Red Hat Security Advisory 2022-8550-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8550-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8550  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
firefox-102.5.0-1.el8_2.src.rpm

aarch64:  
firefox-102.5.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
firefox-102.5.0-1.el8_2.src.rpm

aarch64:  
firefox-102.5.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
firefox-102.5.0-1.el8_2.src.rpm

aarch64:  
firefox-102.5.0-1.el8_2.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_2.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_2.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_2.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_2.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_2.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_2.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_2.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_2.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJtdzjgjWX9erEAQiw+Q//R8Fd5A2l3Zis2flMbha1Zv4wORpor07B  
nBJvF2qb5hzxvv2YoOD+8c/V5CP8telyVajQWespFXhUC/FLFFsnVfUa7IGX9U9T  
GTtiaL0gXj2m3oTvqSWN42KHlRa1iHeY0JH2w/arV4Qd4n5QfvsEykBmktR+Viz7  
GGMvQsnz4Ckeh/m65KmXkwiWAkiwv/juXesfNG/aQA6qO61AEmtNQD5CXDOAAPbF  
t8lMuWTEuhdDidq8i29j/+b2uMh8TWwxCr4w5+fRte1gWHpIabFI+3gV+/lYsWRk  
MpksUoUeYgSrbT5lBVVMoUP9r3lwMnmMdXNB6YWL5zl2aiXyMvSRs6ptHZP/4Vl/  
JbrNTu6b/NtycKZANBodlSwwXS1z5uBwt7SPb+8nMLG0I8Tya1mMWymbKQqKJBmP  
kpePdxH9Ni5ZzJU8kldSb2IzDgqHs1li7ChFXNVyf2j8Cx3BUXlLNj7ciVdmURwi  
ZEY/QbHnt680mwemkW6JEb+UIbau+1L9yU1VpB9KHm2h/OJt5aT6Idmjn8clP6FL  
a626x8qvzGm7JWNjmfs/ZGkulhiHiL9TlbAJIOp5dRw/k6DLLSqHR3tSWHsY4sJ1  
2El9Oi2kAzK4xhAHhsDW4El/ill7xf1gV903TUcNxmiPS/ZnRKmDJkJhiGNIt2g+  
tSno8rmb0bM=KEnM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8550-01

Red Hat Security Advisory 2022-8553-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8553-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8553  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.5.0-1.el8_1.src.rpm

ppc64le:  
firefox-102.5.0-1.el8_1.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_1.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_1.ppc64le.rpm

x86_64:  
firefox-102.5.0-1.el8_1.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_1.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJrtzjgjWX9erEAQgm4w/7BiWsAX8FsWUc7kDNOtAdiNs3tmgmrJKS  
bIiM/nuALBnphSokhKgTx3Mmk5FqSGpzVihv6AlZKXrgI5Xpf6UA4xfohTm+vTRs  
VbX6fO6puLontD4jY2Bj2XM6rxONbVqbjqo+RT1hEVAaaj9VQdY7GQbG55Dqv3/w  
OlTARORqICSyVVYPpacFRbtM2KkuWOhG3iVqDnTJuZbg29fcTtQu9bStMQGcxad/  
vxYSqoAXyDARKlHozyc1w6mT9sw/7mh4kZyWWrKwuyB6QXUeMt8gBxA1B82mT/i5  
kZkzU8EwjH3mTBgnqhgLHf6yLMUVE72jcxRCqvtRNoye9X6DKKFWzpnDlNwdvbTk  
nmgYF7FLAvNEncqpo/uUIgF2yOE/de5isaZS5oj7hwOLBDXaC47Di/DnrEIOXqw6  
5roe4Tue3mKbUtwHO/ofzQ0jM7uBA8B24ItmVJz3HlxDSF33Iz5n6YPl3omqzqTS  
OluSiyH2CjYrhy9yJV6id9rKP1cDlET+D6mbBArhNiAESKn3/jqFxLE1S65Joiae  
azsUxWowNkAS1okjK/LnTCjUkPJcJ5r4KLJjXgBxaJpzaqJ3IUbBIyIU2NqyGX9P  
9BCFfZ08N1BXMOSgXeS7hJiVrZgrEhB9FovkB4Dx2Os7IXB+5GgVctPaVDCW/2YJ  
pGMGZbNrc3I=YIHI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8553-01

Red Hat Security Advisory 2022-8555-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8555-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8555  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.5.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.5.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.5.0-2.el7_9.src.rpm

ppc64le:  
thunderbird-102.5.0-2.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.5.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.5.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJqNzjgjWX9erEAQjmcQ//f7RmJ4Pe2f8kcRgqSB3amNLxzAL2a2UK  
rYNBdCvcOCzk6sjYuwfyM3QU/WYleUvNPlt4jqed96tmHq0OKQPLmAvQGA1Ix2B6  
6hvB2aG6+R19HesJ01MCTQStD3HbqgCOxe/ZVqIllwTlw9ff7dUfBLnJOQhGnCGK  
eQ1+yiXyL+rRysqKNgTArUS69hKZQNUe5/nYo4sbQh+MBIBlGFrSl2xa2LZaEcLw  
BFD4PytHErCh+tInYQLbTc42Mq5A7IGXPize4Q/Qv7gC1pxck0D6piGNlFQ8rpyk  
DRNZd0iLqpPfqXyzLkXtc0KF/QBZMVysgMP7Bh5spXJrzd+lkeunFBoEh0PVQ5fD  
w5GpyRoMemiSSNNCoXf8VAicOI6f4OqyW6zWcAH3EvEYOEOeJo2wR+VCMkbLlMvh  
MazzmeexokeJ+PFEDidhZOo93pH78UsXnV2zlV3YTdJrVDeD3HMJm1FIF1RJ47zS  
5AAXhPYxswjK4W3NYLEOqHxwxECpZ10k3lOQg8cpyiv9KUfW+S/obeuw+iUxY4gZ  
pX/HhuW5XCJ3q/jiCOW4yPrAcmByGl5Emb7/PBwooYK6+I8+XYxo0bGvxVZrRszd  
e/L/awWzF4MjKT3YG0wjUv3EYGjyIHDrj1NayDqFbMMGJ1jvhdLivUT3dP2YKBy3  
NGYpWbLWE8A=xawt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8555-01

Red Hat Security Advisory 2022-8560-01 - The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database contains a JDBC driver to support a subset of ANSI-92 SQL.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: hsqldb security update  
Advisory ID:       RHSA-2022:8560-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8560  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-41853  
====================================================================  
1. Summary:

An update for hsqldb is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch  
Red Hat Enterprise Linux Server (v. 7) - noarch  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch  
Red Hat Enterprise Linux Workstation (v. 7) - noarch  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

The hsqldb packages provide a relational database management system written  
in Java. The Hyper Structured Query Language Database (HSQLDB) contains a  
JDBC driver to support a subset of ANSI-92 SQL.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
hsqldb-1.8.1.3-15.el7_9.src.rpm

noarch:  
hsqldb-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-demo-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-javadoc-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-manual-1.8.1.3-15.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
hsqldb-1.8.1.3-15.el7_9.src.rpm

noarch:  
hsqldb-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-demo-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-javadoc-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-manual-1.8.1.3-15.el7_9.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
hsqldb-1.8.1.3-15.el7_9.src.rpm

noarch:  
hsqldb-1.8.1.3-15.el7_9.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
hsqldb-1.8.1.3-15.el7_9.src.rpm

noarch:  
hsqldb-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-demo-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-javadoc-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-manual-1.8.1.3-15.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
hsqldb-1.8.1.3-15.el7_9.src.rpm

noarch:  
hsqldb-1.8.1.3-15.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
hsqldb-demo-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-javadoc-1.8.1.3-15.el7_9.noarch.rpm  
hsqldb-manual-1.8.1.3-15.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJxNzjgjWX9erEAQiSUw//UJFY2xsCnIsTAIyksjQG0oVvUVtrZgmS  
zXX1zlCtPSaPbnyvXQx2bYC+WfP3V5/8n4/9V6OVQruaPCfgk50074FarBRWNl3c  
JijAfca6orVZcOmYI8thSte1XX8gTr0y8Nz5/Uh00ocEt6gJlrvebUFW9PxiqITi  
7jkbySojkJ8JQy/sXv0/o6ZF2lTIb5p2YIZHb/BloCcoUmm2ZKY0TwA9BY9gEEb6  
7UFccLSIG4/HWx7v2N9Wvku1osidtLc1i2dvkah60AM/B3gWA0daRm4eOZPSyNHs  
IN2C8B8J9PCFKqouCQ5muYtK0JtV5jJjhDD7M7RWcAF4TFDHrjHrPXUifp6m/JHj  
qwkEeCoj2UtX+nNWN0J4typ9x2vDBqsAH+PfLhg6Dsk6VtVe840+zCwB2m9v2dic  
bZUXtatqn3Mn599f35WmASw4F1puhqdt9chcfsF2kvqx8nFmrRix3KKIQsdl/K58  
W9UdasDiOD8PV0pN5LULv3vtzk6PCJJMvKp3VFWcm3JsqNEEXYCCvDF7FATZYCqB  
B5dE72yuwz7bUyHLw23z7uV96KbQYfd0djbkNDqfSdfCvuy8UzDiu4CMjIBDtxm/  
F0//LAUZKSc2xovaJho9tU6EcpuYzKe24o9yxXjl/Pg3pBeY2pDlExUzoFW+BpO/  
D6Z1tkBjj8E=VAOx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8560-01

Red Hat Security Advisory 2022-8552-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8552-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8552  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.5.0-1.el7_9.src.rpm

x86_64:  
firefox-102.5.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.5.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.5.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.5.0-1.el7_9.src.rpm

ppc64:  
firefox-102.5.0-1.el7_9.ppc64.rpm  
firefox-debuginfo-102.5.0-1.el7_9.ppc64.rpm

ppc64le:  
firefox-102.5.0-1.el7_9.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el7_9.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el7_9.s390x.rpm  
firefox-debuginfo-102.5.0-1.el7_9.s390x.rpm

x86_64:  
firefox-102.5.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.5.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.5.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.5.0-1.el7_9.src.rpm

x86_64:  
firefox-102.5.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.5.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.5.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJsdzjgjWX9erEAQjSzxAAnUNu+6Dd1WyR5ivftYM5oDRTXD6TQNSP  
gcJATtM7uOfo5s4cluRPBnBOqfAEfq+P6rxZ4zlyohPVEbbfBsHHZdkmsqcXAI/C  
t7BgFi2aJ8Ij/eaaGq5lKTAA3Zwt05QgTfwNeQ+LG1/RO0pdiaV6UZiinceBrIZc  
+OEB2Zjf0PBLMHEVKkVyWEOgHYIMbNuXOo7Vdkkn/4EOwQFvJ5CZejSpyb/g19JO  
qTkcPJWOCw7UB2ZuwG6O1O2gsOnxYt/UK3kWo2ype44qt1rzzcXrap2p2wb+Z4Xp  
DksAwiHMTpkXDvjMFlvqaThzpDc3hEUTrlsn4GDsUCp7DdGTA3yNGa/G10gp06zx  
QrlHLbAVIWmlkzcsWm0UjzzAABJsMz0jleRmogCU+5wgdNGzLVV9eAy+s1yYq1xn  
JarVqWlFQ8R193v8n60PHs5H/Odmb7pC58J+AVNgobjWv+GmaQa5hPIzl4xH/bds  
kCxYnh8ASIl9M/r46l/iSSrtmwmVyIV9z17bWrchdDqmaxA+tAcGHIYvXD1yOI/o  
YMNdLGDYLTbvvQE5tz5Z9w3fxsjFogtwqnv+S8lDgX7ZGPMkcBHZdNUnwGbLW6tz  
JE2jpwQ5OV1RN4Ifwpe6xy8hN1X2rsBR2ZxcoSzKLo8tV3fqrXn1Tz9zrMLVvAkI  
2AjhdNYxHtw=bLHN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8552-01

Red Hat Security Advisory 2022-8556-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8556-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8556  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.5.0-2.el8_1.src.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_1.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJpNzjgjWX9erEAQjHFxAApj6H1B8NReTyr+gUbiRpOyrdpO1XdUyo  
cAPep9OSTNnGppCLm7ClM0PbaN4YExPUSz3Ijb6hnIVxGdSfzUzMLPD3f/RocpNx  
RIcfORsn3f9wWN+UHgcjx/EwVPduv/lIt6QD9PNDcz69FlkEw1leFn1BnMt5fEnK  
13XLt0PymFlI6e+6HtfElk2jdxiWHnzCPdiVcUyCZ4iX4syvDI5qNGQl+BFIS9J2  
S8ZjvcwzLcr+7q603unX1hVlca4suJWNTNJFLk6CPdPX9QoGwewtZZ8kh8o3ML1X  
/zlLeme3jrgCvN+3LtNAzDWGRAOPt6J9tVtbu5+Cpe0jH2uJkN75CBxZzgAnE7mi  
y9QHS+jqPGwwM2sVyRmBntVh9aHWMxnpUdDrrJzCDJNd3Fjetn/v+cufNhFRFmUb  
LH+uWDRkGErNTwnjJhGpAuPwsRMYvTp940VNfHBGYe5DwB20VtLsYxA+LLVSrM1n  
t2h3dp+AGQ/xI6yKb2V416wt2IQ1qJ0EJtAzLOqDiKS8leBxmbjatFcXo3nXxvrf  
zPpAmoccSggdcLXwwnp4TlMZKieG99urrd9EULwKV8mdmeWb+kYOOhLOP/3XhiAN  
jfl4PNdzc7oleT36/mC8yE/+vB0DB0ppG0wHpzzixNU2MS3v0e8din+xpTlR2htC  
TiBpNGf+BD0ÿwy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8556-01

Red Hat Security Advisory 2022-8548-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8548-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8548  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
firefox-102.5.0-1.el8_6.src.rpm

aarch64:  
firefox-102.5.0-1.el8_6.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_6.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_6.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_6.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_6.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_6.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_6.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_6.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_6.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_6.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_6.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJu9zjgjWX9erEAQjBxRAAkaDXX5NuhRJ+ORbiMwaveW/omJ1SrVUo  
PBCo1uXtHXPuvMLjgOoDJI/kx8oPwrBk975KW0evD54xncUCDrBx8Kk3+PvMkDS9  
8rFLD0Nl5mdh3FYxmxd+lRqx9aGm59FQpFND8R4RA5O9oUdTvHGdEurrKlLgQXwh  
ib0jieM0uKAaU4aleFB2eEv05B3o2iUqyU98IX6nUzV5VoIOe3bH66sb+f8OBZ2k  
hqXgPtFQcBu+QoSzps5+zydPa/wq3VTwl7Bd8g6FE52qg1YWHsyHwHAwWNtIuB02  
Xg4hGzxfQNto7uQYTkmMAIq87vFS4aLtkWLjOmrHsKcXwbYJh2UAV2tVNW5UDVpX  
MabfulFoe44IgjfafjtV2WiBL8rgKc05rU/pHw9+i0koUdmGqy+8/A04qIBD6013  
+5lEBzH5Vrjxx+0Hn4LtL9ofC7Yx4Q5u/lIjCuod5O6a+kc7qsaCD8PMkOV0+LFu  
03LmLt5NJD5Ubb5eFa45rMLcVPTkTgLh85uD2grVpkgb5UpJU21+CDlw1r21GCIv  
Ye9b/dYqYDAyWPSLOyQGXUH5RpabukbhoE7MzwfGnWv5vd+R6bYGHA68eC8lbRaS  
o3uLigsxkAZeDWLQ9OHG+xNfzp9b9FaAMjHBzBib/mVTnAWg8ljlnp1HN4mfBSrr  
v/QQtqt8H6s=vSZq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8548-01

Red Hat Security Advisory 2022-8549-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8549-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8549  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.5.0-1.el8_4.src.rpm

aarch64:  
firefox-102.5.0-1.el8_4.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_4.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_4.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_4.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_4.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_4.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_4.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_4.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_4.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_4.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_4.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJuNzjgjWX9erEAQik5RAAnD31J/lymXcgWBWXKIj7SpMY4DzB6i7J  
bLve2az5vHlV/Mlwbg2a6quxe7DsR5aQZjE00R2XfPpFDDhT/QV8n6Za71x681Aq  
XPdcYU+kivCnmWzqE35yk5nS5R29BfjD5xMD7xcjClAAlUx45CVLEgY5qHPIq72D  
popvld9PhCfZd8Yix7Tg6J39YPd/gAFOVHyRt2SDZ9DHyIlLGCBCTtNAAwwATBP9  
5kA4g+eME3K80p4J3/GhapEpQY9aTcZN6OdNl4qE+ELAFeatWvOh7Z+N86ucZXbD  
UTK+yiLKamCQfmowOHq1zTGS+DMMPWCxXKp+aAl6HnH9S1+loQzPozhe5M6MjaU/  
MWXnHnX9sOlbb8NnfmUH5mqppItuNL/jV7xHpL/AkRzcm7Ro5+Ag+dTrmtDvApg+  
PDXwxi2DHiS1rCozh4zc7EyWNrbFX/IS/pLj4d1B+xbUCDAXBaNrRaEp5Vwo0gwL  
fmduNPtZrEai96gwU0ab6LY4bFYhBkkLekGTlltzP+oT4oE6SlUlBAveeGseyPVN  
0udVU11o8mIFGZaxuT8moXZHyZpWZ3jjlwU8SUWgv+sX36nlPCestEaasZyPomwt  
Wl02rHBvNVwUwdFWnREY5iu9rL+e8yjhILiD5U3zND5FLDkdpYxRgdap3px/oVEF  
7uvYjD0g7/w=/RTV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8549-01

Red Hat Security Advisory 2022-8559-01 - The hsqldb packages provide a relational database management system written in Java. The Hyper Structured Query Language Database contains a JDBC driver to support a subset of ANSI-92 SQL.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: hsqldb security update  
Advisory ID:       RHSA-2022:8559-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8559  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-41853  
====================================================================  
1. Summary:

An update for hsqldb is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - noarch  
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - noarch

3. Description:

The hsqldb packages provide a relational database management system written  
in Java. The Hyper Structured Query Language Database (HSQLDB) contains a  
JDBC driver to support a subset of ANSI-92 SQL.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
hsqldb-1.8.0.10-13.el6_10.src.rpm

noarch:  
hsqldb-1.8.0.10-13.el6_10.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

Source:  
hsqldb-1.8.0.10-13.el6_10.src.rpm

noarch:  
hsqldb-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-demo-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-javadoc-1.8.0.10-13.el6_10.noarch.rpm  
hsqldb-manual-1.8.0.10-13.el6_10.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJvtzjgjWX9erEAQjU1w/+PsYWR9Dx+uh+4feHX3PKCpDXDOxnNo9O  
K0UlAzR6/wsyH2ITI+sgcHIgVaEZH2eW7KegS+bxVC4LGW37cnF3bk1LOaHccBXt  
zd9O/Y+P63+pDLgqgHF3hoYWr20tm+fjnIy35LprMiui2P61dq21zgjEaEZJgybJ  
h4IaKCLFsEDwRc12/NNnCP27vnN8ScehBTs5dDfWEeeE6KgQ446KiPNTq2jTGIYg  
z+BOD8o52EzACRqsu7pCW7wVGMACYsteL8wBEsNACF1H3yfmIB9lzil0tNOsQYrj  
V/XhmeSjCbU+PUQxmYYt8lYfs1w7/uyz2xtb34Yy3AmaVZt8iR30PdJZ8D7j0H2c  
mDzspmf0/n1jaRjgUTadVFMY2OjSRefhEbOVXFNsMf2y/qOfgPqoSIZNJf8tRDl4  
PFGGiBK+K3Ud6IlvGtdmoEP8I2dSXD4eVHG/nlnsqgxP0KPkLT9lD0ZcyUPTXAdV  
1MFy6Od+V2p++sEgueCJ8kS9Sx7KUEezNWLZeHDLCrc7Pr68vZuw7zj0adY0gbVr  
/nAYVf6iq23nvoVRMbc+SjdyyMXQ4hrNdWA39l6dSPHzu+V27g7slZwqIYwSDilf  
6Psmzn/pZRLDUCVwMVuGyKlNdFOaltao5rRvB+nGeXtuN/OHNvWBDW6zpMUtY9ZP  
jnoZbLy6lIw=VjuI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8559-01

Red Hat Security Advisory 2022-8554-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:8554-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8554  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405  
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409  
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412  
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420  
                   CVE-2022-45421  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.5.0 ESR.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.5.0-1.el8_7.src.rpm

aarch64:  
firefox-102.5.0-1.el8_7.aarch64.rpm  
firefox-debuginfo-102.5.0-1.el8_7.aarch64.rpm  
firefox-debugsource-102.5.0-1.el8_7.aarch64.rpm

ppc64le:  
firefox-102.5.0-1.el8_7.ppc64le.rpm  
firefox-debuginfo-102.5.0-1.el8_7.ppc64le.rpm  
firefox-debugsource-102.5.0-1.el8_7.ppc64le.rpm

s390x:  
firefox-102.5.0-1.el8_7.s390x.rpm  
firefox-debuginfo-102.5.0-1.el8_7.s390x.rpm  
firefox-debugsource-102.5.0-1.el8_7.s390x.rpm

x86_64:  
firefox-102.5.0-1.el8_7.x86_64.rpm  
firefox-debuginfo-102.5.0-1.el8_7.x86_64.rpm  
firefox-debugsource-102.5.0-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3vJq9zjgjWX9erEAQjc2w/+LC4S3wIeSep4DdKUIP3nnZQjheRSE7DG  
k9Zjiw36zuTLZ4vv+5BiPiKrvR1mkBqyzaFKTIr/FScIUt6vUDT44754PD3RTw0F  
0oi+4HDEgriSD722bGgZjh03MnkVNCah4G2MTEiU3oZW25V/2zqzneTukuY4f5+L  
qw0NAj5fOhUHcZ6VYPq/R43wJg8eBu4oCkgPPc+YvW+Y4CwYAacoK+m3y5en+XHz  
CJvQKppLqeeXprOWUr95ps1BP4LsR+bStc8Lr8qtza9Ayu1rpizg9YYFybRM7bJS  
U+0s/vk1DJLj/Im+1UdPHUWiNlVYV5hyD83HH8Dau1aVM0CYkNCE/F+p3UPlKpi4  
9B1ZB+0qc1m2uWYEld/xtmtaK+hsX2YY8a4FN4MvqOZlCuzQ5vR/zag5OewqaBL1  
4oNmqvtKQ9scyVRo3MBxBpUoyVvEeQ8cO5zUyE1NSArgMxoz38pcIp6vpaiCRyWc  
eGjePbJALIA5k3N8bi7E0mxHP5DwYitfd8tFOF/hdvbj8CEKNnbYikF11g9NBLVT  
bvkqrqyJuDMu0NqPzaI6SBDZ+FBlJixLnAGXSz9aarGiiIjRhVts5IlSiTpt7rFd  
9hhUFhWRtZYFcRS198XFFEOR7RL0qXmvOscxFcVrhylPem3/gGo//3cjiPTomR66  
ewpGI45w/vY·Da  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux