Bug 24361

Summary: Firefox 60.5.1
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, herman.viaene, sysadmin-bugs, wrw105
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK, mga6-64-ok
Source RPM: firefox
CVE:
Status comment:

Description David Walser 2019-02-15 00:09:29 CET
Mozilla has released Firefox 60.5.1 today (February 14):
https://www.mozilla.org/en-US/firefox/60.5.1/releasenotes/

The security issues fixed are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/

Package builds are starting.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Updated packages in core/updates_testing:
========================
firefox-60.5.1-1.mga6
firefox-devel-60.5.1-1.mga6
firefox-af-60.5.1-1.mga6
firefox-an-60.5.1-1.mga6
firefox-ar-60.5.1-1.mga6
firefox-as-60.5.1-1.mga6
firefox-ast-60.5.1-1.mga6
firefox-az-60.5.1-1.mga6
firefox-bg-60.5.1-1.mga6
firefox-bn_IN-60.5.1-1.mga6
firefox-bn_BD-60.5.1-1.mga6
firefox-br-60.5.1-1.mga6
firefox-bs-60.5.1-1.mga6
firefox-ca-60.5.1-1.mga6
firefox-cs-60.5.1-1.mga6
firefox-cy-60.5.1-1.mga6
firefox-da-60.5.1-1.mga6
firefox-de-60.5.1-1.mga6
firefox-el-60.5.1-1.mga6
firefox-en_GB-60.5.1-1.mga6
firefox-en_US-60.5.1-1.mga6
firefox-en_ZA-60.5.1-1.mga6
firefox-eo-60.5.1-1.mga6
firefox-es_AR-60.5.1-1.mga6 
firefox-es_CL-60.5.1-1.mga6 
firefox-es_ES-60.5.1-1.mga6 
firefox-es_MX-60.5.1-1.mga6 
firefox-et-60.5.1-1.mga6 
firefox-eu-60.5.1-1.mga6 
firefox-fa-60.5.1-1.mga6 
firefox-ff-60.5.1-1.mga6 
firefox-fi-60.5.1-1.mga6 
firefox-fr-60.5.1-1.mga6 
firefox-fy_NL-60.5.1-1.mga6 
firefox-ga_IE-60.5.1-1.mga6 
firefox-gd-60.5.1-1.mga6 
firefox-gl-60.5.1-1.mga6 
firefox-gu_IN-60.5.1-1.mga6 
firefox-he-60.5.1-1.mga6 
firefox-hi_IN-60.5.1-1.mga6
firefox-hr-60.5.1-1.mga6 
firefox-hsb-60.5.1-1.mga6 
firefox-hu-60.5.1-1.mga6 
firefox-hy_AM-60.5.1-1.mga6 
firefox-id-60.5.1-1.mga6 
firefox-is-60.5.1-1.mga6 
firefox-it-60.5.1-1.mga6 
firefox-ja-60.5.1-1.mga6 
firefox-kk-60.5.1-1.mga6 
firefox-km-60.5.1-1.mga6 
firefox-kn-60.5.1-1.mga6 
firefox-ko-60.5.1-1.mga6 
firefox-lij-60.5.1-1.mga6 
firefox-lt-60.5.1-1.mga6 
firefox-lv-60.5.1-1.mga6 
firefox-mai-60.5.1-1.mga6 
firefox-mk-60.5.1-1.mga6 
firefox-ml-60.5.1-1.mga6 
firefox-mr-60.5.1-1.mga6 
firefox-ms-60.5.1-1.mga6 
firefox-nb_NO-60.5.1-1.mga6 
firefox-nl-60.5.1-1.mga6 
firefox-nn_NO-60.5.1-1.mga6 
firefox-or-60.5.1-1.mga6 
firefox-pa_IN-60.5.1-1.mga6 
firefox-pl-60.5.1-1.mga6 
firefox-pt_BR-60.5.1-1.mga6 
firefox-pt_PT-60.5.1-1.mga6 
firefox-ro-60.5.1-1.mga6 
firefox-ru-60.5.1-1.mga6 
firefox-si-60.5.1-1.mga6 
firefox-sk-60.5.1-1.mga6 
firefox-sl-60.5.1-1.mga6 
firefox-sq-60.5.1-1.mga6 
firefox-sr-60.5.1-1.mga6 
firefox-sv_SE-60.5.1-1.mga6 
firefox-ta-60.5.1-1.mga6 
firefox-te-60.5.1-1.mga6 
firefox-th-60.5.1-1.mga6 
firefox-tr-60.5.1-1.mga6 
firefox-uk-60.5.1-1.mga6 
firefox-uz-60.5.1-1.mga6 
firefox-vi-60.5.1-1.mga6 
firefox-xh-60.5.1-1.mga6 
firefox-zh_CN-60.5.1-1.mga6 
firefox-zh_TW-60.5.1-1.mga6

from SRPMS:
firefox-60.5.1-1.mga6.src.rpm
firefox-l10n-60.5.1-1.mga6.src.rpm

Comment 1 Herman Viaene 2019-02-15 15:32:37 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (Dutch version)
This website works OK with it, as does my usual newspaper with text, sound, pictures and video.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 2 Bill Wilkinson 2019-02-15 16:24:39 CET
Tested mga6-64.

Acid 3 ok-ish, but no different than usual.
Jetstream ok
General browsing ok
YouTube video ok

Validating, ready for push when advisory uploaded to SVN.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK, mga6-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 3 David Walser 2019-02-15 19:03:22 CET
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A use-after-free vulnerability in the Skia library can occur when creating a
path, leading to a potentially exploitable crash (CVE-2018-18356).

An integer overflow vulnerability in the Skia library can occur after specific
transform operations, leading to a potentially exploitable crash
(CVE-2019-5785).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Dave Hodgins 2019-02-17 17:41:01 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2019-02-17 18:19:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0089.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2019-02-19 18:32:40 CET
Red Hat has issued an advisory for this today (February 19):
https://access.redhat.com/errata/RHSA-2019:0374