| Summary: | Firefox 91.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, fri, guillaume.royer, hdetavernier, herman.viaene, joselp, sysadmin-bugs, yvesbrungard |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK MGA8-32-OK | ||
| Source RPM: | nss, firefox | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 29625 | ||
Description
David Walser
2021-11-02 15:55:30 CET
RedHat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2021:4123

Packages are uploading now and should be available in the next few hours.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame (CVE-2021-38503).

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash (CVE-2021-38504).

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing (CVE-2021-38506).

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage (CVE-2021-38507).

A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash (MOZ-2021-0008).

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission (CVE-2021-38508).

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (MOZ-2021-0007).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html

Assignee:
luigiwalser => qa-bugs

Hi! I have tried the new version. Works fine, banks, downloads, settings, language correct in Spanish. Greetings!

CC: (none) => joselpddj

Hi, tested on Mageia Gnome X64. I've tried several websites, legal streaming audio and videos websites, bank ... settings, installed extensions, French settings. All is ok and works fine.

CC: (none) => hdetavernier

David Walser
2021-11-05 16:48:43 CET

Blocks: (none) => 29625

MGA8-64 Plasma on Lenovo B50
No installation issues. Dutch settings, no issues seen on usual operations.

CC: (none) => herman.viaene

OK mga8-64, Plasma, nvidia-current, Swedish
Open tabs and settings retained. Banking apps, a bunch of sites I normally visit, video, ...

CC: (none) => fri

MGA 64 XFCE with nvidia 520M driver 390. French version. No issues after update.
Try with:
- Bank
- Element client matrix
- Netflix
I can't test it with visio like Jitsi or BBB

CC: (none) => guillaume.royer

MGA8-64 Plasma, tested US English version. Tried several websites, Facebook, newspaper, Youtube, Mageia Bugzilla. No issues noted.

CC: (none) => andrewsfarm

MGA8-32 Xfce on real 32-bit hardware, updating US, CA, and GB English. No installation issues. No problems using the existing profile. Tried some websites, including the GOES visible satellite loop for the Northeastern US. Lights of Toronto, Buffalo, Rochester, Syracuse, Albany, Pittsburgh, Cleveland, Washington DC, New York City, Boston, and others in the image. Pretty. No issues noted.

Giving this an OK, and validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK

Tested 64bits version. No regression seen.

CC: (none) => yves.brungard_mageia

Dave Hodgins
2021-11-10 18:48:26 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0505.html

Resolution: (none) => FIXED

I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0505.html
Mozilla Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/

Suggested change(s):
MOZ-2021-0008 -> CVE-2021-43535
MOZ-2021-0007 -> CVE-2021-43534