Bug 28034

Summary: Firefox 78.6.1
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, ouaurelien, sysadmin-bugs, wrw105
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: mga7-64-ok mga7-32-ok
Source RPM: nss, firefox
CVE:
Status comment:

Description David Walser 2021-01-07 00:23:22 CET
Mozilla has released Firefox 78.6.1 today (January 6):
https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/

NSS 3.60.1 is also out (release notes not available yet):
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60.1_release_notes

Update in progress (waiting on Cauldron pushes).  Package list will be as follows.

nss-3.60.1-1.mga7
nss-doc-3.60.1-1.mga7
libnss3-3.60.1-1.mga7
libnss-devel-3.60.1-1.mga7
libnss-static-devel-3.60.1-1.mga7
firefox-78.6.1-1.mga7
firefox-devel-78.6.1-1.mga7
firefox-af-78.6.1-1.mga7
firefox-an-78.6.1-1.mga7
firefox-ar-78.6.1-1.mga7
firefox-ast-78.6.1-1.mga7
firefox-az-78.6.1-1.mga7
firefox-be-78.6.1-1.mga7
firefox-bg-78.6.1-1.mga7
firefox-bn-78.6.1-1.mga7
firefox-br-78.6.1-1.mga7
firefox-bs-78.6.1-1.mga7
firefox-ca-78.6.1-1.mga7
firefox-cs-78.6.1-1.mga7
firefox-cy-78.6.1-1.mga7
firefox-da-78.6.1-1.mga7
firefox-de-78.6.1-1.mga7
firefox-el-78.6.1-1.mga7
firefox-en_CA-78.6.1-1.mga7
firefox-en_GB-78.6.1-1.mga7
firefox-en_US-78.6.1-1.mga7
firefox-eo-78.6.1-1.mga7
firefox-es_AR-78.6.1-1.mga7
firefox-es_CL-78.6.1-1.mga7
firefox-es_ES-78.6.1-1.mga7
firefox-es_MX-78.6.1-1.mga7
firefox-et-78.6.1-1.mga7
firefox-eu-78.6.1-1.mga7
firefox-fa-78.6.1-1.mga7
firefox-ff-78.6.1-1.mga7
firefox-fi-78.6.1-1.mga7
firefox-fr-78.6.1-1.mga7
firefox-fy_NL-78.6.1-1.mga7
firefox-ga_IE-78.6.1-1.mga7
firefox-gd-78.6.1-1.mga7
firefox-gl-78.6.1-1.mga7
firefox-gu_IN-78.6.1-1.mga7
firefox-he-78.6.1-1.mga7
firefox-hi_IN-78.6.1-1.mga7
firefox-hr-78.6.1-1.mga7
firefox-hsb-78.6.1-1.mga7
firefox-hu-78.6.1-1.mga7
firefox-hy_AM-78.6.1-1.mga7
firefox-ia-78.6.1-1.mga7
firefox-id-78.6.1-1.mga7
firefox-is-78.6.1-1.mga7
firefox-it-78.6.1-1.mga7
firefox-ja-78.6.1-1.mga7
firefox-ka-78.6.1-1.mga7
firefox-kab-78.6.1-1.mga7
firefox-kk-78.6.1-1.mga7
firefox-km-78.6.1-1.mga7
firefox-kn-78.6.1-1.mga7
firefox-ko-78.6.1-1.mga7
firefox-lij-78.6.1-1.mga7
firefox-lt-78.6.1-1.mga7
firefox-lv-78.6.1-1.mga7
firefox-mk-78.6.1-1.mga7
firefox-mr-78.6.1-1.mga7
firefox-ms-78.6.1-1.mga7
firefox-my-78.6.1-1.mga7
firefox-nb_NO-78.6.1-1.mga7
firefox-nl-78.6.1-1.mga7
firefox-nn_NO-78.6.1-1.mga7
firefox-oc-78.6.1-1.mga7
firefox-pa_IN-78.6.1-1.mga7
firefox-pl-78.6.1-1.mga7
firefox-pt_BR-78.6.1-1.mga7
firefox-pt_PT-78.6.1-1.mga7
firefox-ro-78.6.1-1.mga7
firefox-ru-78.6.1-1.mga7
firefox-si-78.6.1-1.mga7
firefox-sk-78.6.1-1.mga7
firefox-sl-78.6.1-1.mga7
firefox-sq-78.6.1-1.mga7
firefox-sr-78.6.1-1.mga7
firefox-sv_SE-78.6.1-1.mga7
firefox-ta-78.6.1-1.mga7
firefox-te-78.6.1-1.mga7
firefox-th-78.6.1-1.mga7
firefox-tl-78.6.1-1.mga7
firefox-tr-78.6.1-1.mga7
firefox-uk-78.6.1-1.mga7
firefox-ur-78.6.1-1.mga7
firefox-uz-78.6.1-1.mga7
firefox-vi-78.6.1-1.mga7
firefox-xh-78.6.1-1.mga7
firefox-zh_CN-78.6.1-1.mga7
firefox-zh_TW-78.6.1-1.mga7

from SRPMS:
nss-3.60.1-1.mga7.src.rpm
firefox-78.6.1-1.mga7.src.rpm
firefox-l10n-78.6.1-1.mga7.src.rpm
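Added example, not part of this bug report or of Mageia's own tooling: a check an administrator could run over `rpm -qa` output to confirm that every package from the list above is at or past the fixed version. Plain string sorting gets rpm versions wrong (3.9 would sort after 3.60, and a 1.0~rc1 pre-release after 1.0), so the comparison below re-implements rpm's segment-by-segment version ordering (rpmvercmp) including the tilde rule; the `^` separator of newer rpm is not handled, and ASCII-only versions are assumed. The `INSTALLED` list is constructed sample data; `FIXED` is a subset of the package list from Comment 0.

```python
"""Compare installed NVRs against an advisory's fixed package list (added example)."""
import re
from typing import List, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style comparison of two version (or release) strings: -1, 0 or 1.

    Segments are runs of digits or runs of letters; separators are skipped;
    numeric segments compare by value and beat alphabetic ones; '~' sorts
    before everything, including the end of the string (pre-releases).
    ASCII only; the '^' separator is not handled (assumption of this example).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not tb:
                return -1          # a is a pre-release of b's version
            if not ta:
                return 1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            isnum = True
            ma, mb = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:])
        else:
            isnum = False
            ma, mb = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:])
        sa = ma.group(0)
        sb = mb.group(0) if mb else ""
        if not sb:
            return 1 if isnum else -1   # segment types differ: numeric wins
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # whichever still has segments is newer


def parse_nvr(nvr: str) -> Tuple[str, int, str, str]:
    """'firefox-en_US-78.6.1-1.mga7' -> ('firefox-en_US', 0, '78.6.1', '1.mga7').

    Splits on the last two hyphens so hyphenated names survive; an optional
    'E:' epoch prefix on the version field is accepted (default epoch 0).
    """
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_evr(x: Tuple[int, str, str], y: Tuple[int, str, str]) -> int:
    """Order (epoch, version, release) tuples as rpm does: epoch, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    c = rpmvercmp(x[1], y[1])
    return c if c != 0 else rpmvercmp(x[2], y[2])


def outdated_packages(installed: List[str], fixed: List[str]) -> List[str]:
    """Return installed NVRs (in input order) whose EVR is older than the advisory's."""
    fixed_evr = {}
    for nvr in fixed:
        name, *evr = parse_nvr(nvr)
        fixed_evr[name] = tuple(evr)
    outdated = []
    for nvr in installed:
        name, *evr = parse_nvr(nvr)
        if name in fixed_evr and compare_evr(tuple(evr), fixed_evr[name]) < 0:
            outdated.append(nvr)
    return outdated


# Subset of the fixed package list from Comment 0.
FIXED = [
    "nss-3.60.1-1.mga7",
    "libnss3-3.60.1-1.mga7",
    "firefox-78.6.1-1.mga7",
    "firefox-en_US-78.6.1-1.mga7",
    "firefox-de-78.6.1-1.mga7",
]

# Constructed sample of `rpm -qa` output from a partly updated host (not real data).
INSTALLED = [
    "nss-3.59.0-1.mga7",            # old version
    "libnss3-3.60.1-1.mga7",        # fixed
    "firefox-78.6.0-1.mga7",        # old version
    "firefox-en_US-78.6.1-1.mga7",  # fixed
    "firefox-de-78.6.1-0.1.mga7",   # right version, older release
    "thunderbird-78.6.0-1.mga7",    # not covered by this advisory
]

if __name__ == "__main__":
    for nvr in outdated_packages(INSTALLED, FIXED):
        print("OUTDATED:", nvr)
```

On a real host, feed it `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and the package list from the advisory; an empty result means every listed package is at or beyond the fixed version.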
Comment 1 David Walser 2021-01-07 00:25:19 CET
Advisory will be as follows.

Advisory:
========================

Updated firefox packages fix security vulnerability:

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a
way that potentially resulted in a use-after-free. We presume that with enough
effort it could have been exploited to run arbitrary code (CVE-2020-16044).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60.1_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/
Comment 2 David Walser 2021-01-07 04:18:48 CET
Advisory in Comment 1.  Package list in Comment 0.

Assignee: bugsquad => qa-bugs

Comment 3 Bill Wilkinson 2021-01-07 17:51:28 CET
tested mga7-64

General browsing, video, Jetstream all OK

Whiteboard: (none) => mga7-64-ok
CC: (none) => wrw105

Comment 4 Bill Wilkinson 2021-01-07 19:43:59 CET
Tested MGA7-32 as above, apart from Jetstream, due to rootcerts issue.

All OK.

Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok

Comment 5 Thomas Andrews 2021-01-07 22:29:12 CET
Firefox use is so widespread that I thought a few more tests on differing hardware, arches, and DEs would be in order before validating.

To that end, I have checked this on 2 64-bit Plasma systems, one with Intel graphics and a wired Internet connection, and another with AMD processor and graphics, with Atheros-based wifi. I also checked on a 32-bit Xfce system with Intel processor, graphics, and wifi.

All tests were OK. No issues noted. That should be enough. Validating. Advisory in Comment 1, package list in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-01-08 14:36:00 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-08 16:36:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0012.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2021-01-11 13:46:26 CET
Red Hat has issued an advisory for this today (January 11):
https://access.redhat.com/errata/RHSA-2021:0052