{"schema_version":"1.7.2","id":"OESA-2025-1720","modified":"2025-07-04T14:42:52Z","published":"2025-07-04T14:42:52Z","upstream":["CVE-2025-6424","CVE-2025-6425","CVE-2025-6429","CVE-2025-6430"],"summary":"firefox security update","details":"Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.\n\nSecurity Fix(es):\n\nA vulnerability was found in Mozilla Firefox up to 139 (Web Browser). It has been rated as critical. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Impacted is confidentiality, integrity, and availability. Upgrading to version 140 eliminates this vulnerability. (CVE-2025-6424)\n\nAn attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. (CVE-2025-6425)\n\nFirefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6429)\n\nWhen a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6430)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"firefox","purl":"pkg:rpm/openEuler/firefox\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.12.0-1.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["firefox-128.12.0-1.oe2403sp1.aarch64.rpm","firefox-debuginfo-128.12.0-1.oe2403sp1.aarch64.rpm","firefox-debugsource-128.12.0-1.oe2403sp1.aarch64.rpm"],"src":["firefox-128.12.0-1.oe2403sp1.src.rpm"],"x86_64":["firefox-128.12.0-1.oe2403sp1.x86_64.rpm","firefox-debuginfo-128.12.0-1.oe2403sp1.x86_64.rpm","firefox-debugsource-128.12.0-1.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1720"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6424"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6425"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6429"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6430"}],"database_specific":{"severity":"Critical"}}