| Summary: | Firefox 78.10 ESR Update | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Jose Manuel López <joselp> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | High | CC: | andrewsfarm, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, wrw105 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok | ||
| Source RPM: | Firefox | CVE: | CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 28788, 28829 | ||
|
Description
Jose Manuel López
2021-04-21 11:54:27 CEST
Upstream Mozilla has released Firefox ESR 78.10. It has various stability, functionality, and security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/ Also, NSS 3.63.1 is out. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63.1_release_notes It fixes Bug https://bugs.mageia.org/show_bug.cgi?id=28359 Assigning globally, adding CC'd. Summary:
Update request to Firefox 78.10 ESR =>
Firefox 78.10 ESR Update
Aurelien Oudelet
2021-04-22 21:08:46 CEST
Assignee:
bugsquad =>
pkg-bugs
Aurelien Oudelet
2021-04-22 21:15:27 CEST
Blocks:
(none) =>
28829 Current NSS version is actually 3.64: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.64_release_notes No rootcerts or nspr updates at this time. build in progress for mga7/8/9 CC:
(none) =>
mageia src:
- mga7:
- nss-3.64.0-1.mga7
- firefox-78.10.0-1.mga7
- firefox-l10n-78.10.0-1.mga7
- mga8:
- nss-3.64.0-1.mga8
- firefox-78.10.0-1.mga8
- firefox-l10n-78.10.0-1.mga8Whiteboard:
MGA7TOO MGA8TOO =>
MGA7TOO Hm... As nss was not allowed to be built before sumitting firefox, they might need a second rebuild in case there is something important we want a "hard dep" on... Hi, I have updated Firefox to 78.10, I still cannot enter the login of the Bankinter Empresas website, this is related to our compilation, as I already indicated in the Bug 28359. In the official version I haven't this issue. This screenshot show the bug: https://bugs.mageia.org/attachment.cgi?id=12341 Greetings! (In reply to Thomas Backlund from comment #5) > Hm... > > As nss was not allowed to be built before sumitting firefox, they might need > a second rebuild in case there is something important we want a "hard dep" > on... yes you are right, i just sent a new rebuild of FF for mageia 7 and 8 (In reply to Jose Manuel López from comment #6) > Hi, > > I have updated Firefox to 78.10, I still cannot enter the login of the > Bankinter Empresas website, this is related to our compilation, as I already > indicated in the Bug 28359. > > In the official version I haven't this issue. > > This screenshot show the bug: https://bugs.mageia.org/attachment.cgi?id=12341 > > Greetings! i tried to understand this but this is really strange. I think i should rebuild a FF locally with nothing from system and try to enable one by one to see which one is failing. Nicolas, Should we hold this until you have a chance to do the testing or work to push this out now and do the correction as a separate update? CC:
(none) =>
wrw105 MGA8-64 Plasma, nvidia-current, kernel 5.10.30-desktop-1.mga8 Installed - firefox-0:78.10.0-1.1.mga8.x86_64 - firefox-sv_SE-78.10.0-1.mga8.noarch - nss-2:3.64.0-1.mga8.x86_64 Already installed as dep when I tested Thunderbird just now: - lib64nss3-3.64.0-1.mga8.x86_64 OK: Localisation, settings reopened tabs, plays various video sites, log in to bankings... Bill, test what we've got for now. I don't expect other issues to be fixed quickly or easily. (In reply to David Walser from comment #11) > Bill, test what we've got for now. I don't expect other issues to be fixed > quickly or easily. Yes, fixing this will be a separate issue, as it can take time to understand/fix. tested mga8-32 Jetstream, general browsing, video all OK Whiteboard:
MGA7TOO =>
MGA7TOO mga8-32-ok Tested mga7-32 as above, all OK. Whiteboard:
MGA7TOO mga8-32-ok =>
MGA7TOO mga8-32-ok mga7-32-ok Tested mga7-64 as above, all ok Whiteboard:
MGA7TOO mga8-32-ok mga7-32-ok =>
MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok Tested on mga8-64. Most looks OK. After reading the above comments, I didn't expect a change, but I tried to log onto Keybank online banking anyway, without success. Their message has been reworded slightly. Instead of saying that I need something other than Firefox, they now say ours is too old and I need the "latest" version. I have not tried to use Mozilla's ESR with that site yet, so I can't be sure that it's just our ESR that's the problem. I hesitate to try much, lest they flag me as someone trying to break in where I shouldn't be, and lock my IP out of my account altogether. CC:
(none) =>
andrewsfarm RedHat has issued an advisory for this on April 26: https://access.redhat.com/errata/RHSA-2021:1360 tested mga8-64 as above, all OK. Looks like it's ready for validation when the advisory is uploaded to svn. Whiteboard:
MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok =>
MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok
Bill Wilkinson
2021-04-27 20:14:12 CEST
CC:
(none) =>
sysadmin-bugs Advisory: ======================== The updated packages fix security vulnerabilities: More internal network hosts could have been probed by a malicious webpage: Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2021-23961). Out of bound write due to lazy initialization: A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write (CVE-2021-23994). Use-after-free in Responsive Design Mode: When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code (CVE-2021-23995). Secure Lock icon could have been spoofed: Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page (CVE-2021-23998). Blob URLs may have been granted additional privileges: If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content (CVE-2021-23999). Arbitrary FTP command execution on FTP servers using an encoded URL: When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server (CVE-2021-24002). Incorrect size computation in WebAssembly JIT could lead to null-reads: The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Note: This issue only affected x86-32 platforms. Other platforms are unaffected. (CVE-2021-29945). Port blocking could be bypassed: Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header (CVE-2021-29946). references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23961 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946 https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/ https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.64_release_notes https://access.redhat.com/errata/RHSA-2021:1360 ======================== Updated packages in core/updates_testing: ======================== firefox-af-78.10.0-1.mga{7;8} firefox-an-78.10.0-1.mga{7;8} firefox-ar-78.10.0-1.mga{7;8} firefox-ast-78.10.0-1.mga{7;8} firefox-az-78.10.0-1.mga{7;8} firefox-be-78.10.0-1.mga{7;8} firefox-bg-78.10.0-1.mga{7;8} firefox-bn-78.10.0-1.mga{7;8} firefox-br-78.10.0-1.mga{7;8} firefox-bs-78.10.0-1.mga{7;8} firefox-ca-78.10.0-1.mga{7;8} firefox-cs-78.10.0-1.mga{7;8} firefox-cy-78.10.0-1.mga{7;8} firefox-da-78.10.0-1.mga{7;8} firefox-de-78.10.0-1.mga{7;8} firefox-el-78.10.0-1.mga{7;8} firefox-en_CA-78.10.0-1.mga{7;8} firefox-en_GB-78.10.0-1.mga{7;8} firefox-en_US-78.10.0-1.mga{7;8} firefox-eo-78.10.0-1.mga{7;8} firefox-es_AR-78.10.0-1.mga{7;8} firefox-es_CL-78.10.0-1.mga{7;8} firefox-es_ES-78.10.0-1.mga{7;8} firefox-es_MX-78.10.0-1.mga{7;8} firefox-et-78.10.0-1.mga{7;8} firefox-eu-78.10.0-1.mga{7;8} firefox-fa-78.10.0-1.mga{7;8} firefox-ff-78.10.0-1.mga{7;8} firefox-fi-78.10.0-1.mga{7;8} firefox-fr-78.10.0-1.mga{7;8} firefox-fy_NL-78.10.0-1.mga{7;8} firefox-ga_IE-78.10.0-1.mga{7;8} firefox-gd-78.10.0-1.mga{7;8} firefox-gl-78.10.0-1.mga{7;8} firefox-gu_IN-78.10.0-1.mga{7;8} firefox-he-78.10.0-1.mga{7;8} firefox-hi_IN-78.10.0-1.mga{7;8} firefox-hr-78.10.0-1.mga{7;8} firefox-hsb-78.10.0-1.mga{7;8} firefox-hu-78.10.0-1.mga{7;8} firefox-hy_AM-78.10.0-1.mga{7;8} firefox-ia-78.10.0-1.mga{7;8} firefox-id-78.10.0-1.mga{7;8} firefox-is-78.10.0-1.mga{7;8} firefox-it-78.10.0-1.mga{7;8} firefox-ja-78.10.0-1.mga{7;8} firefox-ka-78.10.0-1.mga{7;8} firefox-kab-78.10.0-1.mga{7;8} firefox-kk-78.10.0-1.mga{7;8} firefox-km-78.10.0-1.mga{7;8} firefox-kn-78.10.0-1.mga{7;8} firefox-ko-78.10.0-1.mga{7;8} firefox-lij-78.10.0-1.mga{7;8} firefox-lt-78.10.0-1.mga{7;8} firefox-lv-78.10.0-1.mga{7;8} firefox-mk-78.10.0-1.mga{7;8} firefox-mr-78.10.0-1.mga{7;8} firefox-ms-78.10.0-1.mga{7;8} firefox-my-78.10.0-1.mga{7;8} firefox-nb_NO-78.10.0-1.mga{7;8} firefox-nl-78.10.0-1.mga{7;8} firefox-nn_NO-78.10.0-1.mga{7;8} firefox-oc-78.10.0-1.mga{7;8} firefox-pa_IN-78.10.0-1.mga{7;8} firefox-pl-78.10.0-1.mga{7;8} firefox-pt_BR-78.10.0-1.mga{7;8} firefox-pt_PT-78.10.0-1.mga{7;8} firefox-ro-78.10.0-1.mga{7;8} firefox-ru-78.10.0-1.mga{7;8} firefox-si-78.10.0-1.mga{7;8} firefox-sk-78.10.0-1.mga{7;8} firefox-sl-78.10.0-1.mga{7;8} firefox-sq-78.10.0-1.mga{7;8} firefox-sr-78.10.0-1.mga{7;8} firefox-sv_SE-78.10.0-1.mga{7;8} firefox-ta-78.10.0-1.mga{7;8} firefox-te-78.10.0-1.mga{7;8} firefox-th-78.10.0-1.mga{7;8} firefox-tl-78.10.0-1.mga{7;8} firefox-tr-78.10.0-1.mga{7;8} firefox-uk-78.10.0-1.mga{7;8} firefox-ur-78.10.0-1.mga{7;8} firefox-uz-78.10.0-1.mga{7;8} firefox-vi-78.10.0-1.mga{7;8} firefox-xh-78.10.0-1.mga{7;8} firefox-zh_CN-78.10.0-1.mga{7;8} firefox-zh_TW-78.10.0-1.mga{7;8} lib(64)nss-devel-3.64.0-1.mga{7;8} lib(64)nss-static-devel-3.64.0-1.mga{7;8} lib(64)nss3-3.64.0-1.mga{7;8} nss-3.64.0-1.mga{7;8} nss-doc-3.64.0-1.mga{7;8} firefox-78.10.0-1.1.mga{7;8} firefox-devel-78.10.0-1.1.mga{7;8} from SRPMS: ======================== firefox-l10n-78.10.0-1.mga{7;8}.src.rpm nss-3.64.0-1.mga{7;8}.src.rpm firefox-78.10.0-1.1.mga{7;8}.src.rpm Keywords:
(none) =>
advisory MGA8 Plasma x86_64 OK. Basic usage. Widevine OK SSL sites OK. Bank site OK. Still reported issues (webrtc, zoom, bigbluebutton,...) non functioning. See Firefox Tracker Bug 28788. Hi, works ok, but still it doesn't work with the Bankinter web. Appears the same issue. Greetings!! An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0199.html Resolution:
(none) =>
FIXED |