| Summary: | Firefox new security issues CVE-2015-0817 and CVE-2015-0818 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Bill Wilkinson <wrw105> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | luigiwalser, rverschelde, sysadmin-bugs, wrw105 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/637568/ | ||
| Whiteboard: | has_procedure MGA4-32-OK mga4-64-ok advisory | ||
| Source RPM: | CVE: | ||
| Status comment: | |||
Description
Bill Wilkinson
2015-03-23 11:49:21 CET
Actually it was to deal with two bugs, issued on March 20:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/

Ubuntu has issued an advisory for this on March 22:
http://www.ubuntu.com/usn/usn-2538-1/

NSS 3.18 has also been released, and new rootcerts are available:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes

Version: 4 => Cauldron

David Walser
2015-03-23 16:10:07 CET
CC: (none) => luigiwalser

Updates checked into SVN. Freeze push requested for Cauldron.

Saving the advisory for later when this is uploaded.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A flaw was discovered in the implementation of typed array bounds checking in the JavaScript just-in-time compilation. If a user were tricked into opening a specially crafted website, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking Firefox (CVE-2015-0817).

Mariusz Mlynski discovered a flaw in the processing of SVG format content navigation. If a user were tricked into opening a specially crafted website, an attacker could exploit this to run arbitrary script in a privileged context (CVE-2015-0818).

The firefox package has been updated to version 31.5.3 to fix these issues.

Also, the nss package has been updated to version 3.18, which enables TLS and DTLS 1.2, increases the default RSA key size created by certutil to 2048 bits, and has some CA root certificate updates.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0818
https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
http://www.ubuntu.com/usn/usn-2538-1/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20150226.00-1.mga4
rootcerts-java-20150226.00-1.mga4
nss-3.18.0-1.mga4
nss-doc-3.18.0-1.mga4
libnss3-3.18.0-1.mga4
libnss-devel-3.18.0-1.mga4
libnss-static-devel-3.18.0-1.mga4
firefox-31.5.3-1.mga4
firefox-devel-31.5.3-1.mga4
firefox-af-31.5.3-1.mga4
firefox-ar-31.5.3-1.mga4
firefox-as-31.5.3-1.mga4
firefox-ast-31.5.3-1.mga4
firefox-be-31.5.3-1.mga4
firefox-bg-31.5.3-1.mga4
firefox-bn_IN-31.5.3-1.mga4
firefox-bn_BD-31.5.3-1.mga4
firefox-br-31.5.3-1.mga4
firefox-bs-31.5.3-1.mga4
firefox-ca-31.5.3-1.mga4
firefox-cs-31.5.3-1.mga4
firefox-csb-31.5.3-1.mga4
firefox-cy-31.5.3-1.mga4
firefox-da-31.5.3-1.mga4
firefox-de-31.5.3-1.mga4
firefox-el-31.5.3-1.mga4
firefox-en_GB-31.5.3-1.mga4
firefox-en_ZA-31.5.3-1.mga4
firefox-eo-31.5.3-1.mga4
firefox-es_AR-31.5.3-1.mga4
firefox-es_CL-31.5.3-1.mga4
firefox-es_ES-31.5.3-1.mga4
firefox-es_MX-31.5.3-1.mga4
firefox-et-31.5.3-1.mga4
firefox-eu-31.5.3-1.mga4
firefox-fa-31.5.3-1.mga4
firefox-ff-31.5.3-1.mga4
firefox-fi-31.5.3-1.mga4
firefox-fr-31.5.3-1.mga4
firefox-fy-31.5.3-1.mga4
firefox-ga_IE-31.5.3-1.mga4
firefox-gd-31.5.3-1.mga4
firefox-gl-31.5.3-1.mga4
firefox-gu_IN-31.5.3-1.mga4
firefox-he-31.5.3-1.mga4
firefox-hi-31.5.3-1.mga4
firefox-hr-31.5.3-1.mga4
firefox-hu-31.5.3-1.mga4
firefox-hy-31.5.3-1.mga4
firefox-id-31.5.3-1.mga4
firefox-is-31.5.3-1.mga4
firefox-it-31.5.3-1.mga4
firefox-ja-31.5.3-1.mga4
firefox-kk-31.5.3-1.mga4
firefox-ko-31.5.3-1.mga4
firefox-km-31.5.3-1.mga4
firefox-kn-31.5.3-1.mga4
firefox-ku-31.5.3-1.mga4
firefox-lij-31.5.3-1.mga4
firefox-lt-31.5.3-1.mga4
firefox-lv-31.5.3-1.mga4
firefox-mai-31.5.3-1.mga4
firefox-mk-31.5.3-1.mga4
firefox-ml-31.5.3-1.mga4
firefox-mr-31.5.3-1.mga4
firefox-nb_NO-31.5.3-1.mga4
firefox-nl-31.5.3-1.mga4
firefox-nn_NO-31.5.3-1.mga4
firefox-or-31.5.3-1.mga4
firefox-pa_IN-31.5.3-1.mga4
firefox-pl-31.5.3-1.mga4
firefox-pt_BR-31.5.3-1.mga4
firefox-pt_PT-31.5.3-1.mga4
firefox-ro-31.5.3-1.mga4
firefox-ru-31.5.3-1.mga4
firefox-si-31.5.3-1.mga4
firefox-sk-31.5.3-1.mga4
firefox-sl-31.5.3-1.mga4
firefox-sq-31.5.3-1.mga4
firefox-sr-31.5.3-1.mga4
firefox-sv_SE-31.5.3-1.mga4
firefox-ta-31.5.3-1.mga4
firefox-te-31.5.3-1.mga4
firefox-th-31.5.3-1.mga4
firefox-tr-31.5.3-1.mga4
firefox-uk-31.5.3-1.mga4
firefox-vi-31.5.3-1.mga4
firefox-zh_CN-31.5.3-1.mga4
firefox-zh_TW-31.5.3-1.mga4
firefox-zu-31.5.3-1.mga4

from SRPMS:
rootcerts-20150226.00-1.mga4.src.rpm
nss-3.18.0-1.mga4.src.rpm
firefox-31.5.3-1.mga4.src.rpm
firefox-l10n-31.5.3-1.mga4.src.rpm

Updated packages uploaded for Mageia 4 and Cauldron.

See Comment 3 for the advisory and package list.

URL: (none) => http://lwn.net/Vulnerabilities/637568/

David: Mozilla was only showing the one on the firefox ESR page, but both on the Seamonkey page. Maybe I was too quick!

Tested MGA4-64
General browsing, sunspider for javascript, javatester for java plugin, youtube for flash plugin, https logins for nss and rootcerts, acid3.
All OK

CC: (none) => wrw105

Confirmed everything is working fine on Mageia 4 i586 as well.

Whiteboard: mga4-64-ok has_procedure => has_procedure MGA4-32-OK mga4-64-ok

validating

Can someone from the sysadmin team please push to core/updates?

Thanks!

Keywords: (none) => validated_update

Advisory uploaded.

CC: (none) => remi

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0115.html

Status: NEW => RESOLVED