Bug 28432

Added Commiters in CC.

Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => nicolas.salguero

Mozilla has released Firefox 78.8.0 on February 23:
https://www.mozilla.org/en-US/firefox/78.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

NSS 3.62 is also out (February 19):
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_62_RTM/src/

(release notes not available yet)

certdata.txt and nssckbi.h for rootcerts need to be updated as of February 23.

crypto-policies can be updated in Cauldron, but doesn't need to be for stable.

CC: (none) => luigiwalser
Summary: Firefox 78.8 fixes security issues => Firefox 78.8
Whiteboard: MGA7TOO MGA8TOO => MGA8TOO, MGA7TOO
Severity: normal => critical

RedHat has issued an advisory for this on February 24:
https://access.redhat.com/errata/RHSA-2021:0655

rootcerts and nss builds submitted to the build system.  firefox and firefox-l10n updates checked into SVN.

Build failed on aarch64, looks like rust compiler died.

32:12.97 error: could not compile `style`
32:12.97 Caused by:
32:12.97   process didn't exit successfully: `/usr/bin/rustc [ snip ... ]
53:17.53 error: build failed
53:17.59 gmake[4]: *** [/home/iurt/rpmbuild/BUILD/firefox-78.8.0/config/makefiles/rust.mk:299: force-cargo-library-build] Error 101

I think it's just warnings, but there's a lot of messages like the following that make me thing we need to change the -std used by the compiler to C++14 or 17:
note: parameter passing for argument of type 'mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>' when C++17 is enabled changed to match C++14 in GCC 10.1

CC: (none) => rverschelde

Package list so far:
rootcerts-20210223.00-1.mga7
rootcerts-java-20210223.00-1.mga7
nss-3.62.0-1.mga7
nss-doc-3.62.0-1.mga7
libnss3-3.62.0-1.mga7
libnss-devel-3.62.0-1.mga7
libnss-static-devel-3.62.0-1.mga7
rootcerts-20210223.00-1.mga8
rootcerts-java-20210223.00-1.mga8
nss-3.62.0-1.mga8
libnss-static-devel-3.62.0-1.mga8
libnss3-3.62.0-1.mga8
libnss-devel-3.62.0-1.mga8
nss-doc-3.62.0-1.mga8

uploaded firefox for mga7/8

src:


   mageia 7:
      firefox-78.8.0-1.mga7
      firefox-l10n-78.8.0-1.mga7

   mageia 7:
      firefox-78.8.0-1.mga8
      firefox-l10n-78.8.0-1.mga8

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Are we ever going to fix Cauldron?

looking to it now

(In reply to David Walser from comment #6)
> Package list so far:
> rootcerts-20210223.00-1.mga7
> rootcerts-java-20210223.00-1.mga7
> nss-3.62.0-1.mga7
> nss-doc-3.62.0-1.mga7
> libnss3-3.62.0-1.mga7
> libnss-devel-3.62.0-1.mga7
> libnss-static-devel-3.62.0-1.mga7
> rootcerts-20210223.00-1.mga8
> rootcerts-java-20210223.00-1.mga8
> nss-3.62.0-1.mga8
> libnss-static-devel-3.62.0-1.mga8
> libnss3-3.62.0-1.mga8
> libnss-devel-3.62.0-1.mga8
> nss-doc-3.62.0-1.mga8

Mageia 7 packages for Firefox below (Mageia 8 are same but mga8):
firefox-78.8.0-1.mga7
firefox-devel-78.8.0-1.mga7
firefox-af-78.8.0-1.mga7
firefox-an-78.8.0-1.mga7
firefox-ar-78.8.0-1.mga7
firefox-ast-78.8.0-1.mga7
firefox-az-78.8.0-1.mga7
firefox-be-78.8.0-1.mga7
firefox-bg-78.8.0-1.mga7
firefox-bn-78.8.0-1.mga7
firefox-br-78.8.0-1.mga7
firefox-bs-78.8.0-1.mga7
firefox-ca-78.8.0-1.mga7
firefox-cs-78.8.0-1.mga7
firefox-cy-78.8.0-1.mga7
firefox-da-78.8.0-1.mga7
firefox-de-78.8.0-1.mga7
firefox-el-78.8.0-1.mga7
firefox-en_CA-78.8.0-1.mga7
firefox-en_GB-78.8.0-1.mga7
firefox-en_US-78.8.0-1.mga7
firefox-eo-78.8.0-1.mga7
firefox-es_AR-78.8.0-1.mga7
firefox-es_CL-78.8.0-1.mga7
firefox-es_ES-78.8.0-1.mga7
firefox-es_MX-78.8.0-1.mga7
firefox-et-78.8.0-1.mga7
firefox-eu-78.8.0-1.mga7
firefox-fa-78.8.0-1.mga7
firefox-ff-78.8.0-1.mga7
firefox-fi-78.8.0-1.mga7
firefox-fr-78.8.0-1.mga7
firefox-fy_NL-78.8.0-1.mga7
firefox-ga_IE-78.8.0-1.mga7
firefox-gd-78.8.0-1.mga7
firefox-gl-78.8.0-1.mga7
firefox-gu_IN-78.8.0-1.mga7
firefox-he-78.8.0-1.mga7
firefox-hi_IN-78.8.0-1.mga7
firefox-hr-78.8.0-1.mga7
firefox-hsb-78.8.0-1.mga7
firefox-hu-78.8.0-1.mga7
firefox-hy_AM-78.8.0-1.mga7
firefox-ia-78.8.0-1.mga7
firefox-id-78.8.0-1.mga7
firefox-is-78.8.0-1.mga7
firefox-it-78.8.0-1.mga7
firefox-ja-78.8.0-1.mga7
firefox-ka-78.8.0-1.mga7
firefox-kab-78.8.0-1.mga7
firefox-kk-78.8.0-1.mga7
firefox-km-78.8.0-1.mga7
firefox-kn-78.8.0-1.mga7
firefox-ko-78.8.0-1.mga7
firefox-lij-78.8.0-1.mga7
firefox-lt-78.8.0-1.mga7
firefox-lv-78.8.0-1.mga7
firefox-mk-78.8.0-1.mga7
firefox-mr-78.8.0-1.mga7
firefox-ms-78.8.0-1.mga7
firefox-my-78.8.0-1.mga7
firefox-nb_NO-78.8.0-1.mga7
firefox-nl-78.8.0-1.mga7
firefox-nn_NO-78.8.0-1.mga7
firefox-oc-78.8.0-1.mga7
firefox-pa_IN-78.8.0-1.mga7
firefox-pl-78.8.0-1.mga7
firefox-pt_BR-78.8.0-1.mga7
firefox-pt_PT-78.8.0-1.mga7
firefox-ro-78.8.0-1.mga7
firefox-ru-78.8.0-1.mga7
firefox-si-78.8.0-1.mga7
firefox-sk-78.8.0-1.mga7
firefox-sl-78.8.0-1.mga7
firefox-sq-78.8.0-1.mga7
firefox-sr-78.8.0-1.mga7
firefox-sv_SE-78.8.0-1.mga7
firefox-ta-78.8.0-1.mga7
firefox-te-78.8.0-1.mga7
firefox-th-78.8.0-1.mga7
firefox-tl-78.8.0-1.mga7
firefox-tr-78.8.0-1.mga7
firefox-uk-78.8.0-1.mga7
firefox-ur-78.8.0-1.mga7
firefox-uz-78.8.0-1.mga7
firefox-vi-78.8.0-1.mga7
firefox-xh-78.8.0-1.mga7
firefox-zh_CN-78.8.0-1.mga7
firefox-zh_TW-78.8.0-1.mga7

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report; as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs (CVE-2021-23968).

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that’s not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin (CVE-2021-23969).

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that MediaError message
may have revealed information about the resource (CVE-2021-23973).

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox ESR 78.7. Some of
these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
(CVE-2021-23978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23978
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/


SRPMS:
rootcerts-20210223.00-1.mga7.src.rpm
nss-3.62.0-1.mga7.src.rpm
firefox-78.8.0-1.mga7.src.rpm
firefox-l10n-78.8.0-1.mga7.src.rpm
rootcerts-20210223.00-1.mga8.src.rpm
nss-3.62.0-1.mga8.src.rpm
firefox-78.8.0-1.mga8.src.rpm
firefox-l10n-78.8.0-1.mga8.src.rpm

tested mga8-64
Jetstream, general browsing, video (YouTube) all OK

Whiteboard: MGA7TOO => MGA7TOO mga8-64-ok
CC: (none) => wrw105

mga7, x64 en_GB, en_US

Restored previous session OK.  Tried xkcd, youtube scifi videos, searches, goto links from external application, Jetstream2.  That returned a score of 60, but is that good or bad?  Looks fine.

CC: (none) => tarazed25

mga7-32 tested as above, ok.

Whiteboard: MGA7TOO mga8-64-ok => MGA7TOO mga8-64-ok mga7-32-ok

mga7-64 OK, Plasma, Nvidia-current, Intel i7, Swedish
General browsing, video, various logins on banking, shops...
All updates from testing installed.

CC: (none) => fri

MGA7-64 Plasma
Using QA repo:
firefox-fr-78.8.0-1.mga7
firefox-78.8.0-1.mga7
rootcerts-20210223.00-1.mga7
rootcerts-java-20210223.00-1.mga7
nss-3.62.0-1.mga7
nss-doc-3.62.0-1.mga7
libnss3-3.62.0-1.mga7

OK

MGA8-64 Plasma
Idem with .mga8

OK

SSL site, Widevine DRM enabled contents OK
All usages OK, both systems.

Validating,
Advisory pushed to SVN.

Whiteboard: MGA7TOO mga8-64-ok mga7-32-ok => MGA7TOO MGA7-32-OK MGA7-64-OK MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0097.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED