ALAS2023-2025-1055


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1055
Advisory Released Date: 2025-07-10
Advisory Updated Date: 2025-07-10
Severity: Important

Issue Overview:

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. (CVE-2025-6424)

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. (CVE-2025-6425)

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6429)

When a file download was specified via the Content-Disposition header, that directive would be ignored if the file was included via an <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)


Affected Packages:

firefox


Issue Correction:
Run dnf update firefox --releasever 2023.8.20250707 to update your system.

New Packages:
aarch64:
    firefox-debuginfo-128.12.0-1.amzn2023.0.1.aarch64
    firefox-128.12.0-1.amzn2023.0.1.aarch64
    firefox-debugsource-128.12.0-1.amzn2023.0.1.aarch64

src:
    firefox-128.12.0-1.amzn2023.0.1.src

x86_64:
    firefox-debuginfo-128.12.0-1.amzn2023.0.1.x86_64
    firefox-128.12.0-1.amzn2023.0.1.x86_64
    firefox-debugsource-128.12.0-1.amzn2023.0.1.x86_64