Bug 19789

Summary: Firefox 45.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/706580/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: nspr, rootcerts, nss, firefox, firefox-l10n CVE:
Status comment:

Description David Walser 2016-11-15 16:49:08 CET 
Firefox 45.5.0 is out.  It should be announced today:
https://www.mozilla.org/en-US/firefox/45.5.0/releasenotes/

There is also an nspr/rootcerts/nss update with this, which will hopefully fix issues some users have had with non-browser apps that use the ca-bundle.crt certificates file.

Advisory to come later.

Update is currently building, the package list will be the following.

Updated packages in core/updates_testing:
================
libnspr4-4.13.1-1.mga5
libnspr-devel-4.13.1-1.mga5
rootcerts-20160922.00-1.mga5
rootcerts-java-20160922.00-1.mga5
nss-3.27.1-1.mga5
nss-doc-3.27.1-1.mga5
libnss3-3.27.1-1.mga5
libnss-devel-3.27.1-1.mga5
libnss-static-devel-3.27.1-1.mga5
firefox-45.5.0-1.mga5
firefox-af-45.5.0-1.mga5
firefox-an-45.5.0-1.mga5
firefox-ar-45.5.0-1.mga5
firefox-as-45.5.0-1.mga5
firefox-ast-45.5.0-1.mga5
firefox-az-45.5.0-1.mga5
firefox-be-45.5.0-1.mga5
firefox-bg-45.5.0-1.mga5
firefox-bn_BD-45.5.0-1.mga5
firefox-bn_IN-45.5.0-1.mga5
firefox-br-45.5.0-1.mga5
firefox-bs-45.5.0-1.mga5
firefox-ca-45.5.0-1.mga5
firefox-cs-45.5.0-1.mga5
firefox-cy-45.5.0-1.mga5
firefox-da-45.5.0-1.mga5
firefox-de-45.5.0-1.mga5
firefox-devel-45.5.0-1.mga5
firefox-el-45.5.0-1.mga5
firefox-en_GB-45.5.0-1.mga5
firefox-en_US-45.5.0-1.mga5
firefox-en_ZA-45.5.0-1.mga5
firefox-eo-45.5.0-1.mga5
firefox-es_AR-45.5.0-1.mga5
firefox-es_CL-45.5.0-1.mga5
firefox-es_ES-45.5.0-1.mga5
firefox-es_MX-45.5.0-1.mga5
firefox-et-45.5.0-1.mga5
firefox-eu-45.5.0-1.mga5
firefox-fa-45.5.0-1.mga5
firefox-ff-45.5.0-1.mga5
firefox-fi-45.5.0-1.mga5
firefox-fr-45.5.0-1.mga5
firefox-fy_NL-45.5.0-1.mga5
firefox-ga_IE-45.5.0-1.mga5
firefox-gd-45.5.0-1.mga5
firefox-gl-45.5.0-1.mga5
firefox-gu_IN-45.5.0-1.mga5
firefox-he-45.5.0-1.mga5
firefox-hi_IN-45.5.0-1.mga5
firefox-hr-45.5.0-1.mga5
firefox-hsb-45.5.0-1.mga5
firefox-hu-45.5.0-1.mga5
firefox-hy_AM-45.5.0-1.mga5
firefox-id-45.5.0-1.mga5
firefox-is-45.5.0-1.mga5
firefox-it-45.5.0-1.mga5
firefox-ja-45.5.0-1.mga5
firefox-kk-45.5.0-1.mga5
firefox-km-45.5.0-1.mga5
firefox-kn-45.5.0-1.mga5
firefox-ko-45.5.0-1.mga5
firefox-lij-45.5.0-1.mga5
firefox-lt-45.5.0-1.mga5
firefox-lv-45.5.0-1.mga5
firefox-mai-45.5.0-1.mga5
firefox-mk-45.5.0-1.mga5
firefox-ml-45.5.0-1.mga5
firefox-mr-45.5.0-1.mga5
firefox-ms-45.5.0-1.mga5
firefox-nb_NO-45.5.0-1.mga5
firefox-nl-45.5.0-1.mga5
firefox-nn_NO-45.5.0-1.mga5
firefox-or-45.5.0-1.mga5
firefox-pa_IN-45.5.0-1.mga5
firefox-pl-45.5.0-1.mga5
firefox-pt_BR-45.5.0-1.mga5
firefox-pt_PT-45.5.0-1.mga5
firefox-ro-45.5.0-1.mga5
firefox-ru-45.5.0-1.mga5
firefox-si-45.5.0-1.mga5
firefox-sk-45.5.0-1.mga5
firefox-sl-45.5.0-1.mga5
firefox-sq-45.5.0-1.mga5
firefox-sr-45.5.0-1.mga5
firefox-sv_SE-45.5.0-1.mga5
firefox-ta-45.5.0-1.mga5
firefox-te-45.5.0-1.mga5
firefox-th-45.5.0-1.mga5
firefox-tr-45.5.0-1.mga5
firefox-uk-45.5.0-1.mga5
firefox-uz-45.5.0-1.mga5
firefox-vi-45.5.0-1.mga5
firefox-xh-45.5.0-1.mga5
firefox-zh_CN-45.5.0-1.mga5
firefox-zh_TW-45.5.0-1.mga5

from SRPMS:
nspr-4.13.1-1.mga5.src.rpm
rootcerts-20160922.00-1.mga5.src.rpm
nss-3.27.1-1.mga5.src.rpm
firefox-45.5.0-1.mga5.src.rpm
firefox-l10n-45.5.0-1.mga5.src.rpm
Comment 2 Len Lawrence 2016-11-16 09:53:21 CET 
lib64nspr4-4.13.1-1.mga5
lib64nspr-devel-4.13.1-1.mga5
rootcerts-20160922.00-1.mga5
rootcerts-java-20160922.00-1.mga5
nss-3.27.1-1.mga5
nss-doc-3.27.1-1.mga5
lib64nss3-3.27.1-1.mga5
lib64nss-devel-3.27.1-1.mga5
lib64nss-static-devel-3.27.1-1.mga5

noarch packages:
firefox-en_GB-45.5.0-1.mga5
firefox-uk-45.5.0-1.mga5
firefox-en_ZA-45.5.0-1.mga5
firefox-45.5.0-1.mga5

Installed and running on x86_64.

CC: (none) => tarazed25

Comment 4 David Walser 2016-11-16 14:13:20 CET 
I believe the nss update also fixed CVE-2016-9074 from the MFSA referenced above.
Comment 5 David Walser 2016-11-16 14:16:09 CET 
Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290).

A flaw was found in the way Add-on update process was handled by Firefox. A
Man-in-the-Middle attacker could use this flaw to install a malicious signed
add-on update (CVE-2016-9064).

An existing mitigation of timing side-channel attacks in NSS before 3.26.1 is
insufficient in some circumstances (CVE-2016-9074).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074
https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-2780.html
Comment 6 David Walser 2016-11-16 14:18:14 CET 
Working fine on my x86_64 workstation at work and my i586 laptop.

I even managed to get Pidgin working on my laptop again, though the rootcerts don't appear to have been the real issue.  I had to copy the certs in ~/.purple/certificates/x509/tls_peers/ from a computer where it was working (which fixed AIM) and set the Connect server to talk.google.com for my Google Talk account.

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

David Walser 2016-11-16 19:26:45 CET

URL: (none) => http://lwn.net/Vulnerabilities/706580/

Dave Hodgins 2016-11-16 21:26:45 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Nicolas Lécureuil 2016-11-17 09:38:04 CET 
can you fix firefox-l10n version in the advisory ?
thanks

CC: (none) => mageia

Comment 8 Mageia Robot 2016-11-17 15:11:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0379.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2016-11-17 16:49:31 CET 
LWN reference for CVE-2016-9074:
http://lwn.net/Vulnerabilities/706734/