ALASFIREFOX-2024-033


Amazon Linux 2 Security Advisory: ALASFIREFOX-2024-033
Advisory Release Date: 2024-12-05 01:00 Pacific
Advisory Updated Date: 2024-12-19 14:30 Pacific
Severity: Medium

Issue Overview:

Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP `frame-src` bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, and Thunderbird < 128.5. (CVE-2024-11694)


Affected Packages:

firefox


Note:

This advisory applies to the Amazon Linux 2 Firefox Extra, not to the AL2 Core repository. See the Amazon Linux 2 (AL2) Extras documentation for how Extras topics work, and the FAQ section on the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update firefox to update your system.

New Packages:
aarch64:
    firefox-115.18.0-1.amzn2.0.1.aarch64
    firefox-debuginfo-115.18.0-1.amzn2.0.1.aarch64

src:
    firefox-115.18.0-1.amzn2.0.1.src

x86_64:
    firefox-115.18.0-1.amzn2.0.1.x86_64
    firefox-debuginfo-115.18.0-1.amzn2.0.1.x86_64
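
One way to confirm that the correction has actually landed on a host, as an added shell example that is not part of this advisory: it compares an installed firefox version-release string against the fixed build listed under New Packages, and, when run with CHECK_HOST=1 on an AL2 machine, queries rpm for the package that is really installed. The function and variable names (firefox_vr_is_fixed, check_host, FIXED_VR, CHECK_HOST) are this example's own, and the version strings passed in below are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of ALASFIREFOX-2024-033: decide whether an installed
# firefox package on Amazon Linux 2 already carries the fix for CVE-2024-11694.
# FIXED_VR is the VERSION-RELEASE of the corrected build from the advisory's
# "New Packages" list (firefox-115.18.0-1.amzn2.0.1).

FIXED_VR="115.18.0-1.amzn2.0.1"

# firefox_vr_is_fixed VERSION-RELEASE
# Returns 0 when VERSION-RELEASE is at least the fixed build, 1 when it is older.
# GNU "sort -V" (present on AL2) gives version-aware ordering, so 115.18.0 sorts
# after 115.9.0 even though "9" is greater than "1" as a character, and a shorter
# release such as 1.amzn2 sorts before 1.amzn2.0.1.
firefox_vr_is_fixed() {
    installed="$1"
    oldest=$(printf '%s\n%s\n' "$installed" "$FIXED_VR" | sort -V | head -n 1)
    # If the fixed build is the oldest of the pair, the installed one is >= it.
    [ "$oldest" = "$FIXED_VR" ]
}

# check_host: ask rpm for the installed firefox package and report.
# Exit status: 0 fixed, 1 vulnerable, 2 not applicable (no rpm or no firefox).
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping host check"
        return 2
    fi
    if ! vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' firefox 2>/dev/null); then
        echo "firefox is not installed; ALASFIREFOX-2024-033 does not apply"
        return 2
    fi
    # rpm -q may list several lines if more than one build is installed; the
    # first is enough for a yes/no answer, since yum update replaces them all.
    vr=$(printf '%s\n' "$vr" | head -n 1)
    if firefox_vr_is_fixed "$vr"; then
        echo "firefox-$vr: fixed (>= $FIXED_VR)"
        return 0
    fi
    echo "firefox-$vr: VULNERABLE to CVE-2024-11694; run: yum update firefox"
    return 1
}

# Only touch the host when explicitly asked, so the functions above can be
# sourced and exercised with constructed inputs on any machine.
if [ "${CHECK_HOST:-0}" = "1" ]; then
    check_host
fi
```

Run it as `CHECK_HOST=1 sh check_firefox.sh` on the AL2 host; a non-zero exit status of 1 means the package predates the fixed build. If `yum update firefox` reports nothing to do while the check still says vulnerable, the firefox Extras topic is probably not enabled on that host; `amazon-linux-extras list` shows which topics are enabled.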