| Summary: | Firefox 52.6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, j.alberto.vc, mageia, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | rootcerts, nspr, firefox, firefox-l10n | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 22434 | ||
Description
David Walser
2018-01-20 19:14:55 CET
David Walser
2018-01-20 19:15:02 CET
Whiteboard:
(none) =>
MGA5TOO

Builds in progress for Mageia 6.

Updated packages in core/updates_testing:
========================
libnspr4-4.18-1.mga6
libnspr-devel-4.18-1.mga6
rootcerts-20180104.00-1.mga6
rootcerts-java-20180104.00-1.mga6
nss-3.28.6-1.3.mga6
nss-doc-3.28.6-1.3.mga6
libnss3-3.28.6-1.3.mga6
libnss-devel-3.28.6-1.3.mga6
libnss-static-devel-3.28.6-1.3.mga6
firefox-52.6.0-1.mga6
firefox-devel-52.6.0-1.mga6
firefox-af-52.6.0-1.mga6
firefox-an-52.6.0-1.mga6
firefox-ar-52.6.0-1.mga6
firefox-as-52.6.0-1.mga6
firefox-ast-52.6.0-1.mga6
firefox-az-52.6.0-1.mga6
firefox-bg-52.6.0-1.mga6
firefox-bn_IN-52.6.0-1.mga6
firefox-bn_BD-52.6.0-1.mga6
firefox-br-52.6.0-1.mga6
firefox-bs-52.6.0-1.mga6
firefox-ca-52.6.0-1.mga6
firefox-cs-52.6.0-1.mga6
firefox-cy-52.6.0-1.mga6
firefox-da-52.6.0-1.mga6
firefox-de-52.6.0-1.mga6
firefox-el-52.6.0-1.mga6
firefox-en_GB-52.6.0-1.mga6
firefox-en_US-52.6.0-1.mga6
firefox-en_ZA-52.6.0-1.mga6
firefox-eo-52.6.0-1.mga6
firefox-es_AR-52.6.0-1.mga6
firefox-es_CL-52.6.0-1.mga6
firefox-es_ES-52.6.0-1.mga6
firefox-es_MX-52.6.0-1.mga6
firefox-et-52.6.0-1.mga6
firefox-eu-52.6.0-1.mga6
firefox-fa-52.6.0-1.mga6
firefox-ff-52.6.0-1.mga6
firefox-fi-52.6.0-1.mga6
firefox-fr-52.6.0-1.mga6
firefox-fy_NL-52.6.0-1.mga6
firefox-ga_IE-52.6.0-1.mga6
firefox-gd-52.6.0-1.mga6
firefox-gl-52.6.0-1.mga6
firefox-gu_IN-52.6.0-1.mga6
firefox-he-52.6.0-1.mga6
firefox-hi_IN-52.6.0-1.mga6
firefox-hr-52.6.0-1.mga6
firefox-hsb-52.6.0-1.mga6
firefox-hu-52.6.0-1.mga6
firefox-hy_AM-52.6.0-1.mga6
firefox-id-52.6.0-1.mga6
firefox-is-52.6.0-1.mga6
firefox-it-52.6.0-1.mga6
firefox-ja-52.6.0-1.mga6
firefox-kk-52.6.0-1.mga6
firefox-km-52.6.0-1.mga6
firefox-kn-52.6.0-1.mga6
firefox-ko-52.6.0-1.mga6
firefox-lij-52.6.0-1.mga6
firefox-lt-52.6.0-1.mga6
firefox-lv-52.6.0-1.mga6
firefox-mai-52.6.0-1.mga6
firefox-mk-52.6.0-1.mga6
firefox-ml-52.6.0-1.mga6
firefox-mr-52.6.0-1.mga6
firefox-ms-52.6.0-1.mga6
firefox-nb_NO-52.6.0-1.mga6
firefox-nl-52.6.0-1.mga6
firefox-nn_NO-52.6.0-1.mga6
firefox-or-52.6.0-1.mga6
firefox-pa_IN-52.6.0-1.mga6
firefox-pl-52.6.0-1.mga6
firefox-pt_BR-52.6.0-1.mga6
firefox-pt_PT-52.6.0-1.mga6
firefox-ro-52.6.0-1.mga6
firefox-ru-52.6.0-1.mga6
firefox-si-52.6.0-1.mga6
firefox-sk-52.6.0-1.mga6
firefox-sl-52.6.0-1.mga6
firefox-sq-52.6.0-1.mga6
firefox-sr-52.6.0-1.mga6
firefox-sv_SE-52.6.0-1.mga6
firefox-ta-52.6.0-1.mga6
firefox-te-52.6.0-1.mga6
firefox-th-52.6.0-1.mga6
firefox-tr-52.6.0-1.mga6
firefox-uk-52.6.0-1.mga6
firefox-uz-52.6.0-1.mga6
firefox-vi-52.6.0-1.mga6
firefox-xh-52.6.0-1.mga6
firefox-zh_CN-52.6.0-1.mga6
firefox-zh_TW-52.6.0-1.mga6

from SRPMS:
nspr-4.18-1.mga6.src.rpm
rootcerts-20180104.00-1.mga6.src.rpm
nss-3.28.6-1.3.mga6.src.rpm
firefox-52.6.0-1.mga6.src.rpm
firefox-l10n-52.6.0-1.mga6.src.rpm
David Walser
2018-01-21 02:01:29 CET
Blocks:
(none) =>
22434

Mageia 5 moved to Bug 22434.

QA can begin testing the Mageia 6 packages now. Advisory to come later.

Assignee:
sysadmin-bugs =>
qa-bugs

$ uname -a
Linux localhost 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

This is a gnome instance

The following 10 packages are going to be installed:

- firefox-52.6.0-1.mga6.x86_64
- firefox-en_GB-52.6.0-1.mga6.noarch
- firefox-en_US-52.6.0-1.mga6.noarch
- firefox-en_ZA-52.6.0-1.mga6.noarch
- glibc-2.22-27.mga6.x86_64
- glibc-devel-2.22-27.mga6.x86_64
- lib64nspr4-4.18-1.mga6.x86_64
- lib64rpm7-4.13.0.2-3.2.mga6.x86_64
- python3-rpm-4.13.0.2-3.2.mga6.x86_64
- rpm-4.13.0.2-3.2.mga6.x86_64

4.3KB of additional disk space will be used.

Installed and rebooted

Able to get to Email, play youtube, etc.

Working as designed.

CC:
(none) =>
brtians1

This has been running for several days on this 64-bit machine with Mageia 6.

CC:
(none) =>
tarazed25

Running fine on this 64-bit Intel Core2Duo-based machine. Using it now to write this comment. Did a fine job on Facebook.

CC:
(none) =>
andrewsfarm

Extra tests on Mageia 6 with local RPMs.

$ rpm -qilp oneplay-dvd-1.1.3-1.x86_64.rpm
Name : oneplay-dvd
Version : 1.1.3
Release : 1
Architecture: x86_64
Install Date: (not installed)
Group : Applications/Internet
Size : 26139454
License : Proprietary
Signature : (none)
Source RPM : oneplay-dvd-1.1.3-1.src.rpm
Build Date : Fri 05 Jun 2015 12:27:51 BST
Build Host : ubuntu1004-64.vmbuild.lan
Relocations : /opt/oneplay-dvd
Packager : Fluendo S.A. <support@fluendo.com>
Vendor : Fluendo S.A.
URL : http://www.fluendo.com/
Summary : ONEPLAY DVD player
Description :
Fluendo DVD Player is a software application specially designed to
reproduce DVD on Linux/Unix platforms, which provides end users with
high quality standards.
* Full DVD Playback
* DVD Menu support
.....................................

$ sudo rpm -i mplayer-skins-1.8-1.nodist.rf.noarch.rpm
seemed to go OK.

mga6 tkimg package already installed so this was expected to fail.

$ rpm -i --test tkimg-1.4-20.fc21.x86_64.rpm
file /usr/lib64/tcl8.6/Img1.4/libjpegtcl8.2.so from install of tkimg-1.4-20.fc21.x86_64 conflicts with file from package tkimg-1.4-7.mga6.x86_64
file /usr/lib64/tcl8.6/Img1.4/libpngtcl1.4.3.so from install of tkimg-1.4-20.fc21.x86_64 conflicts with file from package tkimg-1.4-7.mga6.x86_64
.....................................

OK for 64 bits.

What the ...! Just noticed that this (comment 7) was posted on the wrong bug. Apologies.

Installed on real hardware, Athlon X2 7750, 8GB, nvidia340, Atheros wifi, 64-bit Plasma and server kernel.

Looks good here.

Same hardware as Comment 9, this time a 32-bit Xfce system, server kernel.

Still looks good.

RedHat has issued an advisory for this today (January 24):
https://access.redhat.com/errata/RHSA-2018:0122

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117).

To mitigate timing-based side-channel attacks similar to "Spectre" and "Meltdown", the resolution of performance.now() has been reduced from 5μs to 20μs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0122

Installed and tested without regressions.

Tested multiple websites, including WebGL, flash, video/audio sites.

Installed packages:
- firefox-52.6.0-1.mga6.x86_64
- firefox-pt_PT-52.6.0-1.mga6.noarch
- lib64nspr-devel-4.18-1.mga6.x86_64
- lib64nspr4-4.18-1.mga6.x86_64
- lib64nss-devel-3.28.6-1.3.mga6.x86_64
- lib64nss3-3.28.6-1.3.mga6.x86_64
- nss-3.28.6-1.3.mga6.x86_64
- rootcerts-20180104.00-1.mga6.noarch
- rootcerts-java-20180104.00-1.mga6.noarch

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CC:
(none) =>
mageia

Testing M6/64 Real hardware with Radeon graphics.

lib64nspr4-4.18-1.mga6
rootcerts-20180104.00-1.mga6
rootcerts-java-20180104.00-1.mga6
nss-3.28.6-1.3.mga6
lib64nss3-3.28.6-1.3.mga6
firefox-52.6.0-1.mga6
firefox-cy-52.6.0-1.mga6
firefox-en_GB-52.6.0-1.mga6

Have used this for Bugzilla, BBC site including videos with sound, others not simple. Everything behaved well. Indeed, I wonder whether the awful hesitations of the previous version have gone; which made it almost unusable. I have AdblockPlus, which may be the problem. No - they are still here, but much less evident.

OK for me.

In the light of all the +ve feedback for both architectures (thanks TJ for the 32-bit), I am OKing them & validating the update.

Whiteboard:
(none) =>
MGA6-64-OK MGA6-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0097.html

Status:
NEW =>
RESOLVED

This version still does not put valid information in the lines id= and version= in the file /usr/lib/firefox/distribution/distribution.ini (/usr/lib64/firefox/distribution/distribution.ini for 64 bit systems)

https://bugs.mageia.org/show_bug.cgi?id=20617

CC:
(none) =>
j.alberto.vc