Advisories » MGASA-2025-0201

Updated rootcerts, nss & firefox packages fix security vulnerabilities

Publication date: 02 Jul 2025
Modification date: 02 Jul 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-6424, CVE-2025-6425, CVE-2025-6429, CVE-2025-6430

Description

CVE-2025-6424: A use-after-free in FontFaceSet resulted in a potentially
exploitable crash.
CVE-2025-6425: An attacker who enumerated resources from the WebCompat
extension could have obtained a persistent UUID that identified the
browser, and persisted between containers and normal/private browsing
mode, but not profiles.
CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten
it to the youtube.com domain when parsing the URL specified in an embed
tag. This could have bypassed website security checks that restricted
which domains users were allowed to embed.
CVE-2025-6430: When a file download is specified via the
Content-Disposition header, that directive would be ignored if the file
was included via an <embed> or <object> tag, potentially making a website
vulnerable to a cross-site scripting attack.

We can't yet ship this update to the armv7hl architecture; we are
investigating the issue and will try to update firefox for armv7hl as soon as
possible.

SRPMS

9/core

  • firefox-128.12.0-1.1.mga9
  • firefox-l10n-128.12.0-1.1.mga9
  • rootcerts-20250613.00-1.mga9
  • nss-3.113.0-1.mga9
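
To check whether a Mageia 9 host still runs builds older than the ones listed above, the following added example (not part of the advisory or of Mageia's tooling) parses the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' firefox nss rootcerts`. It assumes the binary packages `firefox`, `nss` and `rootcerts` carry the same version-release as the SRPMS; the comparison is a simplified reimplementation of rpm's segment ordering, and the sample input is constructed.

```python
import re

# Fixed builds from this advisory (Mageia 9). Binary package names are assumed
# to match the SRPM names and to carry the same version-release.
FIXED = {
    "firefox": "128.12.0-1.1.mga9",
    "rootcerts": "20250613.00-1.mga9",
    "nss": "3.113.0-1.mga9",
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 (no epoch, '~' or '^' handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def evr_cmp(a, b):
    # Compare the version part first, then the release part.
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def outdated(rpm_query_output):
    """Return {package: installed version-release} for builds older than the fix."""
    stale = {}
    for line in rpm_query_output.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:  # e.g. "package nss is not installed"
            continue
        name, installed = parts
        if name in FIXED and evr_cmp(installed, FIXED[name]) < 0:
            stale[name] = installed
    return stale

# Constructed sample output, not taken from a real host.
SAMPLE = "firefox 128.11.0-1.mga9\nnss 3.113.0-1.mga9\nrootcerts 20250408.00-1.mga9\n"

if __name__ == "__main__":
    for pkg, ver in outdated(SAMPLE).items():
        print(f"{pkg}: {ver} is older than fixed build {FIXED[pkg]}")
```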