| Summary: | Firefox 91.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, fri, herman.viaene, joselp, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | rootcerts, nss, firefox | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 29535 | | |

Description
David Walser
2021-10-04 17:39:08 CEST
Everything submitted to the build system; should be uploaded by end of the day.

Assignee: bugsquad => qa-bugs

mga8-64, Plasma, nvidia-current, Swedish, 4K screen
Clean update of rootcerts, nss, firefox
Took over settings and tabs.
Browsing bank sites, stores, video sites.
No problems observed.

CC: (none) => fri

Hi, I have updated today, all ok, language, banks, certificates. I can log in to Netflix and bank sites. No problems for the moment. Greetings!

CC: (none) => joselpddj

MGA8-64 Plasma on Lenovo B50, Dutch installation
No installation issues, but please David, can you order - as you usually do, I hope - at least the language packs alphabetically, saves a lot of eye strain.
After update firefox performs well, no problems encountered.

CC: (none) => herman.viaene

That comes from a build log, which are out of order due to a bug in rpm. Hopefully I'll remember to sort it.

I could swear I filed a bug report for this and I can't find it.

Updated the 64-bit US English version, tried my bank site, watched YouTube videos, checked Facebook (it's working today), searched with DuckDuckGo. No issues noted.

CC: (none) => andrewsfarm

MGA8-xfce, English
Installed this yesterday and lived with it for the day on laptop. No issues to report.

CC: (none) => brtians1

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Due to a data race in the crossbeam-deque in the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak (CVE-2021-32810).

During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash due to a use-after-free in MessageTask (CVE-2021-38496).

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks (CVE-2021-38497).

During process shutdown, a document could have caused a use-after-free of a languages service object (nsLanguageAtomService), leading to memory corruption and a potentially exploitable crash (CVE-2021-38498).

Mozilla developers and community members Andreas Pehrson, Christian Holler, Kevin Brosnan, and Mihai Alexandru Michis reported memory safety bugs present in Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-38500, CVE-2021-38501).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38501
https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/eLTKcnMNzPg
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_71.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20210907.00-1.mga8
rootcerts-java-20210907.00-1.mga8
nss-3.71.0-1.mga8
nss-doc-3.71.0-1.mga8
libnss3-3.71.0-1.mga8
libnss-devel-3.71.0-1.mga8
libnss-static-devel-3.71.0-1.mga8
firefox-91.2.0-1.mga8
firefox-af-91.2.0-1.mga8
firefox-an-91.2.0-1.mga8
firefox-ar-91.2.0-1.mga8
firefox-ast-91.2.0-1.mga8
firefox-az-91.2.0-1.mga8
firefox-be-91.2.0-1.mga8
firefox-bg-91.2.0-1.mga8
firefox-bn-91.2.0-1.mga8
firefox-br-91.2.0-1.mga8
firefox-bs-91.2.0-1.mga8
firefox-ca-91.2.0-1.mga8
firefox-cs-91.2.0-1.mga8
firefox-cy-91.2.0-1.mga8
firefox-da-91.2.0-1.mga8
firefox-de-91.2.0-1.mga8
firefox-el-91.2.0-1.mga8
firefox-en_CA-91.2.0-1.mga8
firefox-en_GB-91.2.0-1.mga8
firefox-en_US-91.2.0-1.mga8
firefox-eo-91.2.0-1.mga8
firefox-es_AR-91.2.0-1.mga8
firefox-es_CL-91.2.0-1.mga8
firefox-es_ES-91.2.0-1.mga8
firefox-es_MX-91.2.0-1.mga8
firefox-et-91.2.0-1.mga8
firefox-eu-91.2.0-1.mga8
firefox-fa-91.2.0-1.mga8
firefox-ff-91.2.0-1.mga8
firefox-fi-91.2.0-1.mga8
firefox-fr-91.2.0-1.mga8
firefox-fy_NL-91.2.0-1.mga8
firefox-ga_IE-91.2.0-1.mga8
firefox-gd-91.2.0-1.mga8
firefox-gl-91.2.0-1.mga8
firefox-gu_IN-91.2.0-1.mga8
firefox-he-91.2.0-1.mga8
firefox-hi_IN-91.2.0-1.mga8
firefox-hr-91.2.0-1.mga8
firefox-hsb-91.2.0-1.mga8
firefox-hu-91.2.0-1.mga8
firefox-hy_AM-91.2.0-1.mga8
firefox-ia-91.2.0-1.mga8
firefox-id-91.2.0-1.mga8
firefox-is-91.2.0-1.mga8
firefox-it-91.2.0-1.mga8
firefox-ja-91.2.0-1.mga8
firefox-ka-91.2.0-1.mga8
firefox-kab-91.2.0-1.mga8
firefox-kk-91.2.0-1.mga8
firefox-km-91.2.0-1.mga8
firefox-kn-91.2.0-1.mga8
firefox-ko-91.2.0-1.mga8
firefox-lij-91.2.0-1.mga8
firefox-lt-91.2.0-1.mga8
firefox-lv-91.2.0-1.mga8
firefox-mk-91.2.0-1.mga8
firefox-mr-91.2.0-1.mga8
firefox-ms-91.2.0-1.mga8
firefox-my-91.2.0-1.mga8
firefox-nb_NO-91.2.0-1.mga8
firefox-nl-91.2.0-1.mga8
firefox-nn_NO-91.2.0-1.mga8
firefox-oc-91.2.0-1.mga8
firefox-pa_IN-91.2.0-1.mga8
firefox-pl-91.2.0-1.mga8
firefox-pt_BR-91.2.0-1.mga8
firefox-pt_PT-91.2.0-1.mga8
firefox-ro-91.2.0-1.mga8
firefox-ru-91.2.0-1.mga8
firefox-si-91.2.0-1.mga8
firefox-sk-91.2.0-1.mga8
firefox-sl-91.2.0-1.mga8
firefox-sq-91.2.0-1.mga8
firefox-sr-91.2.0-1.mga8
firefox-sv_SE-91.2.0-1.mga8
firefox-szl-91.2.0-1.mga8
firefox-ta-91.2.0-1.mga8
firefox-te-91.2.0-1.mga8
firefox-th-91.2.0-1.mga8
firefox-tl-91.2.0-1.mga8
firefox-tr-91.2.0-1.mga8
firefox-uk-91.2.0-1.mga8
firefox-ur-91.2.0-1.mga8
firefox-uz-91.2.0-1.mga8
firefox-vi-91.2.0-1.mga8
firefox-xh-91.2.0-1.mga8
firefox-zh_CN-91.2.0-1.mga8
firefox-zh_TW-91.2.0-1.mga8

from SRPMS:
rootcerts-20210907.00-1.mga8.src.rpm
nss-3.71.0-1.mga8.src.rpm
firefox-91.2.0-1.mga8.src.rpm
firefox-l10n-91.2.0-1.mga8.src.rpm

David Walser
2021-10-07 16:00:24 CEST
Blocks: (none) => 29500

MGA8-64, Cinnamon, Nvidia 390

$ uname -a
Linux localhost 5.14.9-desktop-1.mga8 #1 SMP Thu Sep 30 14:15:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 8 packages are going to be installed:

- firefox-91.2.0-1.mga8.x86_64
- firefox-en_CA-91.2.0-1.mga8.noarch
- firefox-en_GB-91.2.0-1.mga8.noarch
- firefox-en_US-91.2.0-1.mga8.noarch
- lib64nss3-3.71.0-1.mga8.x86_64
- nss-3.71.0-1.mga8.x86_64
- rootcerts-20210907.00-1.mga8.noarch
- rootcerts-java-20210907.00-1.mga8.noarch

---rebooted

Browser appears to be working as designed

David Walser
2021-10-07 21:14:21 CEST
Blocks: (none) => 29535

David Walser
2021-10-07 21:17:34 CEST
Blocks: 29500 => (none)

I've been using this for a few days now on two machines, with no problems, so I'm going to validate it. Advisory in Comment 8.

Whiteboard: (none) => MGA8-64-OK

Dave Hodgins
2021-10-07 23:23:38 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0469.html

Status: NEW => RESOLVED

RedHat has issued an advisory for this today (October 12):
https://access.redhat.com/errata/RHSA-2021:3791