The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way.

_The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way._

FROM THE EDITOR

**Securing your edge infrastructure**

Edge security is becoming increasingly important as more organizations turn to edge computing to benefit from the flexibility of hybrid cloud computing and deliver faster, more reliable services at a lower cost.

When we surveyed IT decision makers in 2021 for our 2022 Global Tech Outlook report about what emerging technologies they were most likely to consider using in the next year, or are currently using, 28% said edge computing (up from 25% in 2020). Furthermore, a July 2022 report from 451 Research reveals that "large organizations will significantly expand edge computing infrastructure in two years."1

In edge computing, an increase in data and processing outside the traditional datacenter creates potential risk to organizations. Reduced physical security, a limited compute footprint, lower cost expectations and remote management are often compounded by a lack of IT personnel. These issues combine to create relaxed standards for security and policy and expand the attack surface.

However, there are ways edge resources can improve security. For example, IDC says "63% of organizations report using edge resources to enhance cybersecurity through monitoring networks." IDC also says "replicating data \[using edge resources\] across multiple locations" can "reduce \[the\] impact of ransomware attacks."2

Red Hat provides trusted open source software that helps organizations implement a layered security approach across infrastructure, the application stack and the life cycle for better security on site, in cloud environments or at edge sites.

In this issue of Red Hat Shares, learn about security considerations for edge implementations, key edge security issues for CIOs, how Red Hat helped a customer reduce its edge deployment time while enhancing its infrastructure security and more. Plus, just for fun, we threw in a video from our "In the Clouds" series about how edge computing is being used to solve problems on the International Space Station.

1.  451 Research. "Security tops the priorities for edge computing infrastructure – Highlights from VotE: Edge Infrastructure & Services," 25 July 2022. 
2.  Huang, Cathy, and Jennifer Cooke. "Securing the Edge: How Edge Is Architected Will Determine How Security Is Designed." IDC, Feb. 2022.

**5 security considerations for edge implementations**

Learn about some of the primary security threats edge deployments face and how Red Hat technologies can help mitigate them.

**Edge computing: 4 key security issues for CIOs to prioritize**

The Enterprisers Project suggests considering the expert advice in this article to address security concerns before implementing an edge computing strategy.

_You may also be interested in "Beat these common edge computing challenges."_

**A deep dive on edge and security**

Global analyst firm Futurum Research addresses common edge computing security challenges, Red Hat’s approach to security at the edge and more.

**Boost security, flexibility, and scale at the edge with Red Hat Enterprise Linux**

Find out how Red Hat Enterprise Linux can help you extend your datacenter capabilities to the edge with confidence.

_You may also be interested in "What’s new in Red Hat Enterprise Linux 9 for edge computing."_

CUSTOMER SPOTLIGHT

**Edge computing flexibility enables critical defense and security advantages**

See how Red Hat helped Mamram―the Israel Defense Forces’ central computing system unit―reduce its edge deployment time from weeks to hours while enhancing its infrastructure security and compliance.

**In the Clouds: Edge Computing in Space**

In this episode of our video series, IBM Distinguished Engineer and CTO Space Tech Naeem Altaf explains how, together with NASA, cloud and edge computing services and technologies are being used to solve problems on the International Space Station.

_You may also be interested in "Edge computing in action: Space."_

**AnsibleFest: Shape the present and future of automation**

Oct. 18-19, 2022

Chicago, Illinois

Get discounted pricing through Oct. 17.

_Did you miss our special July edition recapping Red Hat Summit 2022? Check it out. Or browse all past issues of Red Hat Shares._

_Questions or comments about Red Hat Shares? It’s your turn to share. Email us._

Red Hat Shares ― Edge computing: Security

Red Hat Security Advisory 2022-6696-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include crlf injection and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes  
Advisory ID:       RHSA-2022:6696-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6696  
Issue date:        2022-09-26  
CVE Names:         CVE-2015-20107 CVE-2020-28915 CVE-2021-40528   
                   CVE-2022-0391 CVE-2022-1012 CVE-2022-1292   
                   CVE-2022-1586 CVE-2022-1729 CVE-2022-1785   
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068   
                   CVE-2022-2097 CVE-2022-2526 CVE-2022-21123   
                   CVE-2022-21125 CVE-2022-21166 CVE-2022-22576   
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-27666   
                   CVE-2022-27774 CVE-2022-27776 CVE-2022-27782   
                   CVE-2022-29154 CVE-2022-29824 CVE-2022-30629   
                   CVE-2022-31129 CVE-2022-31150 CVE-2022-31151   
                   CVE-2022-32206 CVE-2022-32208 CVE-2022-32250   
                   CVE-2022-34903 CVE-2022-36067   
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.4.6 General  
Availability release images, which fix bugs and update container images.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.4.6 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several security issues and several  
bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Security fixes:

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

* moment: inefficient parsing algorithim resulting in DoS (CVE-2022-31129)

* nodejs16: CRLF injection in node-undici (CVE-2022-31150)

* nodejs/undici: Cookie headers uncleared on cross-origin redirect  
(CVE-2022-31151)

* vm2: Sandbox Escape in vm2 (CVE-2022-36067)

Bug fixes:

* RHACM 2.4 using deprecated APIs in managed clusters (BZ# 2041540)

* vSphere network name doesn't allow entering spaces and doesn't reflect  
YAML changes (BZ# 2074766)

* cluster update status is stuck, also update is not even visible (BZ#  
2079418)

* Policy that creates cluster role is showing as not compliant due to  
Request entity too large message (BZ# 2088486)

* Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster (BZ#  
2089490)

* ACM Console Becomes Unusable After a Time (BZ# 2097464)

* RHACM 2.4.6 images (BZ# 2100613)

* Cluster Pools with conflicting name of existing clusters in same  
namespace fails creation and deletes existing cluster (BZ# 2102436)

* ManagedClusters in Pending import state after ACM hub migration (BZ#  
2102495)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following  
documentation, which will be updated shortly for this release, for  
important  
instructions on installing this update:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2041540 - RHACM 2.4 using deprecated APIs in managed clusters  
2074766 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes  
2079418 - cluster update status is stuck, also update is not even visible  
2088486 - Policy that creates cluster role is showing as not compliant due to Request entity too large message  
2089490 - Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2097464 - ACM Console Becomes Unusable After a Time  
2100613 - RHACM 2.4.6 images  
2102436 - Cluster Pools with conflicting name of existing clusters in same namespace fails creation and deletes existing cluster  
2102495 - ManagedClusters in Pending import state after ACM hub migration  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2109354 - CVE-2022-31150 nodejs16: CRLF injection in node-undici  
2121396 - CVE-2022-31151 nodejs/undici: Cookie headers uncleared on cross-origin redirect  
2124794 - CVE-2022-36067 vm2:  Sandbox Escape in vm2

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2020-28915  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2526  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-22576  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-27666  
https://access.redhat.com/security/cve/CVE-2022-27774  
https://access.redhat.com/security/cve/CVE-2022-27776  
https://access.redhat.com/security/cve/CVE-2022-27782  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-31150  
https://access.redhat.com/security/cve/CVE-2022-31151  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-36067  
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0j9zjgjWX9erEAQjV3w/+OF8DMlMu34xmKbbhZ3feepdH06CvnKpN  
JZjnO16620E+eAJD5Cn+uKUXFEuSvz/JWAkIX9w2C0Z5tiKiwd5ggpiquFRSKYBv  
GK3NXD4GoRxkMbFxJPlM/iaId7JbNR89/kaJDYnWVmqlF6JrJi6mVxPbOrAkMq2g  
anQzh/RwQ9GkK9SmYHicwzRJpsVDvkm7lCcaAk6viVzdXITwG3rHqjc4v0soY48w  
n+hY1oEUi7wfMc+yUQBGU/Sc91jhcQ0HGppi8lBSZzH3VS5D0xyTnSJQ6++FE8Li  
hkl3aRD39YhUNrDYHgtMLyfF09cJ8CiTGc7XSeA4KmiMcZyKIHv05Xn85De6nn75  
SE/Xo8JyDxp9tOlk3BOhFCC1lnv8t/YgKPz41s0mdlhSqfIqBiTjrLpWYZFpqLTP  
vtu5TU3ayHTuuKwGQ1c3OOaIhffxTkA3E9PdK2n4/dyW8tUE3tuAJppcv4FIbpTF  
ejenradoq4GNiR0RyUmNElY1sFlXdzBvP0LThjRJg72AyjvJPOfrYzWt/jMRukbV  
WJr7hMp7naL3pBWMeuUEyCexeYR+WbHtZk/PHZyI14dIFs0KEzKeaWjCgFHwIHEH  
tKjjMX5PLe3vgM61OHunO4C5SZvWvJZBhTGOuhEX6u3cHLgF9CeVq7CPlHXKKr3t  
x6qljk3DN3s=  
=aNSP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6696-01

Red Hat Security Advisory 2022-6700-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6700-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6700  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.3.0-6.el9_0.src.rpm

aarch64:  
firefox-102.3.0-6.el9_0.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el9_0.aarch64.rpm  
firefox-debugsource-102.3.0-6.el9_0.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el9_0.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el9_0.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el9_0.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el9_0.s390x.rpm  
firefox-debuginfo-102.3.0-6.el9_0.s390x.rpm  
firefox-debugsource-102.3.0-6.el9_0.s390x.rpm

x86_64:  
firefox-102.3.0-6.el9_0.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el9_0.x86_64.rpm  
firefox-debugsource-102.3.0-6.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0g9zjgjWX9erEAQi/KA//ZzK9nVVUCVg7lC1rep2cJtZ5GT59QqlP  
QGuCkAnW8O05DBBjHnBIMLhioph2GFGw/A4oBxWijtZXshI5GB/AdQ70GJsbrYJ6  
V7zOE/AO3QOZIWytLjm1wamuIAy2q0ffHVPXuMFyLQ7iU+1RjzEEZOALzVm8p67s  
9mxnDTchhaq+ebDkmYk3qsS83WtQwCIhvz5gu+pXbbAzt9dGg/qc0i+QVedZ0cZX  
LxvbO2F28q/NnjPEmJAWVXgG8HgR7QjmBrVGzYWMOfmXG94sVYCp/dyQy/tOHL6t  
LUZexJJwwihGpveSEDv2KiIfk7IdzSUS93yCL1k0PcU6vvRh8QR977jHYEcpHOrW  
7EsVF+0wUHde9AYaJWfNxGHOWLVbKVR4J1jHZNnfU9eFzeZcRQzXqUPy57mX6yVY  
2n7wE7J34A4Py7lH0QsZzTY0tW0ByL0WXrX63vrij5sugr4LlIZOJcf6xEPeL79A  
YS9Ggc11KvNpMZ0/9fI8fvbP3GMX+QWUWU7f6KI5LBloi+/aRE8+jx9hYtZwtTmV  
tOEqqX5T0ZMvlvEHjdeTM5SpjeInZqS/EbVArWwFjWeprKhz5prtsyApKgHXlRRw  
J1DrNnRvBAAsb5MTzn3zQMHxrl2LwujdKzEZDL2QOEOOybHu+tKGhLB1r7kVpKoZ  
q9To96uLFnE=  
=GZRD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6700-01

Red Hat Security Advisory 2022-6701-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6701-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6701  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.3.0-6.el8_4.src.rpm

aarch64:  
firefox-102.3.0-6.el8_4.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_4.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_4.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_4.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_4.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_4.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_4.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_4.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_4.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_4.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_4.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0edzjgjWX9erEAQhqBQ/6Ak5GcRn6T8IHAXY/o/+AtiO4v468xq31  
CtcUN4PhJLFaW71flbYmwM80wjUGzUwme6ZMJTTdL4frq45XeUhGMXm7RxXdD/6l  
8xXe/d2/C/KOSNFbnhMsGcBt2VHIFkZsbCSvKq9yX5nUByvYZ8hMYek9DtNDZIHt  
oCt4rUXHVcr/WQHg0TBIy/EnUoD60Fn/TlXNMEYXRzY40WMw28JEsPwQGKecjqxl  
YXmRiPtoCUjqM50hPL37meSeDwGLV7c/vxGZ3yTTQQSx9mm8ylvnV+eiE3UFKPy6  
dF1/ldIdfkzJB9YzbIUxfU4nGYMwdUXxp+hRtjU+/cNBt68PGbN9EUywZ8/Nhi2W  
ukJTdOMfW3FrzgC+sUAL+M2pCVOE3edXUlc6s+uHjkzuoYK7mt8gLwqZrjGslYKf  
71trCB56dBZlc2S+g39XqZVu4NWyUwHWEC74gNztDrJPfKlcSs7hkFTkzPST7nJf  
lkmkrRd1ElQrHx4U8xdPPdEh6Cdb4jdyfBcJuiPc/ISlB4/3McYwS75sZ6ko/9BF  
UPDHyrQR5lwV20MpCHptfFHWFS4T3Fp7cF+Oup5v2y7HoZccDaY2UkLIxJgf0ioT  
XtUVXOJpHfrqkVCbgIHW3/5nJL8qibPj0jQz4+cOv2Zkq3QQ9zfGj96BHou8Im0T  
cEMEwtK16iE=  
=7F+k  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6701-01

Red Hat Security Advisory 2022-6702-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6702-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6702  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.3.0-6.el8_6.src.rpm

aarch64:  
firefox-102.3.0-6.el8_6.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_6.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_6.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_6.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_6.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_6.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_6.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_6.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_6.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_6.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_6.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0b9zjgjWX9erEAQjsCA//RRcwMcwRGfgQ9cAGMZ3ba3+kMmPoAxTP  
NkvTCyngoO+dEnyUWyOBW5VjdHW4Oswj8ZwQyW2JDBhvgveh7+5UOpjSOy242cJ/  
3etJgTwowzzD0LbwooeYHn4n/GDTlLJyZ0m0EE8agAnxYqDKElQ6mGhkSeayueuq  
gc4s+R0J2p7eiEZ5Wng5JuDLjNoGbblYkHoQcEeIhC4vyOwsDkDwKLWkWyiO55H8  
k2i+ZV/ae8f/rvui43qMShUTxS/8UtWFTvdVQeGP4sS39oi0tFBH75gsSW8Xy0zE  
A9JxAIjisdrIMlAyg2s44eMef2vQUxSYpwlPsJ7LIumtOmG6Wz3TTViz2fWnqxdP  
iZMENdC6YHW+abLlYQreRoYP5a2HtqmTkX5j1B30wsmJnhSNByJ0YLcDRXedIKtG  
2toV40uX/ECoLqeD1Xm0RP2AHaUABkxhjT7FNBHTSCeV8y4+JFpIIZR8hbSg0eho  
m47FitR2dRmCyA7EI5TUD05lzumBLRQGd5ULvgdZMdIffV46gX9iwTXTxERI48Dg  
6WsJ59cwjyGeWHUeG/pIGJxW+jh+bdAK/CUvMhidzgx5FCb/IEXTKANhzSPyZ5ro  
a3+jGPtroycoaOvMuc6bTjkMzF88EXCucDdBba5tTfs0z8ho5ZqEoSFpYiAafqaf  
2qaEr+QRDNk=  
=IkCE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6702-01

Red Hat Security Advisory 2022-6703-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6703-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6703  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.3.0-6.el8_1.src.rpm

ppc64le:  
firefox-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_1.ppc64le.rpm

x86_64:  
firefox-102.3.0-6.el8_1.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_1.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0YtzjgjWX9erEAQiFCg/6A22FZMDDiBFcw5xxNzawSZ7L4bdBC/QX  
CnYtzed0BFF4irQctN2nkvYJV3E6mWYKUnO1brqyixlnZtk8mjo97CgNoijEM6JP  
mA2qNRleC6KNU4mmz0GWwkJqz/iIWQ78X6CV7AnZSOQQrMh0cT743jO/+/bf/QW8  
NGSlLtYDdAkv6u/Nwdzp3VnzCO8IJFz2kQ7txIATnyw2eEUAlEXfkkPPGCCtIVuL  
23eVFQndO1rB1qblx3jsO/43xtyBoiMsf5UKJGitRLhWOV6/Z4w2Hk+L7i55N7sy  
FRFyvmJ76TefD5ymIoKDi3EN7tIEdOs1ousR6rbNljH1DF/czQliMRm/u2WdKUkL  
UfBEDT924UABK5wPOg6uaponT9GlOTW1jXaQsyDi+nLmxHV6I1l8kuY+d63VHeOs  
N0kcV00oq4FRPURc99wJAjo0uosY0Wm6elQJBTT0F20UMoaPtXDWFka+bp35lT02  
ufWuxsN8550DL/6lx6TePGQ0Z84NKY4FUnmy59Xbct7lCUyBewnZwme0VMK57a4+  
8WfDgLdk/rc0eLPjvwuEIoh6wqfocEh63Wy62imzo1QeDm25NAnH7VXzpXH2PMwF  
BSyUNzdVl2icVGFbXi9u7eU1b30sm7MsA7PvqzJiwpmA9eu8bky23zDGO3TKIEup  
CDxPUlXH9ys=  
=G7Tz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6703-01

Red Hat Security Advisory 2022-6707-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6707-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6707  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
firefox-102.3.0-6.el8_2.src.rpm

aarch64:  
firefox-102.3.0-6.el8_2.aarch64.rpm  
firefox-debuginfo-102.3.0-6.el8_2.aarch64.rpm  
firefox-debugsource-102.3.0-6.el8_2.aarch64.rpm

ppc64le:  
firefox-102.3.0-6.el8_2.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_2.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_2.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el8_2.s390x.rpm  
firefox-debuginfo-102.3.0-6.el8_2.s390x.rpm  
firefox-debugsource-102.3.0-6.el8_2.s390x.rpm

x86_64:  
firefox-102.3.0-6.el8_2.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_2.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0VtzjgjWX9erEAQgniQ/8CCA4KMNvro67ndbv00AxPxKJIbzFRIP5  
B2GFFWQJFZisvpgnU2Nmb8t382AqZdqJZuGJDVBAEkPZ/KQHMD9KiE0Ucb2gxAk0  
YT/4TSk9o5aY3S577yblz7YbvUXKXclaa+pECwui77GLr+G9HO7q/CT1PKDQlSSM  
CVjjvdASJSbnjZwuLHzzvsItSyGFHB605e6eKq92QDP90bFxAhNrXVGjJU0zLhE/  
c8eIpp0NVOnz2nCUf/SrsqiADYMQyyBHdwVB+7PsmJ2NsB2gj8cqI2rOJ5r10mr3  
bC5SMK1LbX4ha7iw99WU/5Z5VFnxq4dPJK4wAhBwUscb1iHUBU6UDTclTJxPgarY  
YcRs+GTgppP8dbq8/5SuU78we3OeDiJW+7CZeuA5B9DgR6hOkSL9xtusYAhQmnE1  
OOlgxe31RVaBON/5TjQqrSKn8wq4ijbOaLKCQszfLG4rz+bGjBsR7vfCWzt3QZ6Q  
1C8/BJpRpl5cujcWxvc/FT0x3J2nKUuL8g3OM5zvJdskibsZIyHCoi4yU0+KrKJZ  
ZAw3FRPXahXkTG97Ua9Xd4CwRHSrmNxxjA8Za1FV/daRTPkcFG4e0+EdOaAynT7V  
Wcm4ypDVL60VCnqupiuIkRImLumECzysaPQfA1E1MyXdq2aFMHtRWCC8NQA2QT0k  
SoINctHlA4U=  
=/8E1  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6707-01

Red Hat Security Advisory 2022-6708-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6708-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6708  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.3.0-3.el8_6.src.rpm

aarch64:  
thunderbird-102.3.0-3.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.aarch64.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.3.0-3.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.3.0-3.el8_6.s390x.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.s390x.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.s390x.rpm

x86_64:  
thunderbird-102.3.0-3.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el8_6.x86_64.rpm  
thunderbird-debugsource-102.3.0-3.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0TNzjgjWX9erEAQiB3RAAkahXHjRspQ+guIITh2rYcmBoQL3GvQZd  
XEI1V8Dk6rnjdt/+6FgYgfggr+73qIj/1/qGYoJofdAPLRUd1pvUTRixC+emHE+W  
iVgo/URHjOBqkMRmc4wUjLkb0xn/voirDTooLAx7opbhzT5FPRAEitGYUbWsI7l2  
9r2f7CJS4sYu/PA3bEm0I+EJDNAHZuL9+9mmbRQNNHT/vwT9R66jdqoZY8wbpvL6  
T899ruuHWEuorCvhsdBsL2BHPxYDQFASlKvkXppPQFjNy09GvmfgbSci//Foy3Uf  
1Sl22PV6QxI+haIg/SWhzrFUQRQpfRtrn5v8Y47yRiqXsat0Zpgn7xcLey/fW4Kj  
rchBJXtvm4lQZwow7Dim/6YdLXsXl0btf9VuV5275qOm5ywYYzUg/f5bDSDLY7Cu  
lfsFo1AybY9TYnzGhL7bTrKZuW/jMHa8T2ftD3LhTudG+VOO2zBepXR1/bH7SYUE  
jndbovr8vpws34oQsSUeTKsd/u9jUJ683IG3G875BmtcxfnA7fBDy8yZ3SB1l+2Q  
8AobvEi/5c+zcXoUirub3X+fxEA/VKjwHUNEYLif3p8DVBNiCTQot1KHHbTxGgKf  
1vMEOdptvYDiZm8l0AZOag/Ew1Fc2PZIhI8JBoDWPc/JNqxSz6V0pzNi0iEGLJL+  
rbfDeg3UhFQ=  
=Gluw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6708-01

Red Hat Security Advisory 2022-6710-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:6710-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6710  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-3032 CVE-2022-3033 CVE-2022-3034   
                   CVE-2022-36059 CVE-2022-40956 CVE-2022-40957   
                   CVE-2022-40958 CVE-2022-40959 CVE-2022-40960   
                   CVE-2022-40962   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.3.0.

Security Fix(es):

* Mozilla: Leaking of sensitive information when composing a response to an  
HTML email with a META refresh tag (CVE-2022-3033)

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Remote content specified in an HTML document that was nested  
inside an iframe's srcdoc attribute was not blocked (CVE-2022-3032)

* Mozilla: An iframe element in an HTML email could trigger a network  
request (CVE-2022-3034)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to  
denial-of-service attack (CVE-2022-36059)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2123255 - CVE-2022-3032 Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked  
2123256 - CVE-2022-3033 Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag  
2123257 - CVE-2022-3034 Mozilla: An iframe element in an HTML email could trigger a network request  
2123258 - CVE-2022-36059 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack  
2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

ppc64le:  
thunderbird-102.3.0-3.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.3.0-3.el7_9.src.rpm

x86_64:  
thunderbird-102.3.0-3.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.3.0-3.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3032  
https://access.redhat.com/security/cve/CVE-2022-3033  
https://access.redhat.com/security/cve/CVE-2022-3034  
https://access.redhat.com/security/cve/CVE-2022-36059  
https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0QtzjgjWX9erEAQjJ/g/8DhFo8FzyNIYAclnV2nX0os649M45iqF+  
kHbnTz7+YvxlY4U7GI7CL/Fxa8spHH3gOjKEsj602MnZ/R3jC422YuLTcIhlQx+o  
B4q1Knfr3ZPLY9rsSB4u6TbtjEC0paNNBfzKahLcZ1OorBXiARf7FaAfBBTCgtM0  
XWivpKkESba4svLKhSioFN3aX75ws8vj0K3eeraPE9+/IBrqgCj4Tj9Te0oL1tGO  
6rDx0t35EeXFCwUurvO5upx3eMzQFTzIqAGQFgdKj6Yfhe6nIE0TSC+eJw237+Ai  
wOZpenjQfWijve/bGuNk/+XB6/KtYcdaMU7NO6VwfxvawmqwbTkkXU3PpU5jxl47  
5f88goZJqB0FPrnU6kB6mqNo2pMHdUs00WcIp0XCrC0XEMYQ+BCH2mAnNfWhcl1O  
mJNdaeYBeWhfE8j6n8khImBOarQISomVwfBk0a/r0gdZlrTEVH68kLC4UkpL9//n  
aH4DqXSeseg4jBTt8+YAVp2iLRJRAHSWtXZW4G4Erhnd2XI80rNd+C69Aznv/UcJ  
+UIwFXZS701yju9wl0sdAIYpcskUphrUchvZgiolbX8wwPHN36O0U1dBRyqM835J  
nv5Vtf9eycdfwHZy0vEyIo8HG7gz7hG+E4MUEzsPP3yov1j7RJNKt8vTWbyxCg0U  
rrW/j52Y4QM=  
=gF6E  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6710-01

Red Hat Security Advisory 2022-6711-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6711-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6711  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

ppc64:  
firefox-102.3.0-6.el7_9.ppc64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.ppc64.rpm

ppc64le:  
firefox-102.3.0-6.el7_9.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el7_9.ppc64le.rpm

s390x:  
firefox-102.3.0-6.el7_9.s390x.rpm  
firefox-debuginfo-102.3.0-6.el7_9.s390x.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.3.0-6.el7_9.src.rpm

x86_64:  
firefox-102.3.0-6.el7_9.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.3.0-6.el7_9.i686.rpm  
firefox-debuginfo-102.3.0-6.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0N9zjgjWX9erEAQiAwg//X0LKGgOodugK6kITzPEX6kret9uH7Nd6  
eWOYy6LlObGhfm89Fo7oaUy+j2B6a1+8fou0wnp2zCDmKHfvj/M4NatO4PamXA90  
BykutKi0zZ/HtAWymmQzlp8unXSqolUB6m0QhsIFBdfbK1czpbRxUh2jPu2Ta5+W  
ajb2TNcG85Oo54QwGQ1ZEzqd2nkqmk2lIipy9xtgINrtOy8C0s9Cw6sPbn1RXmd7  
n804j9USNLV/vEVMUjUBI+NB6RAzJvZ5j7ECy8pTQsLdUOjGIS5FT8sC7ea92qXS  
IVfuv4oeY4LMMQJKZ0AekdMGnrLFh7RXoWBZkTPa64skrDAOG4b7Mp8fGMrZeJS6  
mIf4ZfxiTjHXLgbwfQLoo5RCPVOrKmdgNzKN3ZPfDtY54kRuOOR0Q8tS9mo+ktb4  
G+3N8uBUiEKw+Sd9qV/OKoEaV39YcE9+P0t2EAj6EzYXgKMZNH46HcBBwRcRQ8sF  
gSdbvSGgazHyCkckOZRzSbhj6M8HOqOQiVbL/uInw8V9IRs7PwSa9rc4QY7LEDLF  
nliD6kQ0NbYz7vdVRRqlawvXZrfpj3M0/kMCgvDsDDd6VFnr0qPugLYZvm2HMNL5  
zhCdXDMNpxH7ezWICJ9vFU5m8o7dohHWBS2vnyogIcaYDZ4CBao8vTDC49VaD9GZ  
NQ6pu/VK9bU=  
=5O5C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#red_hat