Bug 15607

Summary: Firefox and Thunderbird 31.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, sysadmin-bugs, wrw105
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/638720/
Whiteboard: has_procedure advisory mga4-64-ok mga4-32-OK
Source RPM: firefox, thunderbird, rootcerts, nss CVE:
Status comment:

Description David Walser 2015-04-01 16:21:28 CEST 
Mozilla has issued advisories on March 31:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816

These were just posted here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

There is no rootcerts update, so nss is being rebuilt against it.  There are not newer versions of nspr and nss available at this time.

RedHat has issued advisories for this today (April 1, and it's no joke):
https://rhn.redhat.com/errata/RHSA-2015-0766.html
https://rhn.redhat.com/errata/RHSA-2015-0771.html

Updated packages are in the process of being built.

The advisory will be as follows:

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running it (CVE-2015-0801, CVE-2015-0813, CVE-2015-0815).

A flaw was found in the Beacon interface implementation in Firefox and
Thunderbird. A web page containing malicious content could allow a remote
attacker to conduct a Cross-Site Request Forgery (CSRF) attack
(CVE-2015-0807).

A flaw was found in the way documents were loaded via resource URLs in, for
example, Firefox's PDF.js PDF file viewer. An attacker could use this flaw
to bypass certain restrictions and under certain conditions even execute
arbitrary code with the privileges of the user running Firefox or Thunderbird
(CVE-2015-0816)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816
https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/
https://rhn.redhat.com/errata/RHSA-2015-0766.html
https://rhn.redhat.com/errata/RHSA-2015-0771.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20150326.00-1.mga4
rootcerts-java-20150326.00-1.mga4
nss-3.18.0-1.1.mga4
nss-doc-3.18.0-1.1.mga4
libnss3-3.18.0-1.1.mga4
libnss-devel-3.18.0-1.1.mga4
libnss-static-devel-3.18.0-1.1.mga4
firefox-31.6.0-1.mga4
firefox-devel-31.6.0-1.mga4
firefox-af-31.6.0-1.mga4
firefox-ar-31.6.0-1.mga4
firefox-as-31.6.0-1.mga4
firefox-ast-31.6.0-1.mga4
firefox-be-31.6.0-1.mga4
firefox-bg-31.6.0-1.mga4
firefox-bn_IN-31.6.0-1.mga4
firefox-bn_BD-31.6.0-1.mga4
firefox-br-31.6.0-1.mga4
firefox-bs-31.6.0-1.mga4
firefox-ca-31.6.0-1.mga4
firefox-cs-31.6.0-1.mga4
firefox-csb-31.6.0-1.mga4
firefox-cy-31.6.0-1.mga4
firefox-da-31.6.0-1.mga4
firefox-de-31.6.0-1.mga4
firefox-el-31.6.0-1.mga4
firefox-en_GB-31.6.0-1.mga4
firefox-en_ZA-31.6.0-1.mga4
firefox-eo-31.6.0-1.mga4
firefox-es_AR-31.6.0-1.mga4
firefox-es_CL-31.6.0-1.mga4
firefox-es_ES-31.6.0-1.mga4
firefox-es_MX-31.6.0-1.mga4
firefox-et-31.6.0-1.mga4
firefox-eu-31.6.0-1.mga4
firefox-fa-31.6.0-1.mga4
firefox-ff-31.6.0-1.mga4
firefox-fi-31.6.0-1.mga4
firefox-fr-31.6.0-1.mga4
firefox-fy-31.6.0-1.mga4
firefox-ga_IE-31.6.0-1.mga4
firefox-gd-31.6.0-1.mga4
firefox-gl-31.6.0-1.mga4
firefox-gu_IN-31.6.0-1.mga4
firefox-he-31.6.0-1.mga4
firefox-hi-31.6.0-1.mga4
firefox-hr-31.6.0-1.mga4
firefox-hu-31.6.0-1.mga4
firefox-hy-31.6.0-1.mga4
firefox-id-31.6.0-1.mga4
firefox-is-31.6.0-1.mga4
firefox-it-31.6.0-1.mga4
firefox-ja-31.6.0-1.mga4
firefox-kk-31.6.0-1.mga4
firefox-ko-31.6.0-1.mga4
firefox-km-31.6.0-1.mga4
firefox-kn-31.6.0-1.mga4
firefox-ku-31.6.0-1.mga4
firefox-lij-31.6.0-1.mga4
firefox-lt-31.6.0-1.mga4
firefox-lv-31.6.0-1.mga4
firefox-mai-31.6.0-1.mga4
firefox-mk-31.6.0-1.mga4
firefox-ml-31.6.0-1.mga4
firefox-mr-31.6.0-1.mga4
firefox-nb_NO-31.6.0-1.mga4
firefox-nl-31.6.0-1.mga4
firefox-nn_NO-31.6.0-1.mga4
firefox-or-31.6.0-1.mga4
firefox-pa_IN-31.6.0-1.mga4
firefox-pl-31.6.0-1.mga4
firefox-pt_BR-31.6.0-1.mga4
firefox-pt_PT-31.6.0-1.mga4
firefox-ro-31.6.0-1.mga4
firefox-ru-31.6.0-1.mga4
firefox-si-31.6.0-1.mga4
firefox-sk-31.6.0-1.mga4
firefox-sl-31.6.0-1.mga4
firefox-sq-31.6.0-1.mga4
firefox-sr-31.6.0-1.mga4
firefox-sv_SE-31.6.0-1.mga4
firefox-ta-31.6.0-1.mga4
firefox-te-31.6.0-1.mga4
firefox-th-31.6.0-1.mga4
firefox-tr-31.6.0-1.mga4
firefox-uk-31.6.0-1.mga4
firefox-vi-31.6.0-1.mga4
firefox-zh_CN-31.6.0-1.mga4
firefox-zh_TW-31.6.0-1.mga4
firefox-zu-31.6.0-1.mga4
thunderbird-31.6.0-1.mga4
thunderbird-enigmail-31.6.0-1.mga4
nsinstall-31.6.0-1.mga4
thunderbird-ar-31.6.0-1.mga4
thunderbird-ast-31.6.0-1.mga4
thunderbird-be-31.6.0-1.mga4
thunderbird-bg-31.6.0-1.mga4
thunderbird-bn_BD-31.6.0-1.mga4
thunderbird-br-31.6.0-1.mga4
thunderbird-ca-31.6.0-1.mga4
thunderbird-cs-31.6.0-1.mga4
thunderbird-da-31.6.0-1.mga4
thunderbird-de-31.6.0-1.mga4
thunderbird-el-31.6.0-1.mga4
thunderbird-en_GB-31.6.0-1.mga4
thunderbird-es_AR-31.6.0-1.mga4
thunderbird-es_ES-31.6.0-1.mga4
thunderbird-et-31.6.0-1.mga4
thunderbird-eu-31.6.0-1.mga4
thunderbird-fi-31.6.0-1.mga4
thunderbird-fr-31.6.0-1.mga4
thunderbird-fy-31.6.0-1.mga4
thunderbird-ga-31.6.0-1.mga4
thunderbird-gd-31.6.0-1.mga4
thunderbird-gl-31.6.0-1.mga4
thunderbird-he-31.6.0-1.mga4
thunderbird-hr-31.6.0-1.mga4
thunderbird-hu-31.6.0-1.mga4
thunderbird-hy-31.6.0-1.mga4
thunderbird-id-31.6.0-1.mga4
thunderbird-is-31.6.0-1.mga4
thunderbird-it-31.6.0-1.mga4
thunderbird-ja-31.6.0-1.mga4
thunderbird-ko-31.6.0-1.mga4
thunderbird-lt-31.6.0-1.mga4
thunderbird-nb_NO-31.6.0-1.mga4
thunderbird-nl-31.6.0-1.mga4
thunderbird-nn_NO-31.6.0-1.mga4
thunderbird-pl-31.6.0-1.mga4
thunderbird-pa_IN-31.6.0-1.mga4
thunderbird-pt_BR-31.6.0-1.mga4
thunderbird-pt_PT-31.6.0-1.mga4
thunderbird-ro-31.6.0-1.mga4
thunderbird-ru-31.6.0-1.mga4
thunderbird-si-31.6.0-1.mga4
thunderbird-sk-31.6.0-1.mga4
thunderbird-sl-31.6.0-1.mga4
thunderbird-sq-31.6.0-1.mga4
thunderbird-sv_SE-31.6.0-1.mga4
thunderbird-ta_LK-31.6.0-1.mga4
thunderbird-tr-31.6.0-1.mga4
thunderbird-uk-31.6.0-1.mga4
thunderbird-vi-31.6.0-1.mga4
thunderbird-zh_CN-31.6.0-1.mga4
thunderbird-zh_TW-31.6.0-1.mga4

from SRPMS:
rootcerts-20150326.00-1.mga4.src.rpm
nss-3.18.0-1.1.mga4.src.rpm
firefox-31.6.0-1.mga4.src.rpm
firefox-l10n-31.6.0-1.mga4.src.rpm
thunderbird-31.6.0-1.mga4.src.rpm
thunderbird-l10n-31.6.0-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-04-01 19:17:06 CEST 
Updated packages are on their way to mirrors now, and should be generally available within the next couple hours.  Advisory and package list in Comment 0.

Assignee: bugsquad => qa-bugs

David Walser 2015-04-01 20:29:31 CEST

URL: (none) => http://lwn.net/Vulnerabilities/638720/

Comment 2 Lewis Smith 2015-04-01 21:11:34 CEST 
Testing MGA4 x64
Updated just the essential Firefox (I do not use Thunderbird) + a language pack. Have played with it looking at interactive maps and a YouTube music number, no problems noted.

CC: (none) => lewyssmith

Comment 3 Bill Wilkinson 2015-04-02 15:06:57 CEST 
tested mga4-64

Updated thunderbird, firefox, rootcerts, nss

Firefox:
general browsing, acid3, sunspider for javascript, javatester for java, youtube for flash, all OK

Thunderbird:

Mail: Send/receive/move/delete over SMTP/IMAP
connected to freenode and joined #mageia-qa to test chat.

All OK.

CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure

Comment 4 Bill Wilkinson 2015-04-02 16:24:59 CEST 
Tested mga4-32 as above. All OK.

validating.  Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: mga4-64-ok has_procedure => has_procedure mga4-64-ok mga4-32-OK
CC: (none) => sysadmin-bugs

Comment 5 claire robinson 2015-04-03 13:39:43 CEST 
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok mga4-32-OK => has_procedure advisory mga4-64-ok mga4-32-OK

Comment 6 Mageia Robot 2015-04-03 15:12:13 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0131.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED