Bug 22024

Summary: Firefox 52.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, jim, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Source RPM: rootcerts, firefox CVE:
Status comment:

Description David Walser 2017-11-14 22:59:52 CET 
Mozilla has released Firefox 52.5.0 today (November 14):
https://www.mozilla.org/en-US/firefox/52.5.0/releasenotes/

It fixes a few security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/

No advisory from RedHat yet.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7830
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20171025.00-1.mga5
rootcerts-java-20171025.00-1.mga5
nss-3.28.6-1.1.mga5
nss-doc-3.28.6-1.1.mga5
libnss3-3.28.6-1.1.mga5
libnss-devel-3.28.6-1.1.mga5
libnss-static-devel-3.28.6-1.1.mga5
firefox-52.5.0-1.mga5
firefox-devel-52.5.0-1.mga5
firefox-af-52.5.0-1.mga5
firefox-an-52.5.0-1.mga5
firefox-ar-52.5.0-1.mga5
firefox-as-52.5.0-1.mga5
firefox-ast-52.5.0-1.mga5
firefox-az-52.5.0-1.mga5
firefox-bg-52.5.0-1.mga5
firefox-bn_IN-52.5.0-1.mga5
firefox-bn_BD-52.5.0-1.mga5
firefox-br-52.5.0-1.mga5
firefox-bs-52.5.0-1.mga5
firefox-ca-52.5.0-1.mga5
firefox-cs-52.5.0-1.mga5
firefox-cy-52.5.0-1.mga5
firefox-da-52.5.0-1.mga5
firefox-de-52.5.0-1.mga5
firefox-el-52.5.0-1.mga5
firefox-en_GB-52.5.0-1.mga5
firefox-en_US-52.5.0-1.mga5
firefox-en_ZA-52.5.0-1.mga5
firefox-eo-52.5.0-1.mga5
firefox-es_AR-52.5.0-1.mga5
firefox-es_CL-52.5.0-1.mga5
firefox-es_ES-52.5.0-1.mga5
firefox-es_MX-52.5.0-1.mga5
firefox-et-52.5.0-1.mga5
firefox-eu-52.5.0-1.mga5
firefox-fa-52.5.0-1.mga5
firefox-ff-52.5.0-1.mga5
firefox-fi-52.5.0-1.mga5
firefox-fr-52.5.0-1.mga5
firefox-fy_NL-52.5.0-1.mga5
firefox-ga_IE-52.5.0-1.mga5
firefox-gd-52.5.0-1.mga5
firefox-gl-52.5.0-1.mga5
firefox-gu_IN-52.5.0-1.mga5
firefox-he-52.5.0-1.mga5
firefox-hi_IN-52.5.0-1.mga5
firefox-hr-52.5.0-1.mga5
firefox-hsb-52.5.0-1.mga5
firefox-hu-52.5.0-1.mga5
firefox-hy_AM-52.5.0-1.mga5
firefox-id-52.5.0-1.mga5
firefox-is-52.5.0-1.mga5
firefox-it-52.5.0-1.mga5
firefox-ja-52.5.0-1.mga5
firefox-kk-52.5.0-1.mga5
firefox-km-52.5.0-1.mga5
firefox-kn-52.5.0-1.mga5
firefox-ko-52.5.0-1.mga5
firefox-lij-52.5.0-1.mga5
firefox-lt-52.5.0-1.mga5
firefox-lv-52.5.0-1.mga5
firefox-mai-52.5.0-1.mga5
firefox-mk-52.5.0-1.mga5
firefox-ml-52.5.0-1.mga5
firefox-mr-52.5.0-1.mga5
firefox-ms-52.5.0-1.mga5
firefox-nb_NO-52.5.0-1.mga5
firefox-nl-52.5.0-1.mga5
firefox-nn_NO-52.5.0-1.mga5
firefox-or-52.5.0-1.mga5
firefox-pa_IN-52.5.0-1.mga5
firefox-pl-52.5.0-1.mga5
firefox-pt_BR-52.5.0-1.mga5
firefox-pt_PT-52.5.0-1.mga5
firefox-ro-52.5.0-1.mga5
firefox-ru-52.5.0-1.mga5
firefox-si-52.5.0-1.mga5
firefox-sk-52.5.0-1.mga5
firefox-sl-52.5.0-1.mga5
firefox-sq-52.5.0-1.mga5
firefox-sr-52.5.0-1.mga5
firefox-sv_SE-52.5.0-1.mga5
firefox-ta-52.5.0-1.mga5
firefox-te-52.5.0-1.mga5
firefox-th-52.5.0-1.mga5
firefox-tr-52.5.0-1.mga5
firefox-uk-52.5.0-1.mga5
firefox-uz-52.5.0-1.mga5
firefox-vi-52.5.0-1.mga5
firefox-xh-52.5.0-1.mga5
firefox-zh_CN-52.5.0-1.mga5
firefox-zh_TW-52.5.0-1.mga5
rootcerts-20171025.00-1.mga6
rootcerts-java-20171025.00-1.mga6
nss-3.28.6-1.1.mga6
nss-doc-3.28.6-1.1.mga6
libnss3-3.28.6-1.1.mga6
libnss-devel-3.28.6-1.1.mga6
libnss-static-devel-3.28.6-1.1.mga6
firefox-52.5.0-1.mga6
firefox-devel-52.5.0-1.mga6
firefox-af-52.5.0-1.mga6
firefox-an-52.5.0-1.mga6
firefox-ar-52.5.0-1.mga6
firefox-as-52.5.0-1.mga6
firefox-ast-52.5.0-1.mga6
firefox-az-52.5.0-1.mga6
firefox-bg-52.5.0-1.mga6
firefox-bn_IN-52.5.0-1.mga6
firefox-bn_BD-52.5.0-1.mga6
firefox-br-52.5.0-1.mga6
firefox-bs-52.5.0-1.mga6
firefox-ca-52.5.0-1.mga6
firefox-cs-52.5.0-1.mga6
firefox-cy-52.5.0-1.mga6
firefox-da-52.5.0-1.mga6
firefox-de-52.5.0-1.mga6
firefox-el-52.5.0-1.mga6
firefox-en_GB-52.5.0-1.mga6
firefox-en_US-52.5.0-1.mga6
firefox-en_ZA-52.5.0-1.mga6
firefox-eo-52.5.0-1.mga6
firefox-es_AR-52.5.0-1.mga6
firefox-es_CL-52.5.0-1.mga6
firefox-es_ES-52.5.0-1.mga6
firefox-es_MX-52.5.0-1.mga6
firefox-et-52.5.0-1.mga6
firefox-eu-52.5.0-1.mga6
firefox-fa-52.5.0-1.mga6
firefox-ff-52.5.0-1.mga6
firefox-fi-52.5.0-1.mga6
firefox-fr-52.5.0-1.mga6
firefox-fy_NL-52.5.0-1.mga6
firefox-ga_IE-52.5.0-1.mga6
firefox-gd-52.5.0-1.mga6
firefox-gl-52.5.0-1.mga6
firefox-gu_IN-52.5.0-1.mga6
firefox-he-52.5.0-1.mga6
firefox-hi_IN-52.5.0-1.mga6
firefox-hr-52.5.0-1.mga6
firefox-hsb-52.5.0-1.mga6
firefox-hu-52.5.0-1.mga6
firefox-hy_AM-52.5.0-1.mga6
firefox-id-52.5.0-1.mga6
firefox-is-52.5.0-1.mga6
firefox-it-52.5.0-1.mga6
firefox-ja-52.5.0-1.mga6
firefox-kk-52.5.0-1.mga6
firefox-km-52.5.0-1.mga6
firefox-kn-52.5.0-1.mga6
firefox-ko-52.5.0-1.mga6
firefox-lij-52.5.0-1.mga6
firefox-lt-52.5.0-1.mga6
firefox-lv-52.5.0-1.mga6
firefox-mai-52.5.0-1.mga6
firefox-mk-52.5.0-1.mga6
firefox-ml-52.5.0-1.mga6
firefox-mr-52.5.0-1.mga6
firefox-ms-52.5.0-1.mga6
firefox-nb_NO-52.5.0-1.mga6
firefox-nl-52.5.0-1.mga6
firefox-nn_NO-52.5.0-1.mga6
firefox-or-52.5.0-1.mga6
firefox-pa_IN-52.5.0-1.mga6
firefox-pl-52.5.0-1.mga6
firefox-pt_BR-52.5.0-1.mga6
firefox-pt_PT-52.5.0-1.mga6
firefox-ro-52.5.0-1.mga6
firefox-ru-52.5.0-1.mga6
firefox-si-52.5.0-1.mga6
firefox-sk-52.5.0-1.mga6
firefox-sl-52.5.0-1.mga6
firefox-sq-52.5.0-1.mga6
firefox-sr-52.5.0-1.mga6
firefox-sv_SE-52.5.0-1.mga6
firefox-ta-52.5.0-1.mga6
firefox-te-52.5.0-1.mga6
firefox-th-52.5.0-1.mga6
firefox-tr-52.5.0-1.mga6
firefox-uk-52.5.0-1.mga6
firefox-uz-52.5.0-1.mga6
firefox-vi-52.5.0-1.mga6
firefox-xh-52.5.0-1.mga6
firefox-zh_CN-52.5.0-1.mga6
firefox-zh_TW-52.5.0-1.mga6

from SRPMS:
rootcerts-20171025.00-1.mga5.src.rpm
nss-3.28.6-1.1.mga5.src.rpm
firefox-52.5.0-1.mga5.src.rpm
firefox-l10n-52.5.0-1.mga5.src.rpm
rootcerts-20171025.00-1.mga6.src.rpm
nss-3.28.6-1.1.mga6.src.rpm
firefox-52.5.0-1.mga6.src.rpm
firefox-l10n-52.5.0-1.mga6.src.rpm
David Walser 2017-11-14 23:00:00 CET

Whiteboard: (none) => MGA5TOO

Comment 1 James Kerr 2017-11-15 16:25:29 CET 
on mga6-64

packages installed cleanly

- firefox-52.5.0-1.mga6.x86_64
- firefox-en_GB-52.5.0-1.mga6.noarch
- lib64nss3-3.28.6-1.1.mga6.x86_64
- nss-3.28.6-1.1.mga6.x86_64
- rootcerts-20171025.00-1.mga6.noarch
- rootcerts-java-20171025.00-1.mga6.noarch

tested on a variey of web sites
played video and streaming video

no regressions noted

OK for mga6-64

CC: (none) => jim
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 2 Len Lawrence 2017-11-15 17:18:27 CET 
Mageia 6 on x86_64

Updated from Firefox 52.4 to 53.5 with firefox-en components.
Restarted firefox with all previous tabs and checked bookmarking, add-ons, youtube and retrieving bookmarked pages.  Linked OK from emails. 

Hopefully other language packs can be checked by other testers.

CC: (none) => tarazed25

Comment 3 James Kerr 2017-11-15 17:40:42 CET 
on mga6-32 in a vbox VM

packages installed cleanly:
- firefox-52.5.0-1.mga6.i586
- firefox-en_GB-52.5.0-1.mga6.noarch
- libnss3-3.28.6-1.1.mga6.i586
- nss-3.28.6-1.1.mga6.i586
- rootcerts-20171025.00-1.mga6.noarch
- rootcerts-java-20171025.00-1.mga6.noarch

tested on a number of websites
played videos and streaming video

no regressions noted

OK for mga6-32

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK

Comment 4 Herman Viaene 2017-11-16 14:54:20 CET 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
View images, video from newspaper and youtube, no obvious setbacks.

Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 James Kerr 2017-11-16 16:08:18 CET 
on mga5-64, packages installed cleanly:
- firefox-52.5.0-1.mga5.x86_64
- firefox-en_GB-52.5.0-1.mga5.noarch
- lib64nss3-3.28.6-1.1.mga5.x86_64
- nss-3.28.6-1.1.mga5.x86_64
- rootcerts-20171025.00-1.mga5.noarch
- rootcerts-java-20171025.00-1.mga5.noarch

firefox-sync settings restored OK
Tested on a variety of web sites, including video and streaming video.

No regressions noted

OK for mga5-64

Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK

Comment 6 James Kerr 2017-11-16 16:10:30 CET 
restored Herman's OK - sorry

Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK

Comment 7 David Walser 2017-11-17 19:59:49 CET 
RedHat has issued an advisory for this today (November 17):
https://access.redhat.com/errata/RHSA-2017:3247

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2017-7826, CVE-2017-7828, CVE-2017-7830).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7830
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2017:3247
Comment 8 James Kerr 2017-11-18 13:47:14 CET 
Only a few tests but no problems detected and this is only a sub-version update, and so I have validated it.

The Advisory in comment#7 needs to be uploaded to SVN

The update can then be pushed

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2017-11-19 10:56:38 CET

Keywords: (none) => advisory

Comment 9 Mageia Robot 2017-11-19 12:20:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0418.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED