Summary:
firefox security update
Severity: Critical
Advisory ID: KylinSec-SA-2025-2690
Release date: 11 September 2025
Related CVEs: CVE-2025-6429 CVE-2025-6424 CVE-2025-6425 CVE-2025-6430
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.
Security Fix(es):
A vulnerability was found in Mozilla Firefox up to 139 (Web Browser). It has been rated as critical. Using CWE to declare the problem leads to CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Confidentiality, integrity, and availability are impacted. Upgrading to version 140 eliminates this vulnerability. (CVE-2025-6424)
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. (CVE-2025-6425)
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6429)
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6430)
CVE | Product | Component | Status |
---|---|---|---|
CVE-2025-6429 | V6 | firefox | Fixed |
CVE-2025-6424 | V6 | firefox | Fixed |
CVE-2025-6425 | V6 | firefox | Fixed |
CVE-2025-6430 | V6 | firefox | Fixed |
Package | Architecture | Version |
---|---|---|
firefox | x86_64 | 128.13.0-1.ks6.kb1 |
firefox | aarch64 | 128.13.0-1.ks6.kb1 |
Method 1: download the package and upgrade from it
1. Download the required upgrade package via the download link and save it, e.g. xxx.rpm
2. Upgrade with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: upgrade from the software repository
1. Make sure the system can reach the Internet
2. Upgrade the specified package with the yum command, e.g. yum install <package name>
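As an added example (not part of the KylinSec advisory), a POSIX shell check that compares the installed firefox package against the fixed build 128.13.0-1.ks6.kb1 listed above, so an administrator can tell which hosts still need the rpm or yum upgrade; the rpm query is an assumption about the host and is skipped when rpm is absent:

```shell
#!/bin/sh
# Fixed package version taken from the advisory's package table.
FIXED_VERSION="128.13.0-1.ks6.kb1"

# Return 0 if $1 (installed version-release) is strictly older than $2
# (fixed version-release). The upstream version (before '-') is compared
# numerically field by field; on a tie, the leading numeric part of the
# release tag (the 1 in 1.ks6.kb1) decides. A missing release counts as 0.
fx_older_than() {
    inst=$1; fixed=$2
    inst_v=${inst%%-*}; fixed_v=${fixed%%-*}
    case $inst in *-*) inst_r=${inst#*-};; *) inst_r=0;; esac
    case $fixed in *-*) fixed_r=${fixed#*-};; *) fixed_r=0;; esac
    inst_rn=${inst_r%%.*}; fixed_rn=${fixed_r%%.*}
    old_ifs=$IFS; IFS=.
    set -- $inst_v;  a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $fixed_v; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$inst_rn $fixed_rn"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1   # identical version and release: already at the fixed build
}

# Query the installed firefox package (if rpm exists) and report whether
# the advisory's upgrade (rpm -Uvh / yum install firefox) is still needed.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping host check"; return 0; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' firefox 2>/dev/null) \
        || { echo "firefox is not installed on this host"; return 0; }
    if fx_older_than "$inst" "$FIXED_VERSION"; then
        echo "firefox $inst is older than $FIXED_VERSION: upgrade required"
    else
        echo "firefox $inst is at or above $FIXED_VERSION: no action needed"
    fi
}

check_installed
```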