An update for firefox is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1086 Final 1.0 1.0 2025-01-24 Initial 2025-01-24 2025-01-24 openEuler SA Tool V1.0 2025-01-24 firefox security update An update for firefox is now available for openEuler-24.03-LTS-SP1 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. Security Fix(es): The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.(CVE-2025-0237) When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.(CVE-2025-0241) Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.(CVE-2025-0242) An update for firefox is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP3/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium firefox https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1086 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-0237 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-0241 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-0242 https://nvd.nist.gov/vuln/detail/CVE-2025-0237 https://nvd.nist.gov/vuln/detail/CVE-2025-0241 https://nvd.nist.gov/vuln/detail/CVE-2025-0242 openEuler-24.03-LTS-SP1 firefox-128.6.0-1.oe2403sp1.aarch64.rpm firefox-debuginfo-128.6.0-1.oe2403sp1.aarch64.rpm firefox-debugsource-128.6.0-1.oe2403sp1.aarch64.rpm firefox-128.6.0-1.oe2403sp1.src.rpm firefox-128.6.0-1.oe2403sp1.x86_64.rpm firefox-debuginfo-128.6.0-1.oe2403sp1.x86_64.rpm firefox-debugsource-128.6.0-1.oe2403sp1.x86_64.rpm The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. 2025-01-24 CVE-2025-0237 openEuler-24.03-LTS-SP1 Medium 5.5 AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L firefox security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1086 When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. 2025-01-24 CVE-2025-0241 openEuler-24.03-LTS-SP1 Medium 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L firefox security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1086 Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6. 2025-01-24 CVE-2025-0242 openEuler-24.03-LTS-SP1 Medium 6.3 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L firefox security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1086