| Summary: | Firefox 60.6 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, fri, marja11, mhrambo3501, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | rootcerts, nspr, firefox, firefox-l10n | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-03-19 13:10:22 CET
Firefox build failed:
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190319121625.luigiwalser.duvel.35403/log/firefox-60.6.0-1.mga6/build.0.20190319121711.log

with:
0:03.48 mozbuild.configure.options.InvalidOptionError: Unknown option: --with-google-api-keyfile

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing two of our great FF security fixers :-)

CC: (none) => marja11, mrambo, nicolas.salguero

For the record, I assigned for help with this:

(In reply to David Walser from comment #1)
> Firefox build failed:
> http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190319121625.luigiwalser.duvel.35403/log/firefox-60.6.0-1.mga6/build.0.20190319121711.log
>
> with:
> 0:03.48 mozbuild.configure.options.InvalidOptionError: Unknown option:
> --with-google-api-keyfile

Hi,

According to https://forum.manjaro.org/t/out-of-band-update-2019-03-18-firefox-66-0/79554/2, the option "--with-google-api-keyfile" was replaced by two other options: "--with-google-location-service-api-keyfile" and "--with-google-safebrowsing-api-keyfile" in Firefox 66. Maybe for Firefox ESR 60.6, this change also applies.

Best regards,

Nico.

Nicolas changed the release tag (we should be able to re-push ARM without doing that, with sysadmin help) for firefox, so now it's:

firefox-60.6.0-2.mga6
firefox-devel-60.6.0-2.mga6

from firefox-60.6.0-2.mga6.src.rpm

firefox-l10n is building now, so everything should be available soon.

Release notes and security advisories have been posted.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9796
https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Assignee: pkg-bugs => qa-bugs

RedHat has issued an advisory for this today (March 20):
https://access.redhat.com/errata/RHSA-2019:0622

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506).

Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788).

Use-after-free when removing in-use DOM elements (CVE-2019-9790).

Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791).

IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792).

Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793).

Type-confusion in IonMonkey JIT compiler (CVE-2019-9795).

Use-after-free with SMIL animation controller (CVE-2019-9796).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9796
https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2019:0622

64 bit, plasma, nvidia: Simple tests = it works here; Shut down Firefox, upgraded, restarted, and it reopened all tabs OK, remember cookies etc, video is OK, internet bank OK, I just keep on using it a couple hours counting.

Note this system updates all to updates_testing.

CC: (none) => fri

Advisory committed to svn.

Testing ok on x86_64 and on i586 under vb. Validating the update.

Whiteboard: (none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0116.html

Resolution: (none) => FIXED