Updated rootcerts, nss & firefox packages fix security vulnerabilities
Publication date: 02 Jul 2025Modification date: 02 Jul 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-6424 , CVE-2025-6425 , CVE-2025-6429 , CVE-2025-6430
Description
CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially exploitable crash. CVE-2025-6425: An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. CVE-2025-6430: When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a
References
- https://bugs.mageia.org/show_bug.cgi?id=34393
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113.html
- https://www.mozilla.org/en-US/firefox/128.12.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6424
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6425
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6429
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6430
SRPMS
9/core
- firefox-128.12.0-1.1.mga9
- firefox-l10n-128.12.0-1.1.mga9
- rootcerts-20250613.00-1.mga9
- nss-3.113.0-1.mga9