Bug 16571

Summary: Firefox 38.2
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/654275/
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory
Source RPM: firefox, rootcerts, nss CVE:
Status comment:

Description David Walser 2015-08-11 17:23:34 CEST 
Firefox 38.2 is out.  The upstream advisories haven't been posted yet, nor has the Thunderbird 38.2 tarball, so the advisory and Thunderbird update will come later.

This update will also include the rootcerts/nss update for some update root CA certificates:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes

Updated packages uploaded for Mageia 4 and Mageia 5.

Updated packages in core/updates_testing:
========================
rootcerts-20150709.00-1.mga4
rootcerts-java-20150709.00-1.mga4
nss-3.19.3-1.mga4
nss-doc-3.19.3-1.mga4
libnss3-3.19.3-1.mga4
libnss-devel-3.19.3-1.mga4
libnss-static-devel-3.19.3-1.mga4
firefox-38.2.0-1.mga4
firefox-devel-38.2.0-1.mga4
firefox-af-38.2.0-1.mga4
firefox-an-38.2.0-1.mga4
firefox-ar-38.2.0-1.mga4
firefox-as-38.2.0-1.mga4
firefox-ast-38.2.0-1.mga4
firefox-az-38.2.0-1.mga4
firefox-be-38.2.0-1.mga4
firefox-bg-38.2.0-1.mga4
firefox-bn_IN-38.2.0-1.mga4
firefox-bn_BD-38.2.0-1.mga4
firefox-br-38.2.0-1.mga4
firefox-bs-38.2.0-1.mga4
firefox-ca-38.2.0-1.mga4
firefox-cs-38.2.0-1.mga4
firefox-cy-38.2.0-1.mga4
firefox-da-38.2.0-1.mga4
firefox-de-38.2.0-1.mga4
firefox-el-38.2.0-1.mga4
firefox-en_GB-38.2.0-1.mga4
firefox-en_US-38.2.0-1.mga4
firefox-en_ZA-38.2.0-1.mga4
firefox-eo-38.2.0-1.mga4
firefox-es_AR-38.2.0-1.mga4
firefox-es_CL-38.2.0-1.mga4
firefox-es_ES-38.2.0-1.mga4
firefox-es_MX-38.2.0-1.mga4
firefox-et-38.2.0-1.mga4
firefox-eu-38.2.0-1.mga4
firefox-fa-38.2.0-1.mga4
firefox-ff-38.2.0-1.mga4
firefox-fi-38.2.0-1.mga4
firefox-fr-38.2.0-1.mga4
firefox-fy_NL-38.2.0-1.mga4
firefox-ga_IE-38.2.0-1.mga4
firefox-gd-38.2.0-1.mga4
firefox-gl-38.2.0-1.mga4
firefox-gu_IN-38.2.0-1.mga4
firefox-he-38.2.0-1.mga4
firefox-hi_IN-38.2.0-1.mga4
firefox-hr-38.2.0-1.mga4
firefox-hsb-38.2.0-1.mga4
firefox-hu-38.2.0-1.mga4
firefox-hy_AM-38.2.0-1.mga4
firefox-id-38.2.0-1.mga4
firefox-is-38.2.0-1.mga4
firefox-it-38.2.0-1.mga4
firefox-ja-38.2.0-1.mga4
firefox-kk-38.2.0-1.mga4
firefox-km-38.2.0-1.mga4
firefox-kn-38.2.0-1.mga4
firefox-ko-38.2.0-1.mga4
firefox-lij-38.2.0-1.mga4
firefox-lt-38.2.0-1.mga4
firefox-lv-38.2.0-1.mga4
firefox-mai-38.2.0-1.mga4
firefox-mk-38.2.0-1.mga4
firefox-ml-38.2.0-1.mga4
firefox-mr-38.2.0-1.mga4
firefox-ms-38.2.0-1.mga4
firefox-nb_NO-38.2.0-1.mga4
firefox-nl-38.2.0-1.mga4
firefox-nn_NO-38.2.0-1.mga4
firefox-or-38.2.0-1.mga4
firefox-pa_IN-38.2.0-1.mga4
firefox-pl-38.2.0-1.mga4
firefox-pt_BR-38.2.0-1.mga4
firefox-pt_PT-38.2.0-1.mga4
firefox-ro-38.2.0-1.mga4
firefox-ru-38.2.0-1.mga4
firefox-si-38.2.0-1.mga4
firefox-sk-38.2.0-1.mga4
firefox-sl-38.2.0-1.mga4
firefox-sq-38.2.0-1.mga4
firefox-sr-38.2.0-1.mga4
firefox-sv_SE-38.2.0-1.mga4
firefox-ta-38.2.0-1.mga4
firefox-te-38.2.0-1.mga4
firefox-th-38.2.0-1.mga4
firefox-tr-38.2.0-1.mga4
firefox-uk-38.2.0-1.mga4
firefox-uz-38.2.0-1.mga4
firefox-vi-38.2.0-1.mga4
firefox-xh-38.2.0-1.mga4
firefox-zh_CN-38.2.0-1.mga4
firefox-zh_TW-38.2.0-1.mga4
rootcerts-20150709.00-1.mga5
rootcerts-java-20150709.00-1.mga5
nss-3.19.3-1.mga5
nss-doc-3.19.3-1.mga5
libnss3-3.19.3-1.mga5
libnss-devel-3.19.3-1.mga5
libnss-static-devel-3.19.3-1.mga5
firefox-38.2.0-1.mga5
firefox-devel-38.2.0-1.mga5
firefox-af-38.2.0-1.mga5
firefox-an-38.2.0-1.mga5
firefox-ar-38.2.0-1.mga5
firefox-as-38.2.0-1.mga5
firefox-ast-38.2.0-1.mga5
firefox-az-38.2.0-1.mga5
firefox-be-38.2.0-1.mga5
firefox-bg-38.2.0-1.mga5
firefox-bn_IN-38.2.0-1.mga5
firefox-bn_BD-38.2.0-1.mga5
firefox-br-38.2.0-1.mga5
firefox-bs-38.2.0-1.mga5
firefox-ca-38.2.0-1.mga5
firefox-cs-38.2.0-1.mga5
firefox-cy-38.2.0-1.mga5
firefox-da-38.2.0-1.mga5
firefox-de-38.2.0-1.mga5
firefox-el-38.2.0-1.mga5
firefox-en_GB-38.2.0-1.mga5
firefox-en_US-38.2.0-1.mga5
firefox-en_ZA-38.2.0-1.mga5
firefox-eo-38.2.0-1.mga5
firefox-es_AR-38.2.0-1.mga5
firefox-es_CL-38.2.0-1.mga5
firefox-es_ES-38.2.0-1.mga5
firefox-es_MX-38.2.0-1.mga5
firefox-et-38.2.0-1.mga5
firefox-eu-38.2.0-1.mga5
firefox-fa-38.2.0-1.mga5
firefox-ff-38.2.0-1.mga5
firefox-fi-38.2.0-1.mga5
firefox-fr-38.2.0-1.mga5
firefox-fy_NL-38.2.0-1.mga5
firefox-ga_IE-38.2.0-1.mga5
firefox-gd-38.2.0-1.mga5
firefox-gl-38.2.0-1.mga5
firefox-gu_IN-38.2.0-1.mga5
firefox-he-38.2.0-1.mga5
firefox-hi_IN-38.2.0-1.mga5
firefox-hr-38.2.0-1.mga5
firefox-hsb-38.2.0-1.mga5
firefox-hu-38.2.0-1.mga5
firefox-hy_AM-38.2.0-1.mga5
firefox-id-38.2.0-1.mga5
firefox-is-38.2.0-1.mga5
firefox-it-38.2.0-1.mga5
firefox-ja-38.2.0-1.mga5
firefox-kk-38.2.0-1.mga5
firefox-km-38.2.0-1.mga5
firefox-kn-38.2.0-1.mga5
firefox-ko-38.2.0-1.mga5
firefox-lij-38.2.0-1.mga5
firefox-lt-38.2.0-1.mga5
firefox-lv-38.2.0-1.mga5
firefox-mai-38.2.0-1.mga5
firefox-mk-38.2.0-1.mga5
firefox-ml-38.2.0-1.mga5
firefox-mr-38.2.0-1.mga5
firefox-ms-38.2.0-1.mga5
firefox-nb_NO-38.2.0-1.mga5
firefox-nl-38.2.0-1.mga5
firefox-nn_NO-38.2.0-1.mga5
firefox-or-38.2.0-1.mga5
firefox-pa_IN-38.2.0-1.mga5
firefox-pl-38.2.0-1.mga5
firefox-pt_BR-38.2.0-1.mga5
firefox-pt_PT-38.2.0-1.mga5
firefox-ro-38.2.0-1.mga5
firefox-ru-38.2.0-1.mga5
firefox-si-38.2.0-1.mga5
firefox-sk-38.2.0-1.mga5
firefox-sl-38.2.0-1.mga5
firefox-sq-38.2.0-1.mga5
firefox-sr-38.2.0-1.mga5
firefox-sv_SE-38.2.0-1.mga5
firefox-ta-38.2.0-1.mga5
firefox-te-38.2.0-1.mga5
firefox-th-38.2.0-1.mga5
firefox-tr-38.2.0-1.mga5
firefox-uk-38.2.0-1.mga5
firefox-uz-38.2.0-1.mga5
firefox-vi-38.2.0-1.mga5
firefox-xh-38.2.0-1.mga5
firefox-zh_CN-38.2.0-1.mga5
firefox-zh_TW-38.2.0-1.mga5

from SRPMS:
rootcerts-20150709.00-1.mga4.src.rpm
nss-3.19.3-1.mga4.src.rpm
firefox-38.2.0-1.mga4.src.rpm
firefox-l10n-38.2.0-1.mga4.src.rpm
rootcerts-20150709.00-1.mga5.src.rpm
nss-3.19.3-1.mga5.src.rpm
firefox-38.2.0-1.mga5.src.rpm
firefox-l10n-38.2.0-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-11 17:23:41 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-08-11 19:19:19 CEST 
The upstream advisories have been posted:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

None of the issues are listed as affecting Thunderbird, so I guess there won't be a Thunderbird 38.2.

I'll post the advisory when RedHat posts their update.

I was concerned about MFSA2015-89, since it says the issue is with libvpx, but there are no changes in the bundled libvpx code between Firefox 38.1 and 38.2, so I guess the fixes must have gone into the Firefox code itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Comment 2 David Walser 2015-08-11 19:20:15 CEST 
Working fine for me, Mageia 4 and Mageia 5 i586.

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA5-32-OK

David Walser 2015-08-11 19:23:53 CEST

Severity: normal => critical

Comment 3 Bill Wilkinson 2015-08-11 20:07:06 CEST 
mga5-64, usual battery but with JetStream in place of sunspider, javatester, general browsing, youtube for flash, all OK.

CC: (none) => wrw105
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok

Dave Hodgins 2015-08-11 20:58:07 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Dave Hodgins 2015-08-11 21:11:35 CEST 
Removing the advisory tag. Updated the wrong bug. I'll fix that shortly.

Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok

Comment 5 Dave Hodgins 2015-08-11 21:16:11 CEST 
Also removing the validated_update update keyword until the advisory is
available.

Keywords: validated_update => (none)

Comment 6 David Walser 2015-08-11 21:28:18 CEST 
RedHat has issued an advisory for this today (August 11):
https://rhn.redhat.com/errata/RHSA-2015-1586.html

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485,
CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-1586.html
Dave Hodgins 2015-08-11 21:40:50 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory

Comment 7 Mageia Robot 2015-08-11 22:23:47 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0312.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-12 20:05:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/654275/