Bug 10946

Summary: firefox/thunderbird new security issues fixed in 17.0.8
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, geiger.david68210, luigiwalser, sysadmin-bugs, tmb, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/562438/
Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok mga3-32-ok
Source RPM: firefox, thunderbird CVE:
Status comment:

Description Oden Eriksson 2013-08-07 09:48:14 CEST 
======================================================
Name: CVE-2013-1701
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1701
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=880734
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888107

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey
before 2.20 allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.



======================================================
Name: CVE-2013-1702
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1702
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=844088
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=854157
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=855331
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=858060
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=861530
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=862185
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=870200
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=874974
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=878703
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879139
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=893684

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers
to cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.



======================================================
Name: CVE-2013-1704
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1704
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-64.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=883313

Use-after-free vulnerability in the nsINode::GetParentNode function in
Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote
attackers to execute arbitrary code or cause a denial of service (heap
memory corruption and application crash) via vectors involving a DOM
modification at the time of a SetBody mutation event.



======================================================
Name: CVE-2013-1705
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1705
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-65.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=882865

Heap-based buffer underflow in the cryptojs_interpret_key_gen_type
function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20
allows remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted Certificate Request Message
Format (CRMF) request.



======================================================
Name: CVE-2013-1706
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1706
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-66.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888361

Stack-based buffer overflow in maintenanceservice.exe in the Mozilla
Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x
before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x
before 17.0.8 allows local users to gain privileges via a long
pathname on the command line.



======================================================
Name: CVE-2013-1707
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1707
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-66.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888314

Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox
before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before
17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to
gain privileges via a long pathname on the command line to the Mozilla
Maintenance Service.



======================================================
Name: CVE-2013-1708
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1708
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-67.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879924

Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote
attackers to cause a denial of service (application crash) via a
crafted WAV file that is not properly handled by the nsCString::CharAt
function.



======================================================
Name: CVE-2013-1709
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1709
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=848253

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8,
Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and
SeaMonkey before 2.20 do not properly handle the interaction between
FRAME elements and history, which allows remote attackers to conduct
cross-site scripting (XSS) attacks via vectors involving spoofing a
relative location in a previously visited document.



======================================================
Name: CVE-2013-1710
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1710
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=871368

The crypto.generateCRMFRequest function in Mozilla Firefox before
23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8,
Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows
remote attackers to execute arbitrary JavaScript code or conduct
cross-site scripting (XSS) attacks via vectors related to Certificate
Request Message Format (CRMF) request generation.



======================================================
Name: CVE-2013-1711
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1711
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-70.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=843829

The XrayWrapper implementation in Mozilla Firefox before 23.0 and
SeaMonkey before 2.20 does not properly address the possibility of an
XBL scope bypass resulting from non-native arguments in XBL function
calls, which makes it easier for remote attackers to conduct
cross-site scripting (XSS) attacks by leveraging access to an
unprivileged object.



======================================================
Name: CVE-2013-1712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1712
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-71.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=859072

Multiple untrusted search path vulnerabilities in updater.exe in
Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x
before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x
before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and
Windows Server 2012 allow local users to gain privileges via a Trojan
horse DLL in (1) the update directory or (2) the current working
directory.



======================================================
Name: CVE-2013-1713
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1713
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=887098

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8,
Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and
SeaMonkey before 2.20 use an incorrect URI within unspecified
comparisons during enforcement of the Same Origin Policy, which allows
remote attackers to conduct cross-site scripting (XSS) attacks or
install arbitrary add-ons via a crafted web site.



======================================================
Name: CVE-2013-1714
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1714
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879787

The Web Workers implementation in Mozilla Firefox before 23.0, Firefox
ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR
17.x before 17.0.8, and SeaMonkey before 2.20 does not properly
restrict XMLHttpRequest calls, which allows remote attackers to bypass
the Same Origin Policy and conduct cross-site scripting (XSS) attacks
via unspecified vectors.



======================================================
Name: CVE-2013-1715
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1715
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-74.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=883165

Multiple untrusted search path vulnerabilities in the (1) full
installer and (2) stub installer in Mozilla Firefox before 23.0 on
Windows allow local users to gain privileges via a Trojan horse DLL in
the default downloads directory.  NOTE: this issue exists because of an
incomplete fix for CVE-2012-4206.



======================================================
Name: CVE-2013-1717
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference:
CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-75.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=406541

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8,
Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and
SeaMonkey before 2.20 do not properly restrict local-filesystem access
by Java applets, which allows user-assisted remote attackers to read
arbitrary files by leveraging a download to a fixed pathname or other
predictable pathname.

Reproducible: 

Steps to Reproduce:
David Walser 2013-08-07 20:24:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/562438/
Version: 2 => 3
Summary: Multiple vulnerabilities in firefox/thunderbird => firefox/thunderbird new security issues fixed in 17.0.8
Whiteboard: (none) => MGA2TOO

David Walser 2013-08-07 20:24:53 CEST

Source RPM: firefox => firefox, thunderbird

Comment 2 David Walser 2013-08-09 15:31:41 CEST 
Note that nss and nspr also need to be updated:
https://rhn.redhat.com/errata/RHSA-2013-1144.html
Comment 3 Oden Eriksson 2013-08-09 15:58:50 CEST 
I think this was fixed earlier, at least here:

http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/(In reply to David Walser from comment #2)
> Note that nss and nspr also need to be updated:
> https://rhn.redhat.com/errata/RHSA-2013-1144.html

I think this was fixed earlier, at least here:

http://www.mandriva.com/en/support/security/advisories/advisory/MDVA-2013:001/
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/
Comment 4 David Walser 2013-08-11 16:37:29 CEST 
(In reply to Oden Eriksson from comment #3)
> I think this was fixed earlier, at least here:
> 
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:
> 050/(In reply to David Walser from comment #2)
> > Note that nss and nspr also need to be updated:
> > https://rhn.redhat.com/errata/RHSA-2013-1144.html
> 
> I think this was fixed earlier, at least here:
> 
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVA-2013:
> 001/
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:
> 050/

Yep, fixed in nss 3.14.3 in Bug 9141.

CC: (none) => luigiwalser

Comment 5 David Walser 2013-08-11 16:37:54 CEST 
I guess we can wait to push the new nspr and nss until ESR 24.
Comment 6 David Walser 2013-08-11 16:47:23 CEST 
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-1701).

Mozilla security researcher moz_bug_r_a4 reported that through an
interaction of frames and browser history it was possible to make
the browser believe attacker-supplied content came from the location
of a previous page in browser history. This allows for cross-site
scripting (XSS) attacks by loading scripts from a misrepresented
malicious site through relative locations and the potential access
of stored credentials of a spoofed site (CVE-2013-1709).

Mozilla security researcher moz_bug_r_a4 reported a mechanism to
execute arbitrary code or a cross-site scripting (XSS) attack when
Certificate Request Message Format (CRMF) request is generated in
certain circumstances (CVE-2013-1710).

Security researcher Cody Crews reported that some Javascript components
will perform checks against the wrong uniform resource identifier
(URI) before performing security sensitive actions. This will return
an incorrect location for the originator of the call. This could be
used to bypass same-origin policy, allowing for cross-site scripting
(XSS) or the installation of malicious add-ons from third-party pages
(CVE-2013-1713).

Mozilla community member Federico Lanusse reported a mechanism where
a web worker can violate same-origin policy and bypass cross-origin
checks through XMLHttpRequest. This could allow for cross-site
scripting (XSS) attacks by web workers (CVE-2013-1714).

Security researcher Georgi Guninski reported an issue with Java
applets where in some circumstances the applet could access files on
the local system when loaded using the a file:/// URI and violate file
origin policy due to interaction with the codebase parameter. This
affects applets running on the local file system. Mozilla developer
John Schoenick later discovered that fixes for this issue were
inadequate and allowed the invocation of Java applets to bypass
security checks in additional circumstances. This could lead to
untrusted Java applets having read-only access on the local files
system if used in conjunction with a method to download a file to a
known or guessable path (CVE-2013-1717).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717
http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
http://www.mozilla.org/security/announce/2013/mfsa2013-75.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:210/
========================

Source RPMs:
firefox-17.0.8-1.mga2.src.rpm
firefox-l10n-17.0.8-1.mga2.src.rpm
thunderbird-17.0.8-1.mga2.src.rpm
thunderbird-l10n-17.0.8-1.mga2.src.rpm
firefox-17.0.8-1.mga3.src.rpm
firefox-l10n-17.0.8-1.mga3.src.rpm
thunderbird-17.0.8-1.mga3.src.rpm
thunderbird-l10n-17.0.8-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 7 David Walser 2013-08-11 17:20:08 CEST 
Full package list:
firefox-17.0.8-1.mga2
firefox-devel-17.0.8-1.mga2
firefox-af-17.0.8-1.mga2
firefox-ar-17.0.8-1.mga2
firefox-ast-17.0.8-1.mga2
firefox-be-17.0.8-1.mga2
firefox-bg-17.0.8-1.mga2
firefox-bn_BD-17.0.8-1.mga2
firefox-bn_IN-17.0.8-1.mga2
firefox-br-17.0.8-1.mga2
firefox-bs-17.0.8-1.mga2
firefox-ca-17.0.8-1.mga2
firefox-cs-17.0.8-1.mga2
firefox-cy-17.0.8-1.mga2
firefox-da-17.0.8-1.mga2
firefox-de-17.0.8-1.mga2
firefox-el-17.0.8-1.mga2
firefox-en_GB-17.0.8-1.mga2
firefox-en_ZA-17.0.8-1.mga2
firefox-eo-17.0.8-1.mga2
firefox-es_AR-17.0.8-1.mga2
firefox-es_CL-17.0.8-1.mga2
firefox-es_ES-17.0.8-1.mga2
firefox-es_MX-17.0.8-1.mga2
firefox-et-17.0.8-1.mga2
firefox-eu-17.0.8-1.mga2
firefox-fa-17.0.8-1.mga2
firefox-fi-17.0.8-1.mga2
firefox-fr-17.0.8-1.mga2
firefox-fy-17.0.8-1.mga2
firefox-ga_IE-17.0.8-1.mga2
firefox-gd-17.0.8-1.mga2
firefox-gl-17.0.8-1.mga2
firefox-gu_IN-17.0.8-1.mga2
firefox-he-17.0.8-1.mga2
firefox-hi-17.0.8-1.mga2
firefox-hr-17.0.8-1.mga2
firefox-hu-17.0.8-1.mga2
firefox-hy-17.0.8-1.mga2
firefox-id-17.0.8-1.mga2
firefox-is-17.0.8-1.mga2
firefox-it-17.0.8-1.mga2
firefox-ja-17.0.8-1.mga2
firefox-kk-17.0.8-1.mga2
firefox-kn-17.0.8-1.mga2
firefox-ko-17.0.8-1.mga2
firefox-ku-17.0.8-1.mga2
firefox-lg-17.0.8-1.mga2
firefox-lt-17.0.8-1.mga2
firefox-lv-17.0.8-1.mga2
firefox-mai-17.0.8-1.mga2
firefox-mk-17.0.8-1.mga2
firefox-ml-17.0.8-1.mga2
firefox-mr-17.0.8-1.mga2
firefox-nb_NO-17.0.8-1.mga2
firefox-nl-17.0.8-1.mga2
firefox-nn_NO-17.0.8-1.mga2
firefox-nso-17.0.8-1.mga2
firefox-or-17.0.8-1.mga2
firefox-pa_IN-17.0.8-1.mga2
firefox-pl-17.0.8-1.mga2
firefox-pt_BR-17.0.8-1.mga2
firefox-pt_PT-17.0.8-1.mga2
firefox-ro-17.0.8-1.mga2
firefox-ru-17.0.8-1.mga2
firefox-si-17.0.8-1.mga2
firefox-sk-17.0.8-1.mga2
firefox-sl-17.0.8-1.mga2
firefox-sq-17.0.8-1.mga2
firefox-sr-17.0.8-1.mga2
firefox-sv_SE-17.0.8-1.mga2
firefox-ta-17.0.8-1.mga2
firefox-ta_LK-17.0.8-1.mga2
firefox-te-17.0.8-1.mga2
firefox-th-17.0.8-1.mga2
firefox-tr-17.0.8-1.mga2
firefox-uk-17.0.8-1.mga2
firefox-vi-17.0.8-1.mga2
firefox-zh_CN-17.0.8-1.mga2
firefox-zh_TW-17.0.8-1.mga2
firefox-zu-17.0.8-1.mga2
thunderbird-17.0.8-1.mga2
thunderbird-enigmail-17.0.8-1.mga2
nsinstall-17.0.8-1.mga2
thunderbird-ar-17.0.8-1.mga2
thunderbird-ast-17.0.8-1.mga2
thunderbird-be-17.0.8-1.mga2
thunderbird-bg-17.0.8-1.mga2
thunderbird-bn_BD-17.0.8-1.mga2
thunderbird-br-17.0.8-1.mga2
thunderbird-ca-17.0.8-1.mga2
thunderbird-cs-17.0.8-1.mga2
thunderbird-da-17.0.8-1.mga2
thunderbird-de-17.0.8-1.mga2
thunderbird-el-17.0.8-1.mga2
thunderbird-en_GB-17.0.8-1.mga2
thunderbird-es_AR-17.0.8-1.mga2
thunderbird-es_ES-17.0.8-1.mga2
thunderbird-et-17.0.8-1.mga2
thunderbird-eu-17.0.8-1.mga2
thunderbird-fi-17.0.8-1.mga2
thunderbird-fr-17.0.8-1.mga2
thunderbird-fy-17.0.8-1.mga2
thunderbird-ga-17.0.8-1.mga2
thunderbird-gd-17.0.8-1.mga2
thunderbird-gl-17.0.8-1.mga2
thunderbird-he-17.0.8-1.mga2
thunderbird-hu-17.0.8-1.mga2
thunderbird-id-17.0.8-1.mga2
thunderbird-is-17.0.8-1.mga2
thunderbird-it-17.0.8-1.mga2
thunderbird-ja-17.0.8-1.mga2
thunderbird-ko-17.0.8-1.mga2
thunderbird-lt-17.0.8-1.mga2
thunderbird-nb_NO-17.0.8-1.mga2
thunderbird-nl-17.0.8-1.mga2
thunderbird-nn_NO-17.0.8-1.mga2
thunderbird-pa_IN-17.0.8-1.mga2
thunderbird-pl-17.0.8-1.mga2
thunderbird-pt_BR-17.0.8-1.mga2
thunderbird-pt_PT-17.0.8-1.mga2
thunderbird-ro-17.0.8-1.mga2
thunderbird-ru-17.0.8-1.mga2
thunderbird-si-17.0.8-1.mga2
thunderbird-sk-17.0.8-1.mga2
thunderbird-sl-17.0.8-1.mga2
thunderbird-sq-17.0.8-1.mga2
thunderbird-sv_SE-17.0.8-1.mga2
thunderbird-ta_LK-17.0.8-1.mga2
thunderbird-tr-17.0.8-1.mga2
thunderbird-uk-17.0.8-1.mga2
thunderbird-vi-17.0.8-1.mga2
thunderbird-zh_CN-17.0.8-1.mga2
thunderbird-zh_TW-17.0.8-1.mga2
firefox-17.0.8-1.mga3
firefox-devel-17.0.8-1.mga3
firefox-af-17.0.8-1.mga3
firefox-ar-17.0.8-1.mga3
firefox-ast-17.0.8-1.mga3
firefox-be-17.0.8-1.mga3
firefox-bg-17.0.8-1.mga3
firefox-bn_BD-17.0.8-1.mga3
firefox-bn_IN-17.0.8-1.mga3
firefox-br-17.0.8-1.mga3
firefox-bs-17.0.8-1.mga3
firefox-ca-17.0.8-1.mga3
firefox-cs-17.0.8-1.mga3
firefox-cy-17.0.8-1.mga3
firefox-da-17.0.8-1.mga3
firefox-de-17.0.8-1.mga3
firefox-el-17.0.8-1.mga3
firefox-en_GB-17.0.8-1.mga3
firefox-en_ZA-17.0.8-1.mga3
firefox-eo-17.0.8-1.mga3
firefox-es_AR-17.0.8-1.mga3
firefox-es_CL-17.0.8-1.mga3
firefox-es_ES-17.0.8-1.mga3
firefox-es_MX-17.0.8-1.mga3
firefox-et-17.0.8-1.mga3
firefox-eu-17.0.8-1.mga3
firefox-fa-17.0.8-1.mga3
firefox-fi-17.0.8-1.mga3
firefox-fr-17.0.8-1.mga3
firefox-fy-17.0.8-1.mga3
firefox-ga_IE-17.0.8-1.mga3
firefox-gd-17.0.8-1.mga3
firefox-gl-17.0.8-1.mga3
firefox-gu_IN-17.0.8-1.mga3
firefox-he-17.0.8-1.mga3
firefox-hi-17.0.8-1.mga3
firefox-hr-17.0.8-1.mga3
firefox-hu-17.0.8-1.mga3
firefox-hy-17.0.8-1.mga3
firefox-id-17.0.8-1.mga3
firefox-is-17.0.8-1.mga3
firefox-it-17.0.8-1.mga3
firefox-ja-17.0.8-1.mga3
firefox-kk-17.0.8-1.mga3
firefox-kn-17.0.8-1.mga3
firefox-ko-17.0.8-1.mga3
firefox-ku-17.0.8-1.mga3
firefox-lg-17.0.8-1.mga3
firefox-lt-17.0.8-1.mga3
firefox-lv-17.0.8-1.mga3
firefox-mai-17.0.8-1.mga3
firefox-mk-17.0.8-1.mga3
firefox-ml-17.0.8-1.mga3
firefox-mr-17.0.8-1.mga3
firefox-nb_NO-17.0.8-1.mga3
firefox-nl-17.0.8-1.mga3
firefox-nn_NO-17.0.8-1.mga3
firefox-nso-17.0.8-1.mga3
firefox-or-17.0.8-1.mga3
firefox-pa_IN-17.0.8-1.mga3
firefox-pl-17.0.8-1.mga3
firefox-pt_BR-17.0.8-1.mga3
firefox-pt_PT-17.0.8-1.mga3
firefox-ro-17.0.8-1.mga3
firefox-ru-17.0.8-1.mga3
firefox-si-17.0.8-1.mga3
firefox-sk-17.0.8-1.mga3
firefox-sl-17.0.8-1.mga3
firefox-sq-17.0.8-1.mga3
firefox-sr-17.0.8-1.mga3
firefox-sv_SE-17.0.8-1.mga3
firefox-ta-17.0.8-1.mga3
firefox-ta_LK-17.0.8-1.mga3
firefox-te-17.0.8-1.mga3
firefox-th-17.0.8-1.mga3
firefox-tr-17.0.8-1.mga3
firefox-uk-17.0.8-1.mga3
firefox-vi-17.0.8-1.mga3
firefox-zh_CN-17.0.8-1.mga3
firefox-zh_TW-17.0.8-1.mga3
firefox-zu-17.0.8-1.mga3
thunderbird-17.0.8-1.mga3
thunderbird-enigmail-17.0.8-1.mga3
nsinstall-17.0.8-1.mga3
thunderbird-ar-17.0.8-1.mga3
thunderbird-ast-17.0.8-1.mga3
thunderbird-be-17.0.8-1.mga3
thunderbird-bg-17.0.8-1.mga3
thunderbird-bn_BD-17.0.8-1.mga3
thunderbird-br-17.0.8-1.mga3
thunderbird-ca-17.0.8-1.mga3
thunderbird-cs-17.0.8-1.mga3
thunderbird-da-17.0.8-1.mga3
thunderbird-de-17.0.8-1.mga3
thunderbird-el-17.0.8-1.mga3
thunderbird-en_GB-17.0.8-1.mga3
thunderbird-es_AR-17.0.8-1.mga3
thunderbird-es_ES-17.0.8-1.mga3
thunderbird-et-17.0.8-1.mga3
thunderbird-eu-17.0.8-1.mga3
thunderbird-fi-17.0.8-1.mga3
thunderbird-fr-17.0.8-1.mga3
thunderbird-fy-17.0.8-1.mga3
thunderbird-ga-17.0.8-1.mga3
thunderbird-gd-17.0.8-1.mga3
thunderbird-gl-17.0.8-1.mga3
thunderbird-he-17.0.8-1.mga3
thunderbird-hu-17.0.8-1.mga3
thunderbird-id-17.0.8-1.mga3
thunderbird-is-17.0.8-1.mga3
thunderbird-it-17.0.8-1.mga3
thunderbird-ja-17.0.8-1.mga3
thunderbird-ko-17.0.8-1.mga3
thunderbird-lt-17.0.8-1.mga3
thunderbird-nb_NO-17.0.8-1.mga3
thunderbird-nl-17.0.8-1.mga3
thunderbird-nn_NO-17.0.8-1.mga3
thunderbird-pa_IN-17.0.8-1.mga3
thunderbird-pl-17.0.8-1.mga3
thunderbird-pt_BR-17.0.8-1.mga3
thunderbird-pt_PT-17.0.8-1.mga3
thunderbird-ro-17.0.8-1.mga3
thunderbird-ru-17.0.8-1.mga3
thunderbird-si-17.0.8-1.mga3
thunderbird-sk-17.0.8-1.mga3
thunderbird-sl-17.0.8-1.mga3
thunderbird-sq-17.0.8-1.mga3
thunderbird-sv_SE-17.0.8-1.mga3
thunderbird-ta_LK-17.0.8-1.mga3
thunderbird-tr-17.0.8-1.mga3
thunderbird-uk-17.0.8-1.mga3
thunderbird-vi-17.0.8-1.mga3
thunderbird-zh_CN-17.0.8-1.mga3
thunderbird-zh_TW-17.0.8-1.mga3
Comment 8 Bill Wilkinson 2013-08-11 20:13:06 CEST 
A quick perusal of securityfocus did not show working PoC for bugs.

Tested mga3-64.  

Firefox:
general browsing, sunspider javascript testing, javatester.org test working java, youtube to test flash. All OK

Thunderbird:

send/recieve/move/delete messages on IMAP servers. All OK.

CC: (none) => wrw105
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok

Comment 9 David GEIGER 2013-08-11 20:18:03 CEST 
Testing complete for firefox 17.0.8-1 mga3_32, Ok for me nothing to report.


Testing complete for firefox 17.0.8-1 mga3_64, Ok for me nothing to report, too.


-firefox-17.0.8-1.mga3
-firefox-fr-17.0.8-1.mga3

CC: (none) => geiger.david68210

Comment 10 claire robinson 2013-08-11 21:02:40 CEST 
Testing complete mga2 32

Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok

Comment 11 claire robinson 2013-08-11 21:06:03 CEST 
Oops thunderbird wasn't tested mga2 64 yet

Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok => MGA2TOO mga3-64-ok mga2-32-ok

David Walser 2013-08-11 21:59:17 CEST

Severity: normal => critical

Comment 12 Dave Hodgins 2013-08-12 01:31:53 CEST 
Advisory 10946.adv uploaded to svn. Testing shortly.

CC: (none) => davidwhodgins

Comment 13 Dave Hodgins 2013-08-12 02:45:14 CEST 
Having trouble with thunderbird-enigmail. Trying to send a signed, encrypted
message is returning
Send operation aborted.
Error - encryption command failed

This is on Mageia 2 i586.

As shown below, using gpg to sign/encrypt a file using the same keys,
is working, so the keys are there and marked as trusted.  I also have
the idea plugin installed, and have "load-extension idea" in gpg.conf.

[dave@i2v ~]$ gpg -sea -r 98B013E0 -r i2vqatest -r x2vqatest msg

You need a passphrase to unlock the secret key for
user: "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
4096-bit RSA key, ID 838ED2F8, created 2013-08-02

[dave@i2v ~]$ gpg msg.asc

You need a passphrase to unlock the secret key for
user: "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
4096-bit RSA key, ID FCFECCEB, created 2013-08-02 (main key ID 838ED2F8)

gpg: encrypted with 1024-bit ELG-E key, ID 97F8A432, created 2013-08-02
      "x2vqatest <dave@x2v.hodgins.homeip.net>"
gpg: encrypted with 4096-bit ELG-E key, ID A3B12EFE, created 1998-03-20
      "David W. Hodgins <davidwhodgins@gmail.com>"
gpg: encrypted with 4096-bit RSA key, ID FCFECCEB, created 2013-08-02
      "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
File `msg' exists. Overwrite? (y/N) y
gpg: Signature made Sun 11 Aug 2013 08:40:18 PM EDT using RSA key ID 838ED2F8
gpg: Good signature from "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>

I'll revert to the prior version, to see if this is a regression.
Comment 14 Dave Hodgins 2013-08-12 02:48:41 CEST 
Not a regression. I'll debug/file a bug report for it later.
Comment 15 Dave Hodgins 2013-08-12 03:16:13 CEST 
Testing complete on Mageia 2 and 3, i586 and x86_64.

Enigmail is only failing on Mageia 2 i586. On the others, it's working.

Could someone from the sysadmin team push 10946.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok => MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 16 Dave Hodgins 2013-08-12 03:28:16 CEST 
Just fyi, figured out the problem with enigmail on i2 (Mageia 2 i586).
Had the wrong key selected as the default, for the account, so it
couldn't find the secret key, when trying to sign.
Comment 17 Thomas Backlund 2013-08-12 15:55:37 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0248.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 18 David GEIGER 2013-08-12 18:28:35 CEST 
The update was only pushed for mga2 but not for mga3.
Comment 19 Thomas Backlund 2013-08-12 18:37:06 CEST 
gah, me screwed up again :/

now fixed