-debuginfo-102.3.0-7.el7_9.x86_64.rpm
SHA-256: 61d4a321e007e7baa3722e77caa8e7e7eab1e7059b5cbc8135379bf88e155c1f
Red Hat Enterprise Linux for IBM z Systems 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
s390x
firefox-102.3.0-7.el7_9.s390x.rpm
SHA-256: 86380468af5cf5965d3ca7d3f6dabf34dccd70f58a09b890e844cbacf5c36600
firefox-debuginfo-102.3.0-7.el7_9.s390x.rpm
SHA-256: 89a7f9fc31f3c6bc5d824ffcf72f980e169255f52643371588f53919515210d2
Red Hat Enterprise Linux for Power, big endian 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
ppc64
firefox-102.3.0-7.el7_9.ppc64.rpm
SHA-256: 273c30a8e85ce10e47cf87158764fd8a8027d3f7704f1237e7105d6020d0ffd9
firefox-debuginfo-102.3.0-7.el7_9.ppc64.rpm
SHA-256: d2e67ecae2d64cf3d802c04b53c843f7173e6e9cb24fa839e8a3f3baf590c815
Red Hat Enterprise Linux for Power, little endian 7
SRPM
firefox-102.3.0-7.el7_9.src.rpm
SHA-256: a4b59a2f4a4d4734dd3260afb1ec670c14fc06b25f01eaedd0159517c3736d04
ppc64le
firefox-102.3.0-7.el7_9.ppc64le.rpm
SHA-256: 0f06f355ad528774772aea08e0e423a9b0b3cbc6f3160cea38bd999404d40fa6
firefox-debuginfo-102.3.0-7.el7_9.ppc64le.rpm
SHA-256: 365c981d2ae3b6f264a0836a033bf5c3d146087c350a3e56b57a104e6bb9fdcd
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.
An update for mingw-expat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: A vulnerability was found in expat. With this flaw, it is possible to create a situation in which parsing is suspended while substituting in an internal entity so that XML_ResumeParser directly uses the internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawName...
Dell PowerScale OneFS 8.2.x, 9.0.0.x - 9.4.0.x, contain an insufficient resource pool vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.
Red Hat Security Advisory 2022-8841-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer over-read, buffer overflow, bypass, code execution, denial of service, double free, integer overflow, out of bounds read, and use-after-free vulnerabilities.
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-8598-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include bypass, code execution, integer overflow, memory leak, and use-after-free v...
Ubuntu Security Notice 5638-2 - USN-5638-1 fixed a vulnerability in Expat. This update provides the corresponding updates for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Rhodri James discovered that Expat incorrectly handled memory when processing certain malformed XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.
Red Hat Security Advisory 2022-7313-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Issues addressed include denial of service and remote SQL injection vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.4.8 General Availability release images, which fix security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-35948: nodejs: undici vulnerable to CRLF via content headers * CVE-2022-35949: n...
Red Hat Security Advisory 2022-6905-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.50. Issues addressed include a code execution vulnerability.
OpenShift sandboxed containers 1.3.1 is now available.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2832: blender: Null pointer reference in blender thumbnail extractor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob
Red Hat Security Advisory 2022-7026-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2022-6996-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a use-after-free vulnerability.
An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
Red Hat Security Advisory 2022-6967-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.
An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
An update for compat-expat1 is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
Red Hat Security Advisory 2022-6921-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.
Red Hat Security Advisory 2022-6878-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.
An update for expat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
Red Hat Security Advisory 2022-6831-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.
An update for expat is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
Gentoo Linux Security Advisory 202209-24 - Multiple vulnerabilities have been discovered in Expat, the worst of which could result in arbitrary code execution. Versions less than 2.4.9 are affected.
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.