Bug 19133

Summary: Firefox 45.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, marja11, sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/696206/
Whiteboard: has_procedure mga5-32-ok mga5-64-ok advisory
Source RPM: rootcerts, nss, firefox CVE:
Status comment:

Description David Walser 2016-08-05 22:17:41 CEST 
Mozilla has released Firefox 45.3.0 on August 2:
https://www.mozilla.org/en-US/firefox/45.3.0/releasenotes/

They have also released nss 3.26 today (August 5) with a rootcerts update:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.26_release_notes

Everything is updated in SVN.  Freeze push requested for Cauldron.

RedHat has issued an advisory for Firefox on August 3:
https://rhn.redhat.com/errata/RHSA-2016-1551.html

Advisory for update-to-come to follow.
Comment 1 David Walser 2016-08-05 22:24:02 CEST 
Advisory:
================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2016-2836, CVE-2016-5258, CVE-2016-5259, CVE-2016-5252, CVE-2016-5263,
CVE-2016-2830, CVE-2016-2838, CVE-2016-5254, CVE-2016-5262, CVE-2016-5264,
CVE-2016-5265, CVE-2016-2837).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5259
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5262
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5265
https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-1551.html
Comment 2 David Walser 2016-08-05 22:26:20 CEST 
Package list will be as follows.

Updated packages in core/updates_testing:
================
rootcerts-20160805.00-1.mga5
rootcerts-java-20160805.00-1.mga5
nss-3.26.0-1.mga5
nss-doc-3.26.0-1.mga5
libnss3-3.26.0-1.mga5
libnss-devel-3.26.0-1.mga5
libnss-static-devel-3.26.0-1.mga5
firefox-45.3.0-1.mga5
firefox-af-45.3.0-1.mga5
firefox-an-45.3.0-1.mga5
firefox-ar-45.3.0-1.mga5
firefox-as-45.3.0-1.mga5
firefox-ast-45.3.0-1.mga5
firefox-az-45.3.0-1.mga5
firefox-be-45.3.0-1.mga5
firefox-bg-45.3.0-1.mga5
firefox-bn_BD-45.3.0-1.mga5
firefox-bn_IN-45.3.0-1.mga5
firefox-br-45.3.0-1.mga5
firefox-bs-45.3.0-1.mga5
firefox-ca-45.3.0-1.mga5
firefox-cs-45.3.0-1.mga5
firefox-cy-45.3.0-1.mga5
firefox-da-45.3.0-1.mga5
firefox-de-45.3.0-1.mga5
firefox-devel-45.3.0-2.mga5
firefox-el-45.3.0-1.mga5
firefox-en_GB-45.3.0-1.mga5
firefox-en_US-45.3.0-1.mga5
firefox-en_ZA-45.3.0-1.mga5
firefox-eo-45.3.0-1.mga5
firefox-es_AR-45.3.0-1.mga5
firefox-es_CL-45.3.0-1.mga5
firefox-es_ES-45.3.0-1.mga5
firefox-es_MX-45.3.0-1.mga5
firefox-et-45.3.0-1.mga5
firefox-eu-45.3.0-1.mga5
firefox-fa-45.3.0-1.mga5
firefox-ff-45.3.0-1.mga5
firefox-fi-45.3.0-1.mga5
firefox-fr-45.3.0-1.mga5
firefox-fy_NL-45.3.0-1.mga5
firefox-ga_IE-45.3.0-1.mga5
firefox-gd-45.3.0-1.mga5
firefox-gl-45.3.0-1.mga5
firefox-gu_IN-45.3.0-1.mga5
firefox-he-45.3.0-1.mga5
firefox-hi_IN-45.3.0-1.mga5
firefox-hr-45.3.0-1.mga5
firefox-hsb-45.3.0-1.mga5
firefox-hu-45.3.0-1.mga5
firefox-hy_AM-45.3.0-1.mga5
firefox-id-45.3.0-1.mga5
firefox-is-45.3.0-1.mga5
firefox-it-45.3.0-1.mga5
firefox-ja-45.3.0-1.mga5
firefox-kk-45.3.0-1.mga5
firefox-km-45.3.0-1.mga5
firefox-kn-45.3.0-1.mga5
firefox-ko-45.3.0-1.mga5
firefox-lij-45.3.0-1.mga5
firefox-lt-45.3.0-1.mga5
firefox-lv-45.3.0-1.mga5
firefox-mai-45.3.0-1.mga5
firefox-mk-45.3.0-1.mga5
firefox-ml-45.3.0-1.mga5
firefox-mr-45.3.0-1.mga5
firefox-ms-45.3.0-1.mga5
firefox-nb_NO-45.3.0-1.mga5
firefox-nl-45.3.0-1.mga5
firefox-nn_NO-45.3.0-1.mga5
firefox-or-45.3.0-1.mga5
firefox-pa_IN-45.3.0-1.mga5
firefox-pl-45.3.0-1.mga5
firefox-pt_BR-45.3.0-1.mga5
firefox-pt_PT-45.3.0-1.mga5
firefox-ro-45.3.0-1.mga5
firefox-ru-45.3.0-1.mga5
firefox-si-45.3.0-1.mga5
firefox-sk-45.3.0-1.mga5
firefox-sl-45.3.0-1.mga5
firefox-sq-45.3.0-1.mga5
firefox-sr-45.3.0-1.mga5
firefox-sv_SE-45.3.0-1.mga5
firefox-ta-45.3.0-1.mga5
firefox-te-45.3.0-1.mga5
firefox-th-45.3.0-1.mga5
firefox-tr-45.3.0-1.mga5
firefox-uk-45.3.0-1.mga5
firefox-uz-45.3.0-1.mga5
firefox-vi-45.3.0-1.mga5
firefox-xh-45.3.0-1.mga5
firefox-zh_CN-45.3.0-1.mga5
firefox-zh_TW-45.3.0-1.mga5

from SRPMS:
rootcerts-20160805.00-1.mga5.src.rpm
nss-3.26.0-1.mga5.src.rpm
firefox-45.3.0-1.mga5.src.rpm
firefox-l10n-45.3.0-1.mga5.src.rpm
Comment 3 Marja Van Waes 2016-08-06 08:18:14 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 4 David Walser 2016-08-06 19:27:12 CEST 
Packages submitted to build system, should be available within a couple of hours.

Advisory in Comment 1, package list in Comment 2.

Assignee: pkg-bugs => qa-bugs

Comment 5 Bill Wilkinson 2016-08-07 15:02:54 CEST 
tested mga5-64

General browsing, javatester, acid3, jetstream, flash game for flash, video on youtube, all OK.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga4-64-ok

Bill Wilkinson 2016-08-07 16:29:26 CEST

Whiteboard: has_procedure mga4-64-ok => has_procedure mga5-64-ok

Dave Hodgins 2016-08-08 11:35:41 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 David Walser 2016-08-08 21:36:58 CEST 
Mageia 5 i586 also works fine.

URL: (none) => http://lwn.net/Vulnerabilities/696206/
Whiteboard: has_procedure mga5-64-ok advisory => has_procedure mga5-32-ok mga5-64-ok advisory

Comment 7 Mageia Robot 2016-08-09 10:59:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0278.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED