Bug 24549

Summary: Firefox 60.6.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, fri, herman.viaene, lists.jjorge, sysadmin-bugs, tarazed25
Version: 6 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: firefox CVE:
Status comment:

Description David Walser 2019-03-23 00:34:11 CET
Mozilla has released Firefox 60.6.1 today (March 22):
https://www.mozilla.org/en-US/firefox/60.6.1/releasenotes/

It fixes two security issues.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Incorrect alias information in IonMonkey JIT compiler for
Array.prototype.slice method may lead to missing bounds check and a buffer
overflow (CVE-2019-9810).

Incorrect handling of __proto__ mutations may lead to type confusion in
IonMonkey JIT code and can be leveraged for arbitrary memory read and write
(CVE-2019-9813).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9813
https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
========================

Updated packages in core/updates_testing:
========================
firefox-60.6.0-2.mga6
firefox-devel-60.6.0-2.mga6
firefox-af-60.6.1-1.mga6
firefox-an-60.6.1-1.mga6
firefox-ar-60.6.1-1.mga6
firefox-as-60.6.1-1.mga6
firefox-ast-60.6.1-1.mga6
firefox-az-60.6.1-1.mga6
firefox-bg-60.6.1-1.mga6
firefox-bn_IN-60.6.1-1.mga6
firefox-bn_BD-60.6.1-1.mga6
firefox-br-60.6.1-1.mga6
firefox-bs-60.6.1-1.mga6
firefox-ca-60.6.1-1.mga6
firefox-cs-60.6.1-1.mga6
firefox-cy-60.6.1-1.mga6
firefox-da-60.6.1-1.mga6
firefox-de-60.6.1-1.mga6
firefox-el-60.6.1-1.mga6
firefox-en_GB-60.6.1-1.mga6
firefox-en_US-60.6.1-1.mga6
firefox-en_ZA-60.6.1-1.mga6
firefox-eo-60.6.1-1.mga6
firefox-es_AR-60.6.1-1.mga6 
firefox-es_CL-60.6.1-1.mga6 
firefox-es_ES-60.6.1-1.mga6 
firefox-es_MX-60.6.1-1.mga6 
firefox-et-60.6.1-1.mga6 
firefox-eu-60.6.1-1.mga6 
firefox-fa-60.6.1-1.mga6 
firefox-ff-60.6.1-1.mga6 
firefox-fi-60.6.1-1.mga6 
firefox-fr-60.6.1-1.mga6 
firefox-fy_NL-60.6.1-1.mga6 
firefox-ga_IE-60.6.1-1.mga6 
firefox-gd-60.6.1-1.mga6 
firefox-gl-60.6.1-1.mga6 
firefox-gu_IN-60.6.1-1.mga6 
firefox-he-60.6.1-1.mga6 
firefox-hi_IN-60.6.1-1.mga6
firefox-hr-60.6.1-1.mga6 
firefox-hsb-60.6.1-1.mga6 
firefox-hu-60.6.1-1.mga6 
firefox-hy_AM-60.6.1-1.mga6 
firefox-id-60.6.1-1.mga6 
firefox-is-60.6.1-1.mga6 
firefox-it-60.6.1-1.mga6 
firefox-ja-60.6.1-1.mga6 
firefox-kk-60.6.1-1.mga6 
firefox-km-60.6.1-1.mga6 
firefox-kn-60.6.1-1.mga6 
firefox-ko-60.6.1-1.mga6 
firefox-lij-60.6.1-1.mga6 
firefox-lt-60.6.1-1.mga6 
firefox-lv-60.6.1-1.mga6 
firefox-mai-60.6.1-1.mga6 
firefox-mk-60.6.1-1.mga6 
firefox-ml-60.6.1-1.mga6 
firefox-mr-60.6.1-1.mga6 
firefox-ms-60.6.1-1.mga6 
firefox-nb_NO-60.6.1-1.mga6 
firefox-nl-60.6.1-1.mga6 
firefox-nn_NO-60.6.1-1.mga6 
firefox-or-60.6.1-1.mga6 
firefox-pa_IN-60.6.1-1.mga6 
firefox-pl-60.6.1-1.mga6 
firefox-pt_BR-60.6.1-1.mga6 
firefox-pt_PT-60.6.1-1.mga6 
firefox-ro-60.6.1-1.mga6 
firefox-ru-60.6.1-1.mga6 
firefox-si-60.6.1-1.mga6 
firefox-sk-60.6.1-1.mga6 
firefox-sl-60.6.1-1.mga6 
firefox-sq-60.6.1-1.mga6 
firefox-sr-60.6.1-1.mga6 
firefox-sv_SE-60.6.1-1.mga6 
firefox-ta-60.6.1-1.mga6 
firefox-te-60.6.1-1.mga6 
firefox-th-60.6.1-1.mga6 
firefox-tr-60.6.1-1.mga6 
firefox-uk-60.6.1-1.mga6 
firefox-uz-60.6.1-1.mga6 
firefox-vi-60.6.1-1.mga6 
firefox-xh-60.6.1-1.mga6 
firefox-zh_CN-60.6.1-1.mga6 
firefox-zh_TW-60.6.1-1.mga6

from SRPMS:
firefox-60.6.0-2.mga6.src.rpm
firefox-l10n-60.6.0-1.mga6.src.rpm

Comment 1 Herman Viaene 2019-03-23 12:03:18 CET
@ David
Is this list correct? As far as I can see, firefox-60.6.0-2.mga6 is the current version in our repo.

CC: (none) => herman.viaene

Comment 2 David Walser 2019-03-23 15:32:36 CET
(In reply to Herman Viaene from comment #1)
> @ David
> Is this list correct? As far as I can see, firefox-60.6.0-2.mga6 is the
> current version in our repo.

Yes, that's what my list shows.

Comment 3 David Walser 2019-03-23 15:33:28 CET
(In reply to David Walser from comment #2)
> (In reply to Herman Viaene from comment #1)
> > @ David
> > Is this list correct? As far as I can see, firefox-60.6.0-2.mga6 is the
> > current version in our repo.
> 
> Yes, that's what my list shows.

Oh I see the typo now.  Sorry.

Comment 4 David Walser 2019-03-23 15:34:26 CET
Updated packages in core/updates_testing:
========================
firefox-60.6.1-2.mga6
firefox-devel-60.6.1-2.mga6
firefox-af-60.6.1-1.mga6
firefox-an-60.6.1-1.mga6
firefox-ar-60.6.1-1.mga6
firefox-as-60.6.1-1.mga6
firefox-ast-60.6.1-1.mga6
firefox-az-60.6.1-1.mga6
firefox-bg-60.6.1-1.mga6
firefox-bn_IN-60.6.1-1.mga6
firefox-bn_BD-60.6.1-1.mga6
firefox-br-60.6.1-1.mga6
firefox-bs-60.6.1-1.mga6
firefox-ca-60.6.1-1.mga6
firefox-cs-60.6.1-1.mga6
firefox-cy-60.6.1-1.mga6
firefox-da-60.6.1-1.mga6
firefox-de-60.6.1-1.mga6
firefox-el-60.6.1-1.mga6
firefox-en_GB-60.6.1-1.mga6
firefox-en_US-60.6.1-1.mga6
firefox-en_ZA-60.6.1-1.mga6
firefox-eo-60.6.1-1.mga6
firefox-es_AR-60.6.1-1.mga6 
firefox-es_CL-60.6.1-1.mga6 
firefox-es_ES-60.6.1-1.mga6 
firefox-es_MX-60.6.1-1.mga6 
firefox-et-60.6.1-1.mga6 
firefox-eu-60.6.1-1.mga6 
firefox-fa-60.6.1-1.mga6 
firefox-ff-60.6.1-1.mga6 
firefox-fi-60.6.1-1.mga6 
firefox-fr-60.6.1-1.mga6 
firefox-fy_NL-60.6.1-1.mga6 
firefox-ga_IE-60.6.1-1.mga6 
firefox-gd-60.6.1-1.mga6 
firefox-gl-60.6.1-1.mga6 
firefox-gu_IN-60.6.1-1.mga6 
firefox-he-60.6.1-1.mga6 
firefox-hi_IN-60.6.1-1.mga6
firefox-hr-60.6.1-1.mga6 
firefox-hsb-60.6.1-1.mga6 
firefox-hu-60.6.1-1.mga6 
firefox-hy_AM-60.6.1-1.mga6 
firefox-id-60.6.1-1.mga6 
firefox-is-60.6.1-1.mga6 
firefox-it-60.6.1-1.mga6 
firefox-ja-60.6.1-1.mga6 
firefox-kk-60.6.1-1.mga6 
firefox-km-60.6.1-1.mga6 
firefox-kn-60.6.1-1.mga6 
firefox-ko-60.6.1-1.mga6 
firefox-lij-60.6.1-1.mga6 
firefox-lt-60.6.1-1.mga6 
firefox-lv-60.6.1-1.mga6 
firefox-mai-60.6.1-1.mga6 
firefox-mk-60.6.1-1.mga6 
firefox-ml-60.6.1-1.mga6 
firefox-mr-60.6.1-1.mga6 
firefox-ms-60.6.1-1.mga6 
firefox-nb_NO-60.6.1-1.mga6 
firefox-nl-60.6.1-1.mga6 
firefox-nn_NO-60.6.1-1.mga6 
firefox-or-60.6.1-1.mga6 
firefox-pa_IN-60.6.1-1.mga6 
firefox-pl-60.6.1-1.mga6 
firefox-pt_BR-60.6.1-1.mga6 
firefox-pt_PT-60.6.1-1.mga6 
firefox-ro-60.6.1-1.mga6 
firefox-ru-60.6.1-1.mga6 
firefox-si-60.6.1-1.mga6 
firefox-sk-60.6.1-1.mga6 
firefox-sl-60.6.1-1.mga6 
firefox-sq-60.6.1-1.mga6 
firefox-sr-60.6.1-1.mga6 
firefox-sv_SE-60.6.1-1.mga6 
firefox-ta-60.6.1-1.mga6 
firefox-te-60.6.1-1.mga6 
firefox-th-60.6.1-1.mga6 
firefox-tr-60.6.1-1.mga6 
firefox-uk-60.6.1-1.mga6 
firefox-uz-60.6.1-1.mga6 
firefox-vi-60.6.1-1.mga6 
firefox-xh-60.6.1-1.mga6 
firefox-zh_CN-60.6.1-1.mga6 
firefox-zh_TW-60.6.1-1.mga6

from SRPMS:
firefox-60.6.1-2.mga6.src.rpm
firefox-l10n-60.6.0-1.mga6.src.rpm
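
The version slip corrected in Comment 4 is the kind of error a small lint over the package list catches before QA starts. The following is an added example, not part of the original thread and not Mageia's own tooling; the function names are hypothetical, and the sample lists are short excerpts of the two lists posted above.

```python
"""Lint an advisory package list: flag entries not at the expected upstream version."""
import re

# Strip a trailing ".<arch>.rpm" (e.g. ".src.rpm") so file names parse like package names.
_RPM_SUFFIX = re.compile(r"\.[A-Za-z0-9_]+\.rpm$")


def parse_nvr(entry):
    """Split 'name-version-release' from the right, since names may contain hyphens."""
    parts = _RPM_SUFFIX.sub("", entry.strip()).rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a name-version-release string: {entry!r}")
    return tuple(parts)


def version_mismatches(listing, expected_version):
    """Return [(line_no, entry, found_version)] for entries not at expected_version."""
    bad = []
    for line_no, line in enumerate(listing.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            _name, version, _release = parse_nvr(line)
        except ValueError:
            bad.append((line_no, line, None))  # unparseable lines are reported too
            continue
        if version != expected_version:
            bad.append((line_no, line, version))
    return bad


# Excerpts of the two lists in this thread (Description, then Comment 4).
AS_FIRST_POSTED = """\
firefox-60.6.0-2.mga6
firefox-devel-60.6.0-2.mga6
firefox-af-60.6.1-1.mga6
firefox-en_US-60.6.1-1.mga6
"""
AS_CORRECTED = """\
firefox-60.6.1-2.mga6
firefox-devel-60.6.1-2.mga6
firefox-af-60.6.1-1.mga6
firefox-en_US-60.6.1-1.mga6
"""

if __name__ == "__main__":
    for label, listing in (("first", AS_FIRST_POSTED), ("corrected", AS_CORRECTED)):
        print(label, version_mismatches(listing, "60.6.1"))
```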

Comment 5 Len Lawrence 2019-03-24 19:28:13 CET
mga6, x86_64

Installed and relaunched firefox (English language packs)
Existing tabs preserved and all bookmarks.  Played videos on Vevo and Youtube.
General browsing and searching OK.
localhost port addressing works fine.
localhost:631 for CUPS printing
Started a php server on port 8080 and ran a couple of simple php scripts in the browser.
Two of the acid tests failed.  They always do.

CC: (none) => tarazed25

Comment 6 Herman Viaene 2019-03-25 11:46:40 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (Dutch pack)
Nothing obviously wrong with the usual newspaper site, these Mageia updates pages and webmin: OK for me.

Comment 7 Len Lawrence 2019-03-26 21:56:24 CET
Leaving the OKs for other testers - i.e. other lang-packs.

Comment 8 David Walser 2019-03-27 15:41:44 CET
Red Hat has issued an advisory for this today (March 27):
https://access.redhat.com/errata/RHSA-2019:0671

Comment 9 José Jorge 2019-03-30 07:31:21 CET
Tested in Portuguese, 32 bit laptop, ublock extension. No problem.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => lists.jjorge

Comment 10 Thomas Andrews 2019-04-02 20:49:48 CEST
Tested in English, 64-bit. Tried several websites, including one known to *still* use Flash. Everything looks OK.

I think we can move this one along.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-04-04 14:14:20 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Morgan Leijström 2019-04-05 10:20:56 CEST
OK: Swedish, Plasma, 64 bit.
Been running it with no problem since it appeared in repo.
- Seems I forgot to report...

CC: (none) => fri

Comment 12 Mageia Robot 2019-04-05 20:14:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0131.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED