Bug 24983

Summary: Firefox 60.7.2 and 67.0.4
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: High CC: andrewsfarm, fri, herman.viaene, jim, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: firefox, firefox-l10n CVE: CVE-2019-11708
Status comment:

Description Nicolas Salguero 2019-06-21 10:05:55 CEST 
Mozilla has released new Firefox versions yesterday (June 20):
https://www.mozilla.org/en-US/firefox/60.7.2/releasenotes/
https://www.mozilla.org/en-US/firefox/67.0.4/releasenotes/

It fixes a vulnerability that's being exploited in the wild:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
Nicolas Salguero 2019-06-21 10:06:43 CEST

Source RPM: (none) => firefox, firefox-l10n
CVE: (none) => CVE-2019-11708
Priority: Normal => High
Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Lewis Smith 2019-06-23 09:32:44 CEST 
Thierry: assigning to you for starters since you have comitted this before. If this is wrong, sorry; I suspect you will know where to push it.
Unsure whether this falls foul of M7 version freeze.

CC: (none) => lewyssmith
Assignee: bugsquad => thierry.vignaud

Comment 2 Thomas Backlund 2019-06-23 11:32:09 CEST 
Cauldron package moved to release before final iso builds started

Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => tmb

Comment 3 Nicolas Salguero 2019-06-24 09:37:00 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability that's being exploited in the wild:

sandbox escape using Prompt:Open. (CVE-2019-11708)

References:
https://www.mozilla.org/en-US/firefox/60.7.2/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
========================

Updated packages in core/updates_testing:
========================
firefox-60.7.2-1.mga6
firefox-devel-60.7.2-1.mga6
firefox-af-60.7.2-1.mga6
firefox-an-60.7.2-1.mga6
firefox-ar-60.7.2-1.mga6
firefox-as-60.7.2-1.mga6
firefox-ast-60.7.2-1.mga6
firefox-az-60.7.2-1.mga6
firefox-bg-60.7.2-1.mga6
firefox-bn_IN-60.7.2-1.mga6
firefox-bn_BD-60.7.2-1.mga6
firefox-br-60.7.2-1.mga6
firefox-bs-60.7.2-1.mga6
firefox-ca-60.7.2-1.mga6
firefox-cs-60.7.2-1.mga6
firefox-cy-60.7.2-1.mga6
firefox-da-60.7.2-1.mga6
firefox-de-60.7.2-1.mga6
firefox-el-60.7.2-1.mga6
firefox-en_GB-60.7.2-1.mga6
firefox-en_US-60.7.2-1.mga6
firefox-en_ZA-60.7.2-1.mga6
firefox-eo-60.7.2-1.mga6
firefox-es_AR-60.7.2-1.mga6 
firefox-es_CL-60.7.2-1.mga6 
firefox-es_ES-60.7.2-1.mga6 
firefox-es_MX-60.7.2-1.mga6 
firefox-et-60.7.2-1.mga6 
firefox-eu-60.7.2-1.mga6 
firefox-fa-60.7.2-1.mga6 
firefox-ff-60.7.2-1.mga6 
firefox-fi-60.7.2-1.mga6 
firefox-fr-60.7.2-1.mga6 
firefox-fy_NL-60.7.2-1.mga6 
firefox-ga_IE-60.7.2-1.mga6 
firefox-gd-60.7.2-1.mga6 
firefox-gl-60.7.2-1.mga6 
firefox-gu_IN-60.7.2-1.mga6 
firefox-he-60.7.2-1.mga6 
firefox-hi_IN-60.7.2-1.mga6
firefox-hr-60.7.2-1.mga6 
firefox-hsb-60.7.2-1.mga6 
firefox-hu-60.7.2-1.mga6 
firefox-hy_AM-60.7.2-1.mga6 
firefox-id-60.7.2-1.mga6 
firefox-is-60.7.2-1.mga6 
firefox-it-60.7.2-1.mga6 
firefox-ja-60.7.2-1.mga6 
firefox-kk-60.7.2-1.mga6 
firefox-km-60.7.2-1.mga6 
firefox-kn-60.7.2-1.mga6 
firefox-ko-60.7.2-1.mga6 
firefox-lij-60.7.2-1.mga6 
firefox-lt-60.7.2-1.mga6 
firefox-lv-60.7.2-1.mga6 
firefox-mai-60.7.2-1.mga6 
firefox-mk-60.7.2-1.mga6 
firefox-ml-60.7.2-1.mga6 
firefox-mr-60.7.2-1.mga6 
firefox-ms-60.7.2-1.mga6 
firefox-nb_NO-60.7.2-1.mga6 
firefox-nl-60.7.2-1.mga6 
firefox-nn_NO-60.7.2-1.mga6 
firefox-or-60.7.2-1.mga6 
firefox-pa_IN-60.7.2-1.mga6 
firefox-pl-60.7.2-1.mga6 
firefox-pt_BR-60.7.2-1.mga6 
firefox-pt_PT-60.7.2-1.mga6 
firefox-ro-60.7.2-1.mga6 
firefox-ru-60.7.2-1.mga6 
firefox-si-60.7.2-1.mga6 
firefox-sk-60.7.2-1.mga6 
firefox-sl-60.7.2-1.mga6 
firefox-sq-60.7.2-1.mga6 
firefox-sr-60.7.2-1.mga6 
firefox-sv_SE-60.7.2-1.mga6 
firefox-ta-60.7.2-1.mga6 
firefox-te-60.7.2-1.mga6 
firefox-th-60.7.2-1.mga6 
firefox-tr-60.7.2-1.mga6 
firefox-uk-60.7.2-1.mga6 
firefox-uz-60.7.2-1.mga6 
firefox-vi-60.7.2-1.mga6 
firefox-xh-60.7.2-1.mga6 
firefox-zh_CN-60.7.2-1.mga6 
firefox-zh_TW-60.7.2-1.mga6

from SRPMS:
firefox-60.7.2-1.mga6.src.rpm
firefox-l10n-60.7.2-1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs

Comment 4 Morgan Leijström 2019-06-25 20:22:48 CEST 
mga6 64 bit, Plasma, swedish.
Working OK a during a day use multiple sites, video, audio.

CC: (none) => fri

Comment 5 Herman Viaene 2019-06-26 11:57:09 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
Installed firefox-60.7.2 in Dutch. no issues
Newspaper site with text, pictures and video all OK.

CC: (none) => herman.viaene

Lewis Smith 2019-06-26 16:18:10 CEST

CC: lewyssmith => (none)

Comment 6 James Kerr 2019-06-28 10:45:45 CEST 
on mga6-64 plasma

packages installed cleanly:
- firefox-60.7.2-1.mga6.x86_64
- firefox-en_GB-60.7.2-1.mga6.noarch

no regressions observed 
looks OK for mga6-64 on this system:

Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.12.0
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530

Whiteboard: (none) => MGA6-64-OK
CC: (none) => jim

Comment 7 Thomas Andrews 2019-07-02 14:46:24 CEST 
Validating. Suggested advisory in Comment 3.

Since all the tests are for the Mga6 version, I'm wondering if the bug's title should be changed to remove the reference to the Mga7 version, but I leave that for others to decide.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-07-02 16:16:28 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-07-02 17:01:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0202.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED