| Summary: | Firefox 68.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, bjarne.thomsen, herman.viaene, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | rootcerts, nspr, nss, firefox, firefox-l10n | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 25597 | | |

Description
David Walser
2019-10-22 14:44:38 CEST
Nicolas pushed nss to Cauldron and rootcerts and nspr to Mageia 7 (still needs nss). Hopefully he'll beat me to the firefox update too since I can't do it from work.

CC: (none) => nicolas.salguero
Nicolas Salguero
2019-10-23 09:14:42 CEST
Blocks: (none) => 25597

Firefox has no dedicated maintainer, so rather than assigning this bug globally, could one of you possibly assign the bug to yourself pending the new packages in core/updates_testing? TIA
Nicolas Salguero
2019-10-23 12:51:21 CEST
Assignee: bugsquad => nicolas.salguero

RedHat has issued an advisory for this today (October 23):
https://access.redhat.com/errata/RHSA-2019:3193
What are we waiting for, exactly?

CC: (none) => bjarne.thomsen

Suggested advisory:

========================

The updated packages fix several bugs and some security issues:

Heap overflow in expat library in XML_GetCurrentLineNumber. (CVE-2019-15903)

Use-after-free when creating index updates in IndexedDB. (CVE-2019-11757)

Potentially exploitable crash due to 360 Total Security. (CVE-2019-11758)

Stack buffer overflow in HKDF output. (CVE-2019-11759)

Stack buffer overflow in WebRTC networking. (CVE-2019-11760)

Unintended access to a privileged JSONView object. (CVE-2019-11761)

document.domain-based origin isolation has same-origin-property violation. (CVE-2019-11762)

Incorrect HTML parsing results in XSS bypass technique. (CVE-2019-11763)

Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2. (CVE-2019-11764)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11757
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11759
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11764
https://www.mozilla.org/en-US/firefox/68.2.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-33/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes
https://access.redhat.com/errata/RHSA-2019:3193

========================

Updated packages in core/updates_testing:

========================

firefox-68.2.0-1.mga7
firefox-devel-68.2.0-1.mga7
firefox-af-68.2.0-1.mga7
firefox-an-68.2.0-1.mga7
firefox-ar-68.2.0-1.mga7
firefox-ast-68.2.0-1.mga7
firefox-az-68.2.0-1.mga7
firefox-bg-68.2.0-1.mga7
firefox-bn-68.2.0-1.mga7
firefox-br-68.2.0-1.mga7
firefox-bs-68.2.0-1.mga7
firefox-ca-68.2.0-1.mga7
firefox-cs-68.2.0-1.mga7
firefox-cy-68.2.0-1.mga7
firefox-da-68.2.0-1.mga7
firefox-de-68.2.0-1.mga7
firefox-el-68.2.0-1.mga7
firefox-en_GB-68.2.0-1.mga7
firefox-en_US-68.2.0-1.mga7
firefox-eo-68.2.0-1.mga7
firefox-es_AR-68.2.0-1.mga7
firefox-es_CL-68.2.0-1.mga7
firefox-es_ES-68.2.0-1.mga7
firefox-es_MX-68.2.0-1.mga7
firefox-et-68.2.0-1.mga7
firefox-eu-68.2.0-1.mga7
firefox-fa-68.2.0-1.mga7
firefox-ff-68.2.0-1.mga7
firefox-fi-68.2.0-1.mga7
firefox-fr-68.2.0-1.mga7
firefox-fy_NL-68.2.0-1.mga7
firefox-ga_IE-68.2.0-1.mga7
firefox-gd-68.2.0-1.mga7
firefox-gl-68.2.0-1.mga7
firefox-gu_IN-68.2.0-1.mga7
firefox-he-68.2.0-1.mga7
firefox-hi_IN-68.2.0-1.mga7
firefox-hr-68.2.0-1.mga7
firefox-hsb-68.2.0-1.mga7
firefox-hu-68.2.0-1.mga7
firefox-hy_AM-68.2.0-1.mga7
firefox-id-68.2.0-1.mga7
firefox-is-68.2.0-1.mga7
firefox-it-68.2.0-1.mga7
firefox-ja-68.2.0-1.mga7
firefox-kk-68.2.0-1.mga7
firefox-km-68.2.0-1.mga7
firefox-kn-68.2.0-1.mga7
firefox-ko-68.2.0-1.mga7
firefox-lij-68.2.0-1.mga7
firefox-lt-68.2.0-1.mga7
firefox-lv-68.2.0-1.mga7
firefox-mk-68.2.0-1.mga7
firefox-mr-68.2.0-1.mga7
firefox-ms-68.2.0-1.mga7
firefox-nb_NO-68.2.0-1.mga7
firefox-nl-68.2.0-1.mga7
firefox-nn_NO-68.2.0-1.mga7
firefox-pa_IN-68.2.0-1.mga7
firefox-pl-68.2.0-1.mga7
firefox-pt_BR-68.2.0-1.mga7
firefox-pt_PT-68.2.0-1.mga7
firefox-ro-68.2.0-1.mga7
firefox-ru-68.2.0-1.mga7
firefox-si-68.2.0-1.mga7
firefox-sk-68.2.0-1.mga7
firefox-sl-68.2.0-1.mga7
firefox-sq-68.2.0-1.mga7
firefox-sr-68.2.0-1.mga7
firefox-sv_SE-68.2.0-1.mga7
firefox-ta-68.2.0-1.mga7
firefox-te-68.2.0-1.mga7
firefox-th-68.2.0-1.mga7
firefox-tr-68.2.0-1.mga7
firefox-uk-68.2.0-1.mga7
firefox-uz-68.2.0-1.mga7
firefox-vi-68.2.0-1.mga7
firefox-xh-68.2.0-1.mga7
firefox-zh_CN-68.2.0-1.mga7
firefox-zh_TW-68.2.0-1.mga7
rootcerts-20191011.00-1.mga7
rootcerts-java-20191011.00-1.mga7
libnspr4-4.23-1.mga7
libnspr-devel-4.23-1.mga7
nss-3.47.0-1.mga7
nss-doc-3.47.0-1.mga7
libnss3-3.47.0-1.mga7
libnss-devel-3.47.0-1.mga7
libnss-static-devel-3.47.0-1.mga7

from SRPMS:
firefox-68.2.0-1.mga7.src.rpm
firefox-l10n-68.2.0-1.mga7.src.rpm
rootcerts-20191011.00-1.mga7.src.rpm
nspr-4.23-1.mga7.src.rpm
nss-3.47.0-1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Tested with newspaper site (text, video, pictures) all OK.
Tested also access using my eid card for authentication to government site: OK
Good enough for me.

Whiteboard: (none) => MGA7-64-OK

Confirming the OK, as it seemed to me that just one test was insufficient for this application.
MGA7-64 Plasma. i5, Intel graphics.
Updated packages using the qarepo tool. No installation issues. Checked various sites, including this one, no problems.
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Thomas Backlund
2019-11-07 22:15:54 CET
CC: (none) => tmb

It works for me on several boxes

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0315.html

Resolution: (none) => FIXED

The nss 3.47 update in this bug also fixed CVE-2019-11756:
https://access.redhat.com/errata/RHSA-2020:3280