Bug 20178

Summary: Firefox 45.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: jim, lewyssmith, sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/712491/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: firefox CVE:
Status comment:

Description David Walser 2017-01-25 01:54:51 CET 
Firefox 45.7.0 has been released today (January 24):
https://www.mozilla.org/en-US/firefox/45.7.0/releasenotes/

It fixes one set of security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

While NSS 3.28.1 is available, we will not be updating it at this time as it causes regressions and incompatibilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Updated packages in core/updates_testing:
================
firefox-45.7.0-1.mga5
firefox-af-45.7.0-1.mga5
firefox-an-45.7.0-1.mga5
firefox-ar-45.7.0-1.mga5
firefox-as-45.7.0-1.mga5
firefox-ast-45.7.0-1.mga5
firefox-az-45.7.0-1.mga5
firefox-be-45.7.0-1.mga5
firefox-bg-45.7.0-1.mga5
firefox-bn_BD-45.7.0-1.mga5
firefox-bn_IN-45.7.0-1.mga5
firefox-br-45.7.0-1.mga5
firefox-bs-45.7.0-1.mga5
firefox-ca-45.7.0-1.mga5
firefox-cs-45.7.0-1.mga5
firefox-cy-45.7.0-1.mga5
firefox-da-45.7.0-1.mga5
firefox-de-45.7.0-1.mga5
firefox-devel-45.7.0-1.mga5
firefox-el-45.7.0-1.mga5
firefox-en_GB-45.7.0-1.mga5
firefox-en_US-45.7.0-1.mga5
firefox-en_ZA-45.7.0-1.mga5
firefox-eo-45.7.0-1.mga5
firefox-es_AR-45.7.0-1.mga5
firefox-es_CL-45.7.0-1.mga5
firefox-es_ES-45.7.0-1.mga5
firefox-es_MX-45.7.0-1.mga5
firefox-et-45.7.0-1.mga5
firefox-eu-45.7.0-1.mga5
firefox-fa-45.7.0-1.mga5
firefox-ff-45.7.0-1.mga5
firefox-fi-45.7.0-1.mga5
firefox-fr-45.7.0-1.mga5
firefox-fy_NL-45.7.0-1.mga5
firefox-ga_IE-45.7.0-1.mga5
firefox-gd-45.7.0-1.mga5
firefox-gl-45.7.0-1.mga5
firefox-gu_IN-45.7.0-1.mga5
firefox-he-45.7.0-1.mga5
firefox-hi_IN-45.7.0-1.mga5
firefox-hr-45.7.0-1.mga5
firefox-hsb-45.7.0-1.mga5
firefox-hu-45.7.0-1.mga5
firefox-hy_AM-45.7.0-1.mga5
firefox-id-45.7.0-1.mga5
firefox-is-45.7.0-1.mga5
firefox-it-45.7.0-1.mga5
firefox-ja-45.7.0-1.mga5
firefox-kk-45.7.0-1.mga5
firefox-km-45.7.0-1.mga5
firefox-kn-45.7.0-1.mga5
firefox-ko-45.7.0-1.mga5
firefox-lij-45.7.0-1.mga5
firefox-lt-45.7.0-1.mga5
firefox-lv-45.7.0-1.mga5
firefox-mai-45.7.0-1.mga5
firefox-mk-45.7.0-1.mga5
firefox-ml-45.7.0-1.mga5
firefox-mr-45.7.0-1.mga5
firefox-ms-45.7.0-1.mga5
firefox-nb_NO-45.7.0-1.mga5
firefox-nl-45.7.0-1.mga5
firefox-nn_NO-45.7.0-1.mga5
firefox-or-45.7.0-1.mga5
firefox-pa_IN-45.7.0-1.mga5
firefox-pl-45.7.0-1.mga5
firefox-pt_BR-45.7.0-1.mga5
firefox-pt_PT-45.7.0-1.mga5
firefox-ro-45.7.0-1.mga5
firefox-ru-45.7.0-1.mga5
firefox-si-45.7.0-1.mga5
firefox-sk-45.7.0-1.mga5
firefox-sl-45.7.0-1.mga5
firefox-sq-45.7.0-1.mga5
firefox-sr-45.7.0-1.mga5
firefox-sv_SE-45.7.0-1.mga5
firefox-ta-45.7.0-1.mga5
firefox-te-45.7.0-1.mga5
firefox-th-45.7.0-1.mga5
firefox-tr-45.7.0-1.mga5
firefox-uk-45.7.0-1.mga5
firefox-uz-45.7.0-1.mga5
firefox-vi-45.7.0-1.mga5
firefox-xh-45.7.0-1.mga5
firefox-zh_CN-45.7.0-1.mga5
firefox-zh_TW-45.7.0-1.mga5

from SRPMS:
firefox-45.7.0-1.mga5.src.rpm
firefox-l10n-45.7.0-1.mga5.src.rpm
Comment 1 Bill Wilkinson 2017-01-25 05:17:49 CET 
Tested mga5-64

Plugins: Java & flash (Twisted little flash game)

Jetstream for javascript, acid 3 for general use, youtube for html5 video, and general browsing, all OK

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga5-64-ok

Comment 2 David Walser 2017-01-25 12:40:58 CET 
RedHat has issued an advisory for this today (January 25):
https://rhn.redhat.com/errata/RHSA-2017-0190.html

Advisory:
================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380,
CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2017-0190.html
Comment 3 James Kerr 2017-01-25 17:04:21 CET 
On mga5-32

Packages installed:
$ rpm -qa | grep firefox
firefox-en_GB-45.7.0-1.mga5
firefox-45.7.0-1.mga5

Packages installed cleanly. 

Java, flash, html5 all OK
No regressions noted.

OK for mga5-32

CC: (none) => jim

Comment 4 James Kerr 2017-01-25 17:35:40 CET 
On mga5-64

Packages installed:
- firefox-45.7.0-1.mga5.x86_64
- firefox-en_GB-45.7.0-1.mga5.noarch

Packages installed cleanly. 

Java, flash, html5 all OK
No regressions noted.

OK for mga5-64
Comment 5 David Walser 2017-01-25 23:48:45 CET 
James, thanks for testing.  Please post the OK's to the whiteboard when you do.

URL: (none) => https://lwn.net/Vulnerabilities/712491/
Whiteboard: has_procedure mga5-64-ok => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 James Kerr 2017-01-26 00:28:14 CET 
I thought that we usually wanted more than one test on each arch for important applications like Firefox. I must have mis-remembered.
Comment 7 David Walser 2017-01-26 01:15:04 CET 
(In reply to James Kerr from comment #6)
> I thought that we usually wanted more than one test on each arch for
> important applications like Firefox. I must have mis-remembered.

On the contrary, highly critical ones that are usually trivial to test, that we need to get out in a timely manner, you need to not be afraid to OK and validate.  The ones where we want multiple testers mostly tend to be highly hardware-dependent ones like the kernel or some drivers, or where many different configurations need to be tested and have been volatile in the past like virtualbox.
Comment 8 Lewis Smith 2017-01-26 19:48:21 CET 
Validated.
Advisory from comments 0 & 2.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2017-01-27 10:19:56 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0023.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED