Bug 19878

Summary: Firefox 45.5.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: brtians1, lewyssmith, nicolas.salguero, sysadmin-bugs, westel, youpburden
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/707838/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: nss, firefox CVE:
Status comment:

Description David Walser 2016-12-01 15:53:51 CET 
Firefox 45.5.1 has been released on November 30:
https://www.mozilla.org/en-US/firefox/45.5.1/releasenotes/

It fixes one security issue:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/

We will be updating nss with this too:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27.2_release_notes
David Walser 2016-12-01 18:58:46 CET

URL: (none) => https://lwn.net/Vulnerabilities/707838/

Comment 1 David Walser 2016-12-02 00:26:08 CET 
RedHat has issued an advisory for this today (December 1):
https://rhn.redhat.com/errata/RHSA-2016-2843.html

Advisory for our update once it's built is below.

Advisory:
========================

Updated firefox packages fix security vulnerability:

A flaw was found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2016-9079).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9079
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-2843.html
================

Updated packages in core/updates_testing:
================
nss-3.27.2-1.mga5
nss-doc-3.27.2-1.mga5
libnss3-3.27.2-1.mga5
libnss-devel-3.27.2-1.mga5
libnss-static-devel-3.27.2-1.mga5
firefox-45.5.1-1.mga5
firefox-af-45.5.1-1.mga5
firefox-an-45.5.1-1.mga5
firefox-ar-45.5.1-1.mga5
firefox-as-45.5.1-1.mga5
firefox-ast-45.5.1-1.mga5
firefox-az-45.5.1-1.mga5
firefox-be-45.5.1-1.mga5
firefox-bg-45.5.1-1.mga5
firefox-bn_BD-45.5.1-1.mga5
firefox-bn_IN-45.5.1-1.mga5
firefox-br-45.5.1-1.mga5
firefox-bs-45.5.1-1.mga5
firefox-ca-45.5.1-1.mga5
firefox-cs-45.5.1-1.mga5
firefox-cy-45.5.1-1.mga5
firefox-da-45.5.1-1.mga5
firefox-de-45.5.1-1.mga5
firefox-devel-45.5.1-1.mga5
firefox-el-45.5.1-1.mga5
firefox-en_GB-45.5.1-1.mga5
firefox-en_US-45.5.1-1.mga5
firefox-en_ZA-45.5.1-1.mga5
firefox-eo-45.5.1-1.mga5
firefox-es_AR-45.5.1-1.mga5
firefox-es_CL-45.5.1-1.mga5
firefox-es_ES-45.5.1-1.mga5
firefox-es_MX-45.5.1-1.mga5
firefox-et-45.5.1-1.mga5
firefox-eu-45.5.1-1.mga5
firefox-fa-45.5.1-1.mga5
firefox-ff-45.5.1-1.mga5
firefox-fi-45.5.1-1.mga5
firefox-fr-45.5.1-1.mga5
firefox-fy_NL-45.5.1-1.mga5
firefox-ga_IE-45.5.1-1.mga5
firefox-gd-45.5.1-1.mga5
firefox-gl-45.5.1-1.mga5
firefox-gu_IN-45.5.1-1.mga5
firefox-he-45.5.1-1.mga5
firefox-hi_IN-45.5.1-1.mga5
firefox-hr-45.5.1-1.mga5
firefox-hsb-45.5.1-1.mga5
firefox-hu-45.5.1-1.mga5
firefox-hy_AM-45.5.1-1.mga5
firefox-id-45.5.1-1.mga5
firefox-is-45.5.1-1.mga5
firefox-it-45.5.1-1.mga5
firefox-ja-45.5.1-1.mga5
firefox-kk-45.5.1-1.mga5
firefox-km-45.5.1-1.mga5
firefox-kn-45.5.1-1.mga5
firefox-ko-45.5.1-1.mga5
firefox-lij-45.5.1-1.mga5
firefox-lt-45.5.1-1.mga5
firefox-lv-45.5.1-1.mga5
firefox-mai-45.5.1-1.mga5
firefox-mk-45.5.1-1.mga5
firefox-ml-45.5.1-1.mga5
firefox-mr-45.5.1-1.mga5
firefox-ms-45.5.1-1.mga5
firefox-nb_NO-45.5.1-1.mga5
firefox-nl-45.5.1-1.mga5
firefox-nn_NO-45.5.1-1.mga5
firefox-or-45.5.1-1.mga5
firefox-pa_IN-45.5.1-1.mga5
firefox-pl-45.5.1-1.mga5
firefox-pt_BR-45.5.1-1.mga5
firefox-pt_PT-45.5.1-1.mga5
firefox-ro-45.5.1-1.mga5
firefox-ru-45.5.1-1.mga5
firefox-si-45.5.1-1.mga5
firefox-sk-45.5.1-1.mga5
firefox-sl-45.5.1-1.mga5
firefox-sq-45.5.1-1.mga5
firefox-sr-45.5.1-1.mga5
firefox-sv_SE-45.5.1-1.mga5
firefox-ta-45.5.1-1.mga5
firefox-te-45.5.1-1.mga5
firefox-th-45.5.1-1.mga5
firefox-tr-45.5.1-1.mga5
firefox-uk-45.5.1-1.mga5
firefox-uz-45.5.1-1.mga5
firefox-vi-45.5.1-1.mga5
firefox-xh-45.5.1-1.mga5
firefox-zh_CN-45.5.1-1.mga5
firefox-zh_TW-45.5.1-1.mga5

from SRPMS:
nss-3.27.2-1.mga5.src.rpm
firefox-45.5.1-1.mga5.src.rpm
firefox-l10n-45.5.1-1.mga5.src.rpm
Comment 2 Nicolas Salguero 2016-12-02 09:33:06 CET 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/ says thunderbird is also affected.  Do we need a separate bug report or can we handle thunderbird in the current one?

CC: (none) => nicolas.salguero

Comment 3 David Walser 2016-12-02 12:49:13 CET 
(In reply to Nicolas Salguero from comment #2)
> https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/ says
> thunderbird is also affected.  Do we need a separate bug report or can we
> handle thunderbird in the current one?

We always handle them separately now.  I can no longer update Thunderbird myself.  Lightning is bundled, but Mozilla screwed up and the l10n files for it are not in the tarball, so those have to be obtained directly from their VCS.  Florian has usually handled it, but he has dropped the ball this time, so someone else needs to do it.  Thunderbird is in Bug 19815.
Comment 4 David Walser 2016-12-02 12:49:47 CET 
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory and package list in Comment 1.

Assignee: bugsquad => qa-bugs

Comment 5 David Walser 2016-12-02 15:47:53 CET 
Working fine on Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

Comment 6 Brian Rockwell 2016-12-03 03:38:21 CET 
Linux localhost 4.4.32-desktop-1.mga5 #1 SMP Tue Nov 15 10:10:27 UTC 2016 i686 i686 i686 GNU/Linux



To satisfy dependencies, the following package(s) also need to be installed:

- firefox-en_GB-45.5.1-1.mga5.noarch
- firefox-en_ZA-45.5.1-1.mga5.noarch
- libnss3-3.27.2-1.mga5.i586

15KB of additional disk space will be used.


Tested various sites I access.  It appears to be working fine.

CC: (none) => brtians1
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK

Brian Rockwell 2016-12-03 03:39:11 CET

Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK

Comment 7 Ben McMonagle 2016-12-03 04:05:57 CET 
updated to firefox-45.5.1-1.mga5

dependencies:

firefox-en_GB-45.5.1-1.mga5.noarch
firefox-en_ZA-45.5.1-1.mga5.noarch
libnss3-3.27.2-1.mga5.i586

needed to add flash-player-plugin for some sites

tested ok

CC: (none) => westel

Comment 8 Ben McMonagle 2016-12-03 04:29:25 CET 
updated :
 firefox                        45.5.1       1.mga5        x86_64  
  firefox-en_GB                  45.5.1       1.mga5        noarch  
  firefox-en_ZA                  45.5.1       1.mga5        noarch  
  lib64nss3                      3.27.2       1.mga5        x86_64  


(added also flash-player-plugin-11.2.202.644-1.mga5.nonfree.x86_64.rpm)

accessed various websites - ok
youpburden 2016-12-05 21:24:35 CET

Keywords: (none) => validated_update
CC: (none) => youpburden, sysadmin-bugs

Comment 9 Lewis Smith 2016-12-05 21:34:18 CET 
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 10 Mageia Robot 2016-12-05 22:50:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0410.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED