Bug 27589

Summary: Firefox 78.4.1 and Thunderbird 78.4.2 new security issue CVE-2020-26950
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK MGA7-32-OK
Source RPM: firefox, firefox-l10n, thunderbird, thunderbird-l10n CVE: CVE-2020-26950
Status comment:

Description Nicolas Salguero 2020-11-10 08:57:36 CET 
Mozilla has released Firefox 78.4.1 on November 10:
https://www.mozilla.org/en-US/firefox/78.4.1/releasenotes/
and Thunderbird 78.4.2 on November 9:
https://www.thunderbird.net/en-US/thunderbird/78.4.2/releasenotes/

Security issue fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/
Nicolas Salguero 2020-11-10 08:58:26 CET

Whiteboard: (none) => MGA7TOO
CVE: (none) => CVE-2020-26950
Source RPM: (none) => firefox, firefox-l10n, thunderbird, thunderbird-l10n
Assignee: bugsquad => nicolas.salguero

Comment 1 Aurelien Oudelet 2020-11-10 09:59:09 CET 
Hi, thanks for reporting this.
Already self-assigned to maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => ouaurelien

Comment 2 Nicolas Salguero 2020-11-10 11:08:53 CET 
Thunderbird 78.4.1 also fixed some other issues:
https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2020-11-10 13:34:22 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Write side effects in MCallGetProperty opcode not accounted for. (CVE-2020-26950)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26950
https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/
https://www.mozilla.org/en-US/firefox/78.4.1/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/78.4.1/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/78.4.2/releasenotes/
========================

Updated packages in core/updates_testing:
========================
firefox-78.4.1-1.mga7
firefox-devel-78.4.1-1.mga7
firefox-af-78.4.1-1.mga7
firefox-an-78.4.1-1.mga7
firefox-ar-78.4.1-1.mga7
firefox-ast-78.4.1-1.mga7
firefox-az-78.4.1-1.mga7
firefox-be-78.4.1-1.mga7
firefox-bg-78.4.1-1.mga7
firefox-bn-78.4.1-1.mga7
firefox-br-78.4.1-1.mga7
firefox-bs-78.4.1-1.mga7
firefox-ca-78.4.1-1.mga7
firefox-cs-78.4.1-1.mga7
firefox-cy-78.4.1-1.mga7
firefox-da-78.4.1-1.mga7
firefox-de-78.4.1-1.mga7
firefox-el-78.4.1-1.mga7
firefox-en_CA-78.4.1-1.mga7
firefox-en_GB-78.4.1-1.mga7
firefox-en_US-78.4.1-1.mga7
firefox-eo-78.4.1-1.mga7
firefox-es_AR-78.4.1-1.mga7
firefox-es_CL-78.4.1-1.mga7
firefox-es_ES-78.4.1-1.mga7
firefox-es_MX-78.4.1-1.mga7
firefox-et-78.4.1-1.mga7
firefox-eu-78.4.1-1.mga7
firefox-fa-78.4.1-1.mga7
firefox-ff-78.4.1-1.mga7
firefox-fi-78.4.1-1.mga7
firefox-fr-78.4.1-1.mga7
firefox-fy_NL-78.4.1-1.mga7
firefox-ga_IE-78.4.1-1.mga7
firefox-gd-78.4.1-1.mga7
firefox-gl-78.4.1-1.mga7
firefox-gu_IN-78.4.1-1.mga7
firefox-he-78.4.1-1.mga7
firefox-hi_IN-78.4.1-1.mga7
firefox-hr-78.4.1-1.mga7
firefox-hsb-78.4.1-1.mga7
firefox-hu-78.4.1-1.mga7
firefox-hy_AM-78.4.1-1.mga7
firefox-ia-78.4.1-1.mga7
firefox-id-78.4.1-1.mga7
firefox-is-78.4.1-1.mga7
firefox-it-78.4.1-1.mga7
firefox-ja-78.4.1-1.mga7
firefox-ka-78.4.1-1.mga7
firefox-kab-78.4.1-1.mga7
firefox-kk-78.4.1-1.mga7
firefox-km-78.4.1-1.mga7
firefox-kn-78.4.1-1.mga7
firefox-ko-78.4.1-1.mga7
firefox-lij-78.4.1-1.mga7
firefox-lt-78.4.1-1.mga7
firefox-lv-78.4.1-1.mga7
firefox-mk-78.4.1-1.mga7
firefox-mr-78.4.1-1.mga7
firefox-ms-78.4.1-1.mga7
firefox-my-78.4.1-1.mga7
firefox-nb_NO-78.4.1-1.mga7
firefox-nl-78.4.1-1.mga7
firefox-nn_NO-78.4.1-1.mga7
firefox-oc-78.4.1-1.mga7
firefox-pa_IN-78.4.1-1.mga7
firefox-pl-78.4.1-1.mga7
firefox-pt_BR-78.4.1-1.mga7
firefox-pt_PT-78.4.1-1.mga7
firefox-ro-78.4.1-1.mga7
firefox-ru-78.4.1-1.mga7
firefox-si-78.4.1-1.mga7
firefox-sk-78.4.1-1.mga7
firefox-sl-78.4.1-1.mga7
firefox-sq-78.4.1-1.mga7
firefox-sr-78.4.1-1.mga7
firefox-sv_SE-78.4.1-1.mga7
firefox-ta-78.4.1-1.mga7
firefox-te-78.4.1-1.mga7
firefox-th-78.4.1-1.mga7
firefox-tl-78.4.1-1.mga7
firefox-tr-78.4.1-1.mga7
firefox-uk-78.4.1-1.mga7
firefox-ur-78.4.1-1.mga7
firefox-uz-78.4.1-1.mga7
firefox-vi-78.4.1-1.mga7
firefox-xh-78.4.1-1.mga7
firefox-zh_CN-78.4.1-1.mga7
firefox-zh_TW-78.4.1-1.mga7
thunderbird-78.4.2-1.mga7
thunderbird-enigmail-78.4.2-1.mga7
thunderbird-ar-78.4.2-1.mga7
thunderbird-ast-78.4.2-1.mga7
thunderbird-be-78.4.2-1.mga7
thunderbird-bg-78.4.2-1.mga7
thunderbird-br-78.4.2-1.mga7
thunderbird-ca-78.4.2-1.mga7
thunderbird-cs-78.4.2-1.mga7
thunderbird-cy-78.4.2-1.mga7
thunderbird-da-78.4.2-1.mga7
thunderbird-de-78.4.2-1.mga7
thunderbird-el-78.4.2-1.mga7
thunderbird-en_GB-78.4.2-1.mga7
thunderbird-en_US-78.4.2-1.mga7
thunderbird-es_AR-78.4.2-1.mga7
thunderbird-es_ES-78.4.2-1.mga7
thunderbird-et-78.4.2-1.mga7
thunderbird-eu-78.4.2-1.mga7
thunderbird-fi-78.4.2-1.mga7
thunderbird-fr-78.4.2-1.mga7
thunderbird-fy_NL-78.4.2-1.mga7
thunderbird-ga_IE-78.4.2-1.mga7
thunderbird-gd-78.4.2-1.mga7
thunderbird-gl-78.4.2-1.mga7
thunderbird-he-78.4.2-1.mga7
thunderbird-hr-78.4.2-1.mga7
thunderbird-hsb-78.4.2-1.mga7
thunderbird-hu-78.4.2-1.mga7
thunderbird-hy_AM-78.4.2-1.mga7
thunderbird-id-78.4.2-1.mga7
thunderbird-is-78.4.2-1.mga7
thunderbird-it-78.4.2-1.mga7
thunderbird-ja-78.4.2-1.mga7
thunderbird-ka-78.4.2-1.mga7
thunderbird-kab-78.4.2-1.mga7
thunderbird-kk-78.4.2-1.mga7
thunderbird-ko-78.4.2-1.mga7
thunderbird-lt-78.4.2-1.mga7
thunderbird-ms-78.4.2-1.mga7
thunderbird-nb_NO-78.4.2-1.mga7
thunderbird-nl-78.4.2-1.mga7
thunderbird-nn_NO-78.4.2-1.mga7
thunderbird-pl-78.4.2-1.mga7
thunderbird-pt_BR-78.4.2-1.mga7
thunderbird-pt_PT-78.4.2-1.mga7
thunderbird-ro-78.4.2-1.mga7
thunderbird-ru-78.4.2-1.mga7
thunderbird-si-78.4.2-1.mga7
thunderbird-sk-78.4.2-1.mga7
thunderbird-sl-78.4.2-1.mga7
thunderbird-sq-78.4.2-1.mga7
thunderbird-sv_SE-78.4.2-1.mga7
thunderbird-tr-78.4.2-1.mga7
thunderbird-uk-78.4.2-1.mga7
thunderbird-uz-78.4.2-1.mga7
thunderbird-vi-78.4.2-1.mga7
thunderbird-zh_CN-78.4.2-1.mga7
thunderbird-zh_TW-78.4.2-1.mga7

from SRPMS:
firefox-78.4.1-1.mga7.src.rpm
firefox-l10n-78.4.1-1.mga7.src.rpm
thunderbird-78.4.2-1.mga7.src.rpm
thunderbird-l10n-78.4.2-1.mga7.src.rpm
Nicolas Salguero 2020-11-10 15:14:24 CET

Assignee: nicolas.salguero => qa-bugs
Keywords: Triaged => (none)
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 Aurelien Oudelet 2020-11-10 20:37:50 CET 
Mageia 7 x86_64 Plasma and Mageia 7 i586 GNOME.
Firefox updated to 78.4.1-1.mga7
Lang FR is OK.
HTTPS sites are OK.
Bank account OK.
Netflix and myCANAL well played (DRM) OK

Thunderbird updated to 78.4.2-1.mga7
Lang is OK
Send and receive Email via SMTP/POP3 SSL/POP3 IMAP and SSL IMAP is OK.
Calendar OK
Enigmail upgrade is OK.

Leaving this to be tested by other one QA peer.
Comment 5 Dave Hodgins 2020-11-10 20:44:48 CET 
Confirming both firefox and thunderbird are working without any regression.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Aurelien Oudelet 2020-11-10 20:54:21 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Comment 7 Thomas Andrews 2020-11-11 15:02:24 CET 
Just another confirmation that they seem to be working.

CC: (none) => andrewsfarm

Comment 8 David Walser 2020-11-12 18:51:33 CET 
RedHat has issued an advisory for Firefox today (November 12):
https://access.redhat.com/errata/RHSA-2020:5100
Comment 9 Mageia Robot 2020-11-13 22:22:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0421.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 10 David Walser 2020-11-19 14:22:49 CET 
RedHat has issued an advisory for Thunderbird on November 18:
https://access.redhat.com/errata/RHSA-2020:5146