| Summary: | Firefox 78.9, NSPR 4.30 and NSS 3.63 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, guillaume.royer, mageia, ouaurelien, sysadmin-bugs, wrw105 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO mga8-64-ok mga8-32-ok mga7-32-ok | ||
| Source RPM: | firefox, firefox-l10n, nss, nspr | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 28642 | ||
Description
Nicolas Salguero
2021-03-25 09:12:07 CET
Nicolas Salguero
2021-03-25 09:12:36 CET
Source RPM:
(none) =>
firefox, firefox-l10n
NSS 3.63 is also out: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
Source RPM:
firefox, firefox-l10n =>
firefox, firefox-l10n, nss
Nicolas Salguero
2021-03-25 09:30:49 CET
Blocks:
(none) =>
28642
Nicolas Salguero
2021-03-25 09:31:22 CET
Summary:
Firefox 78.9 =>
Firefox 78.9 and NSS 3.63
There is also a new release of NSPR (4.30) which is required by NSS 3.63: https://groups.google.com/g/mozilla.dev.tech.nspr/c/wwXfLFWZRlA
Source RPM:
firefox, firefox-l10n, nss =>
firefox, firefox-l10n, nss, nspr
Nicolas Salguero
2021-03-25 09:37:31 CET
Summary:
Firefox 78.9 NSPR 4.30 and NSS 3.63 =>
Firefox 78.9, NSPR 4.30 and NSS 3.63
There is also rootcerts 20210308.
Source RPM:
firefox, firefox-l10n, nss, nspr =>
firefox, firefox-l10n, nss, nspr, rootcerts
Oops, finally rootcerts appears to be the same as current version.
Source RPM:
firefox, firefox-l10n, nss, nspr, rootcerts =>
firefox, firefox-l10n, nss, nspr
Assigning it to you, Nicolas, as you are already very involved!
Assignee:
bugsquad =>
nicolas.salguero
pushed in cauldron mga7/8 by Nicolas:
src:
- mageia 7:
  - nss-3.63.0-1.mga7
  - nspr-4.30-1.mga7
  - firefox-78.9.0-1.mga7
  - firefox-l10n-78.9.0-1.mga7
- mageia 8:
  - nss-3.63.0-1.mga8
  - nspr-4.30-1.mga8
  - firefox-78.9.0-1.mga8
  - firefox-l10n-78.9.0-1.mga8
Version:
Cauldron =>
8
mga7-64 Plasma Nvidia-current quick test OK
Picking up settings and previous open tabs
Swedish locale
Video playing on various sites
Banking logins and other
Viewing and printing pdf
CC:
(none) =>
fri
MGA8-64 Gnome nvidia (390) - phys hardware.
The following 6 packages are going to be installed:
- firefox-78.9.0-1.mga8.x86_64
- firefox-en_GB-78.9.0-1.mga8.noarch
- firefox-en_US-78.9.0-1.mga8.noarch
- lib64nspr4-4.30-1.mga8.x86_64
- lib64nss3-3.63.0-1.mga8.x86_64
- nss-3.63.0-1.mga8.x86_64
Used it for videos, etc. Working
CC:
(none) =>
brtians1
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
Texture upload into an unbound backing buffer resulted in an out-of-bound read. (CVE-2021-23981)
Angle graphics library out of date. (MOZ-2021-0002)
Internal network hosts could have been probed by a malicious webpage. (CVE-2021-23982)
Malicious extensions could have spoofed popup information. (CVE-2021-23984)
Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9. (CVE-2021-23987)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23987
https://www.mozilla.org/en-US/firefox/78.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
https://groups.google.com/g/mozilla.dev.tech.nspr/c/wwXfLFWZRlA
Status:
NEW =>
ASSIGNED
I have been using this for a few hours now on mga8-64 Plasma. No issues noted.
CC:
(none) =>
andrewsfarm
MGA8 XFCE with core I3 4 GB RAM Nvidia driver 390
Update with QA repo and with:
firefox-78.9.0-1.mga8
firefox-fr-78.9.0-1.mga8
Installation OK, Bank site, Netflix, Mastodon ok
Element Matrix NOK, Can't connect to server, it was the same problem on older versions
CC:
(none) =>
guillaume.royer
MGA7 GNOME with core I3 4 GB RAM Nvidia driver 390
Update with QA repo and with:
nss-3.63.0-1.mga7
firefox-78.9.0-1.mga7
firefox-fr-78.9.0-1.mga7
lib64nspr4-4.30-1.mga7
Installation OK, Bank site, Netflix, Mastodon ok
Element Matrix NOK, Can't connect to server, it was the same problem on older versions
Tested mga8-64 Jetstream, general browsing, video (Youtube), all OK.
CC:
(none) =>
wrw105
MGA8-64, Plasma
Tested, seems to be working as expected.
tested mga8-32 in virtualbox guest
tested as above, all OK.
Whiteboard:
MGA7TOO mga8-64-ok =>
MGA7TOO mga8-64-ok mga8-32-ok
Tested mga7-32 in virtualbox, as above, all ok.
Whiteboard:
MGA7TOO mga8-64-ok mga8-32-ok =>
MGA7TOO mga8-64-ok mga8-32-ok mga7-32-ok
Validating.
CC:
(none) =>
ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0163.html
Status:
ASSIGNED =>
RESOLVED
RedHat has issued an advisory for this on March 25:
https://access.redhat.com/errata/RHSA-2021:0990
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.
Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0163.html
Mozilla Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/
Suggested change(s):
MOZ-2021-0002 -> CVE-2021-4127