| Summary: | Firefox and Thunderbird 24.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, dmorganec, fundawang, mageia, oe, sysadmin-bugs, tmb, wrw105 |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/576583/ | | |
| Whiteboard: | mga3-64-ok mga3-32-ok advisory | | |
| Source RPM: | firefox, thunderbird, rootcerts, nss, thunderbird-lightning | CVE: | |
| Status comment: | | | |

Description
David Walser
2013-12-10 22:19:22 CET
David Walser
2013-12-10 22:19:35 CET
CC:
(none) =>
fundawang

rootcerts and nss packages are built (solving MFSA 2013-117), as are firefox and firefox-l10n. Now we just need thunderbird and thunderbird-l10n.

Packages built so far:

rootcerts-20131204.00-1.mga3 rootcerts-java-20131204.00-1.mga3 nss-3.15.3.1-1.mga3 nss-doc-3.15.3.1-1.mga3 libnss3-3.15.3.1-1.mga3 libnss-devel-3.15.3.1-1.mga3 libnss-static-devel-3.15.3.1-1.mga3 firefox-24.2.0-1.mga3 firefox-devel-24.2.0-1.mga3 firefox-af-24.2.0-1.mga3 firefox-ar-24.2.0-1.mga3 firefox-as-24.2.0-1.mga3 firefox-ast-24.2.0-1.mga3 firefox-be-24.2.0-1.mga3 firefox-bg-24.2.0-1.mga3 firefox-bn_IN-24.2.0-1.mga3 firefox-bn_BD-24.2.0-1.mga3 firefox-br-24.2.0-1.mga3 firefox-bs-24.2.0-1.mga3 firefox-ca-24.2.0-1.mga3 firefox-cs-24.2.0-1.mga3 firefox-csb-24.2.0-1.mga3 firefox-cy-24.2.0-1.mga3 firefox-da-24.2.0-1.mga3 firefox-de-24.2.0-1.mga3 firefox-el-24.2.0-1.mga3 firefox-en_GB-24.2.0-1.mga3 firefox-en_ZA-24.2.0-1.mga3 firefox-eo-24.2.0-1.mga3 firefox-es_AR-24.2.0-1.mga3 firefox-es_CL-24.2.0-1.mga3 firefox-es_ES-24.2.0-1.mga3 firefox-es_MX-24.2.0-1.mga3 firefox-et-24.2.0-1.mga3 firefox-eu-24.2.0-1.mga3 firefox-fa-24.2.0-1.mga3 firefox-ff-24.2.0-1.mga3 firefox-fi-24.2.0-1.mga3 firefox-fr-24.2.0-1.mga3 firefox-fy-24.2.0-1.mga3 firefox-ga_IE-24.2.0-1.mga3 firefox-gd-24.2.0-1.mga3 firefox-gl-24.2.0-1.mga3 firefox-gu_IN-24.2.0-1.mga3 firefox-he-24.2.0-1.mga3 firefox-hi-24.2.0-1.mga3 firefox-hr-24.2.0-1.mga3 firefox-hu-24.2.0-1.mga3 firefox-hy-24.2.0-1.mga3 firefox-id-24.2.0-1.mga3 firefox-is-24.2.0-1.mga3 firefox-it-24.2.0-1.mga3 firefox-ja-24.2.0-1.mga3 firefox-kk-24.2.0-1.mga3 firefox-ko-24.2.0-1.mga3 firefox-km-24.2.0-1.mga3 firefox-kn-24.2.0-1.mga3 firefox-ku-24.2.0-1.mga3 firefox-lg-24.2.0-1.mga3 firefox-lij-24.2.0-1.mga3 firefox-lt-24.2.0-1.mga3 firefox-lv-24.2.0-1.mga3 firefox-mai-24.2.0-1.mga3 firefox-mk-24.2.0-1.mga3 firefox-ml-24.2.0-1.mga3 firefox-mr-24.2.0-1.mga3 firefox-nb_NO-24.2.0-1.mga3 firefox-nl-24.2.0-1.mga3 firefox-nn_NO-24.2.0-1.mga3 firefox-nso-24.2.0-1.mga3 firefox-or-24.2.0-1.mga3 firefox-pa_IN-24.2.0-1.mga3 firefox-pl-24.2.0-1.mga3 firefox-pt_BR-24.2.0-1.mga3 firefox-pt_PT-24.2.0-1.mga3 firefox-ro-24.2.0-1.mga3 firefox-ru-24.2.0-1.mga3 firefox-si-24.2.0-1.mga3 firefox-sk-24.2.0-1.mga3 firefox-sl-24.2.0-1.mga3 firefox-sq-24.2.0-1.mga3 firefox-sr-24.2.0-1.mga3 firefox-sv_SE-24.2.0-1.mga3 firefox-ta-24.2.0-1.mga3 firefox-ta_LK-24.2.0-1.mga3 firefox-te-24.2.0-1.mga3 firefox-th-24.2.0-1.mga3 firefox-tr-24.2.0-1.mga3 firefox-uk-24.2.0-1.mga3 firefox-vi-24.2.0-1.mga3 firefox-zh_CN-24.2.0-1.mga3 firefox-zh_TW-24.2.0-1.mga3 firefox-zu-24.2.0-1.mga3

from SRPMS:

rootcerts-20131204.00-1.mga3.src.rpm nss-3.15.3.1-1.mga3.src.rpm firefox-24.2.0-1.mga3.src.rpm firefox-l10n-24.2.0-1.mga3.src.rpm

rootcerts and nss were also pushed in Cauldron, but firefox still needs to be.

RedHat has issued an advisory for this today (December 11): https://rhn.redhat.com/errata/RHSA-2013-1812.html
David Walser
2013-12-11 21:08:12 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/576583/

RedHat reference for Thunderbird also: https://rhn.redhat.com/errata/RHSA-2013-1823.html
Dave Hodgins
2013-12-12 22:36:35 CET
Blocks:
(none) =>
11726

thunderbird-24.2.0-1.mga3 + thunderbird-l10n-24.2.0-1.mga3 was just submitted.

CC:
(none) =>
oe

ff + tb 24.2.0 has been committed to subversion for cauldron. Needs someone to submit these.

Thanks Oden. CC'ing Olivier Blin, because we'll also need thunderbird-lightning 2.6.4 to go along with the Thunderbird update.

CC:
(none) =>
mageia

Thunderbird packages built so far:

thunderbird-24.2.0-1.mga3 thunderbird-enigmail-24.2.0-1.mga3 nsinstall-24.2.0-1.mga3 thunderbird-ar-24.2.0-1.mga3 thunderbird-ast-24.2.0-1.mga3 thunderbird-be-24.2.0-1.mga3 thunderbird-bg-24.2.0-1.mga3 thunderbird-bn_BD-24.2.0-1.mga3 thunderbird-br-24.2.0-1.mga3 thunderbird-ca-24.2.0-1.mga3 thunderbird-cs-24.2.0-1.mga3 thunderbird-da-24.2.0-1.mga3 thunderbird-de-24.2.0-1.mga3 thunderbird-el-24.2.0-1.mga3 thunderbird-en_GB-24.2.0-1.mga3 thunderbird-es_AR-24.2.0-1.mga3 thunderbird-es_ES-24.2.0-1.mga3 thunderbird-et-24.2.0-1.mga3 thunderbird-eu-24.2.0-1.mga3 thunderbird-fi-24.2.0-1.mga3 thunderbird-fr-24.2.0-1.mga3 thunderbird-fy-24.2.0-1.mga3 thunderbird-ga-24.2.0-1.mga3 thunderbird-gd-24.2.0-1.mga3 thunderbird-gl-24.2.0-1.mga3 thunderbird-he-24.2.0-1.mga3 thunderbird-hr-24.2.0-1.mga3 thunderbird-hu-24.2.0-1.mga3 thunderbird-hy-24.2.0-1.mga3 thunderbird-id-24.2.0-1.mga3 thunderbird-is-24.2.0-1.mga3 thunderbird-it-24.2.0-1.mga3 thunderbird-ja-24.2.0-1.mga3 thunderbird-ko-24.2.0-1.mga3 thunderbird-lt-24.2.0-1.mga3 thunderbird-nb_NO-24.2.0-1.mga3 thunderbird-nl-24.2.0-1.mga3 thunderbird-nn_NO-24.2.0-1.mga3 thunderbird-pl-24.2.0-1.mga3 thunderbird-pa_IN-24.2.0-1.mga3 thunderbird-pt_BR-24.2.0-1.mga3 thunderbird-pt_PT-24.2.0-1.mga3 thunderbird-ro-24.2.0-1.mga3 thunderbird-ru-24.2.0-1.mga3 thunderbird-si-24.2.0-1.mga3 thunderbird-sk-24.2.0-1.mga3 thunderbird-sl-24.2.0-1.mga3 thunderbird-sq-24.2.0-1.mga3 thunderbird-sv_SE-24.2.0-1.mga3 thunderbird-ta_LK-24.2.0-1.mga3 thunderbird-tr-24.2.0-1.mga3 thunderbird-uk-24.2.0-1.mga3 thunderbird-vi-24.2.0-1.mga3 thunderbird-zh_CN-24.2.0-1.mga3 thunderbird-zh_TW-24.2.0-1.mga3

from SRPMS:

thunderbird-24.2.0-1.mga3.src.rpm thunderbird-l10n-24.2.0-1.mga3.src.rpm

RedHat has issued an advisory for the rootcerts update on December 19:
https://rhn.redhat.com/errata/RHSA-2013-1861.html

from http://lwn.net/Vulnerabilities/577884/

(In reply to David Walser from comment #9)
> RedHat has issued an advisory for the rootcerts update on December 19:
> https://rhn.redhat.com/errata/RHSA-2013-1861.html
>
> from http://lwn.net/Vulnerabilities/577884/

This seems to have been fixed with rootcerts-20131204.00-1.mga3.src.rpm + nss-3.15.3.1-1.mga3.src.rpm in mga3 updates_testing. And fixed in cauldron.

Look for Distrust "Distrusted AC DG Tresor SSL" in the certdata-20131204.00.txt file.

https://hg.mozilla.org/projects/nss/rev/5a7944776645

But, cauldron also has ca-certificates and its status unknown to me.

(In reply to Oden Eriksson from comment #10)
> But, cauldron also has ca-certificates and its status unknown to me.

Yes, this issue is unfixed in that package and it needs to be updated and synced with Fedora. It is only currently required by java-1.8.0-openjdk, so it doesn't affect anything important.

CC:
(none) =>
dmorganec

Updated packages uploaded for Mageia 3 and Cauldron.

Advisory:

========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox or Thunderbird (CVE-2013-5609, CVE-2013-5616, CVE-2013-5618, CVE-2013-6671, CVE-2013-5613).

It was found that a subordinate Certificate Authority (CA) mis-issued an intermediate certificate, which could be used to conduct man-in-the-middle attacks. This update renders that particular intermediate certificate as untrusted (MFSA 2013-117).

The rootcerts and nss packages have been updated to fix the MFSA 2013-117 issue.

The thunderbird-lightning package has been updated to a version that is compatible with the updated thunderbird.

References:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5609
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5613
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5616
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5618
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6671
- http://www.mozilla.org/security/announce/2013/mfsa2013-104.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-108.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-109.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-111.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-114.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
- http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
- https://rhn.redhat.com/errata/RHSA-2013-1812.html
- https://rhn.redhat.com/errata/RHSA-2013-1823.html
- https://rhn.redhat.com/errata/RHSA-2013-1861.html

========================

Updated packages in core/updates_testing:

========================

rootcerts-20131204.00-1.mga3 rootcerts-java-20131204.00-1.mga3 nss-3.15.3.1-1.mga3 nss-doc-3.15.3.1-1.mga3 libnss3-3.15.3.1-1.mga3 libnss-devel-3.15.3.1-1.mga3 libnss-static-devel-3.15.3.1-1.mga3 firefox-24.2.0-1.mga3 firefox-devel-24.2.0-1.mga3 firefox-af-24.2.0-1.mga3 firefox-ar-24.2.0-1.mga3 firefox-as-24.2.0-1.mga3 firefox-ast-24.2.0-1.mga3 firefox-be-24.2.0-1.mga3 firefox-bg-24.2.0-1.mga3 firefox-bn_IN-24.2.0-1.mga3 firefox-bn_BD-24.2.0-1.mga3 firefox-br-24.2.0-1.mga3 firefox-bs-24.2.0-1.mga3 firefox-ca-24.2.0-1.mga3 firefox-cs-24.2.0-1.mga3 firefox-csb-24.2.0-1.mga3 firefox-cy-24.2.0-1.mga3 firefox-da-24.2.0-1.mga3 firefox-de-24.2.0-1.mga3 firefox-el-24.2.0-1.mga3 firefox-en_GB-24.2.0-1.mga3 firefox-en_ZA-24.2.0-1.mga3 firefox-eo-24.2.0-1.mga3 firefox-es_AR-24.2.0-1.mga3 firefox-es_CL-24.2.0-1.mga3 firefox-es_ES-24.2.0-1.mga3 firefox-es_MX-24.2.0-1.mga3 firefox-et-24.2.0-1.mga3 firefox-eu-24.2.0-1.mga3 firefox-fa-24.2.0-1.mga3 firefox-ff-24.2.0-1.mga3 firefox-fi-24.2.0-1.mga3 firefox-fr-24.2.0-1.mga3 firefox-fy-24.2.0-1.mga3 firefox-ga_IE-24.2.0-1.mga3 firefox-gd-24.2.0-1.mga3 firefox-gl-24.2.0-1.mga3 firefox-gu_IN-24.2.0-1.mga3 firefox-he-24.2.0-1.mga3 firefox-hi-24.2.0-1.mga3 firefox-hr-24.2.0-1.mga3 firefox-hu-24.2.0-1.mga3 firefox-hy-24.2.0-1.mga3 firefox-id-24.2.0-1.mga3 firefox-is-24.2.0-1.mga3 firefox-it-24.2.0-1.mga3 firefox-ja-24.2.0-1.mga3 firefox-kk-24.2.0-1.mga3 firefox-ko-24.2.0-1.mga3 firefox-km-24.2.0-1.mga3 firefox-kn-24.2.0-1.mga3 firefox-ku-24.2.0-1.mga3 firefox-lg-24.2.0-1.mga3 firefox-lij-24.2.0-1.mga3 firefox-lt-24.2.0-1.mga3 firefox-lv-24.2.0-1.mga3 firefox-mai-24.2.0-1.mga3 firefox-mk-24.2.0-1.mga3 firefox-ml-24.2.0-1.mga3 firefox-mr-24.2.0-1.mga3 firefox-nb_NO-24.2.0-1.mga3 firefox-nl-24.2.0-1.mga3 firefox-nn_NO-24.2.0-1.mga3 firefox-nso-24.2.0-1.mga3 firefox-or-24.2.0-1.mga3 firefox-pa_IN-24.2.0-1.mga3 firefox-pl-24.2.0-1.mga3 firefox-pt_BR-24.2.0-1.mga3 firefox-pt_PT-24.2.0-1.mga3 firefox-ro-24.2.0-1.mga3 firefox-ru-24.2.0-1.mga3 firefox-si-24.2.0-1.mga3 firefox-sk-24.2.0-1.mga3 firefox-sl-24.2.0-1.mga3 firefox-sq-24.2.0-1.mga3 firefox-sr-24.2.0-1.mga3 firefox-sv_SE-24.2.0-1.mga3 firefox-ta-24.2.0-1.mga3 firefox-ta_LK-24.2.0-1.mga3 firefox-te-24.2.0-1.mga3 firefox-th-24.2.0-1.mga3 firefox-tr-24.2.0-1.mga3 firefox-uk-24.2.0-1.mga3 firefox-vi-24.2.0-1.mga3 firefox-zh_CN-24.2.0-1.mga3 firefox-zh_TW-24.2.0-1.mga3 firefox-zu-24.2.0-1.mga3 thunderbird-24.2.0-1.mga3 thunderbird-enigmail-24.2.0-1.mga3 nsinstall-24.2.0-1.mga3 thunderbird-ar-24.2.0-1.mga3 thunderbird-ast-24.2.0-1.mga3 thunderbird-be-24.2.0-1.mga3 thunderbird-bg-24.2.0-1.mga3 thunderbird-bn_BD-24.2.0-1.mga3 thunderbird-br-24.2.0-1.mga3 thunderbird-ca-24.2.0-1.mga3 thunderbird-cs-24.2.0-1.mga3 thunderbird-da-24.2.0-1.mga3 thunderbird-de-24.2.0-1.mga3 thunderbird-el-24.2.0-1.mga3 thunderbird-en_GB-24.2.0-1.mga3 thunderbird-es_AR-24.2.0-1.mga3 thunderbird-es_ES-24.2.0-1.mga3 thunderbird-et-24.2.0-1.mga3 thunderbird-eu-24.2.0-1.mga3 thunderbird-fi-24.2.0-1.mga3 thunderbird-fr-24.2.0-1.mga3 thunderbird-fy-24.2.0-1.mga3 thunderbird-ga-24.2.0-1.mga3 thunderbird-gd-24.2.0-1.mga3 thunderbird-gl-24.2.0-1.mga3 thunderbird-he-24.2.0-1.mga3 thunderbird-hr-24.2.0-1.mga3 thunderbird-hu-24.2.0-1.mga3 thunderbird-hy-24.2.0-1.mga3 thunderbird-id-24.2.0-1.mga3 thunderbird-is-24.2.0-1.mga3 thunderbird-it-24.2.0-1.mga3 thunderbird-ja-24.2.0-1.mga3 thunderbird-ko-24.2.0-1.mga3 thunderbird-lt-24.2.0-1.mga3 thunderbird-nb_NO-24.2.0-1.mga3 thunderbird-nl-24.2.0-1.mga3 thunderbird-nn_NO-24.2.0-1.mga3 thunderbird-pl-24.2.0-1.mga3 thunderbird-pa_IN-24.2.0-1.mga3 thunderbird-pt_BR-24.2.0-1.mga3 thunderbird-pt_PT-24.2.0-1.mga3 thunderbird-ro-24.2.0-1.mga3 thunderbird-ru-24.2.0-1.mga3 thunderbird-si-24.2.0-1.mga3 thunderbird-sk-24.2.0-1.mga3 thunderbird-sl-24.2.0-1.mga3 thunderbird-sq-24.2.0-1.mga3 thunderbird-sv_SE-24.2.0-1.mga3 thunderbird-ta_LK-24.2.0-1.mga3 thunderbird-tr-24.2.0-1.mga3 thunderbird-uk-24.2.0-1.mga3 thunderbird-vi-24.2.0-1.mga3 thunderbird-zh_CN-24.2.0-1.mga3 thunderbird-zh_TW-24.2.0-1.mga3 thunderbird-lightning-2.6.4-1.mga3

from SRPMS:

rootcerts-20131204.00-1.mga3.src.rpm nss-3.15.3.1-1.mga3.src.rpm firefox-24.2.0-1.mga3.src.rpm firefox-l10n-24.2.0-1.mga3.src.rpm thunderbird-24.2.0-1.mga3.src.rpm thunderbird-l10n-24.2.0-1.mga3.src.rpm thunderbird-lightning-2.6.4-1.mga3.src.rpm

Version:
Cauldron =>
3

No PoCs on SecurityFocus. Tested mga3-64.

Firefox: Tested general browsing, sunspider for javascript, youtube for flash, javatester.org for java. All OK.

Thunderbird: send/receive/move/delete over SMTP/IMAP. Tested updating a calendar event in lightning, all OK.

CC:
(none) =>
wrw105
Bill Wilkinson
2014-01-04 00:55:48 CET
Whiteboard:
mga3-64-ok =>
mga3-64-ok mga3-32-ok

Tested mga3-32 as above. All OK. If anyone can test other languages, that would be good, and we still need the advisory uploaded to svn.

Advisory uploaded to svn.

Validating the update. Someone from the sysadmin team please push 11945.adv to updates.

Keywords:
(none) =>
validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0006.html

Status:
NEW =>
RESOLVED
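
The check suggested in the thread (look for the "Distrusted AC DG Tresor SSL" entry in the certdata file) can be scripted so QA does not rely on a text search alone. This is an added example, not code from the bug report or from NSS: it parses a constructed excerpt in certdata.txt syntax and reports whether a label's trust object marks every purpose as not trusted; the sample entries and the function names are assumptions.

```python
# Constructed excerpt in NSS certdata.txt syntax. The second label is the one
# named in the thread; the octal bytes are placeholders, not real DER.
SAMPLE_CERTDATA = r'''
# Trust for "Example Root CA" (constructed entry)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Distrusted AC DG Tresor SSL"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted AC DG Tresor SSL"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_trust_objects(text):
    """Return [(label, {attribute: trust_value})] for each CKO_NSS_TRUST object."""
    objects, obj, in_octal = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:                    # skip MULTILINE_OCTAL payload up to END
            in_octal = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        attr, typ, val = (line.split(None, 2) + ["", ""])[:3]
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":       # each object starts with CKA_CLASS
            obj = {"class": val, "label": None, "trust": {}}
            objects.append(obj)
        elif obj is not None and attr == "CKA_LABEL":
            obj["label"] = val.strip('"')
        elif obj is not None and typ == "CK_TRUST":
            obj["trust"][attr] = val
    return [(o["label"], o["trust"]) for o in objects if o["class"] == "CKO_NSS_TRUST"]

def is_distrusted(text, label):
    """True only if the label has trust objects and all their purposes are NOT_TRUSTED."""
    hits = [t for name, t in parse_trust_objects(text) if name == label]
    return bool(hits) and all(t and set(t.values()) == {"CKT_NSS_NOT_TRUSTED"} for t in hits)
```

To check an installed or unpacked source tree, pass the contents of the real certdata file to `is_distrusted` in place of the constructed sample; a missing label returns `False`, which distinguishes "not distrusted" from a plain text match on a comment line.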