Bug 30124

Summary: Firefox 91.6.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: brtians1, davidwhodgins, fri, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: rootcerts, nss, firefox CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30129    

Description David Walser 2022-03-05 22:37:11 CET 
Mozilla has released Firefox 91.6.1 today (March 5):
https://www.mozilla.org/en-US/firefox/91.6.1/releasenotes/

It fixes two security issues, being actively exploited in the wild:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/

There are also rootcerts and nss updates:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/W13LB93wep4
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
rootcerts-20220208.00-1.mga8
rootcerts-java-20220208.00-1.mga8
nss-3.76.0-1.mga8
nss-doc-3.76.0-1.mga8
libnss3-3.76.0-1.mga8
libnss-devel-3.76.0-1.mga8
libnss-static-devel-3.76.0-1.mga8
firefox-91.6.1-1.mga8
firefox-ru-91.6.1-1.mga8
firefox-uk-91.6.1-1.mga8
firefox-be-91.6.1-1.mga8
firefox-el-91.6.1-1.mga8
firefox-kk-91.6.1-1.mga8
firefox-th-91.6.1-1.mga8
firefox-pa_IN-91.6.1-1.mga8
firefox-ka-91.6.1-1.mga8
firefox-ja-91.6.1-1.mga8
firefox-bg-91.6.1-1.mga8
firefox-sr-91.6.1-1.mga8
firefox-hy_AM-91.6.1-1.mga8
firefox-ko-91.6.1-1.mga8
firefox-zh_TW-91.6.1-1.mga8
firefox-vi-91.6.1-1.mga8
firefox-zh_CN-91.6.1-1.mga8
firefox-hu-91.6.1-1.mga8
firefox-bn-91.6.1-1.mga8
firefox-hi_IN-91.6.1-1.mga8
firefox-ar-91.6.1-1.mga8
firefox-sk-91.6.1-1.mga8
firefox-cs-91.6.1-1.mga8
firefox-ur-91.6.1-1.mga8
firefox-hsb-91.6.1-1.mga8
firefox-lt-91.6.1-1.mga8
firefox-te-91.6.1-1.mga8
firefox-fr-91.6.1-1.mga8
firefox-he-91.6.1-1.mga8
firefox-pl-91.6.1-1.mga8
firefox-sq-91.6.1-1.mga8
firefox-fa-91.6.1-1.mga8
firefox-de-91.6.1-1.mga8
firefox-oc-91.6.1-1.mga8
firefox-tr-91.6.1-1.mga8
firefox-kab-91.6.1-1.mga8
firefox-es_MX-91.6.1-1.mga8
firefox-es_AR-91.6.1-1.mga8
firefox-es_CL-91.6.1-1.mga8
firefox-pt_PT-91.6.1-1.mga8
firefox-fy_NL-91.6.1-1.mga8
firefox-pt_BR-91.6.1-1.mga8
firefox-gl-91.6.1-1.mga8
firefox-cy-91.6.1-1.mga8
firefox-sv_SE-91.6.1-1.mga8
firefox-gd-91.6.1-1.mga8
firefox-km-91.6.1-1.mga8
firefox-ro-91.6.1-1.mga8
firefox-mr-91.6.1-1.mga8
firefox-gu_IN-91.6.1-1.mga8
firefox-hr-91.6.1-1.mga8
firefox-sl-91.6.1-1.mga8
firefox-nl-91.6.1-1.mga8
firefox-es_ES-91.6.1-1.mga8
firefox-eo-91.6.1-1.mga8
firefox-ca-91.6.1-1.mga8
firefox-da-91.6.1-1.mga8
firefox-fi-91.6.1-1.mga8
firefox-eu-91.6.1-1.mga8
firefox-ia-91.6.1-1.mga8
firefox-nn_NO-91.6.1-1.mga8
firefox-nb_NO-91.6.1-1.mga8
firefox-br-91.6.1-1.mga8
firefox-id-91.6.1-1.mga8
firefox-tl-91.6.1-1.mga8
firefox-my-91.6.1-1.mga8
firefox-ta-91.6.1-1.mga8
firefox-en_GB-91.6.1-1.mga8
firefox-szl-91.6.1-1.mga8
firefox-en_CA-91.6.1-1.mga8
firefox-an-91.6.1-1.mga8
firefox-ast-91.6.1-1.mga8
firefox-kn-91.6.1-1.mga8
firefox-az-91.6.1-1.mga8
firefox-si-91.6.1-1.mga8
firefox-en_US-91.6.1-1.mga8
firefox-et-91.6.1-1.mga8
firefox-ff-91.6.1-1.mga8
firefox-lij-91.6.1-1.mga8
firefox-uz-91.6.1-1.mga8
firefox-is-91.6.1-1.mga8
firefox-mk-91.6.1-1.mga8
firefox-lv-91.6.1-1.mga8
firefox-bs-91.6.1-1.mga8
firefox-ga_IE-91.6.1-1.mga8
firefox-it-91.6.1-1.mga8
firefox-ms-91.6.1-1.mga8
firefox-xh-91.6.1-1.mga8
firefox-af-91.6.1-1.mga8

from SRPMS:
rootcerts-20220208.00-1.mga8.src.rpm
nss-3.76.0-1.mga8.src.rpm
firefox-91.6.1-1.mga8.src.rpm
firefox-l10n-91.6.1-1.mga8.src.rpm
Dave Hodgins 2022-03-06 02:26:21 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 1 David Walser 2022-03-06 03:15:52 CET 
Packages submitted to the build system and should be available in a few hours.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Removing an XSLT parameter during processing could have lead to an exploitable
use-after-free (CVE-2022-26485).

An unexpected message in the WebGPU IPC framework could lead to a
use-after-free and exploitable sandbox escape (CVE-2022-26486).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26486
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_76.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/

Assignee: bugsquad => qa-bugs
Keywords: advisory => (none)

Comment 2 David Walser 2022-03-06 03:19:03 CET 
SVN advisory fixed.

Keywords: (none) => advisory

Comment 3 Dave Hodgins 2022-03-06 04:11:02 CET 
Tested on Mageia x86_64, both Canadian English and French.
Validating the update.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Dave Hodgins 2022-03-06 04:26:57 CET 
Tested on aarch64 too (rpi 4b).
Comment 5 Brian Rockwell 2022-03-06 05:01:58 CET 
The following 8 packages are going to be installed:

- firefox-91.6.1-1.mga8.x86_64
- firefox-en_CA-91.6.1-1.mga8.noarch
- firefox-en_GB-91.6.1-1.mga8.noarch
- firefox-en_US-91.6.1-1.mga8.noarch
- lib64nss3-3.76.0-1.mga8.x86_64
- nss-3.76.0-1.mga8.x86_64
- rootcerts-20220208.00-1.mga8.noarch
- rootcerts-java-20220208.00-1.mga8.noarch


-- rebooted

youtube sound works
typical sites work

no issues I can identify

CC: (none) => brtians1

Comment 6 Mageia Robot 2022-03-06 11:41:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0089.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 Morgan Leijström 2022-03-06 11:57:15 CET 
OK mga8-64 swedish plasma
localisation, settings, tabs restored.
Some typical browsing incl video & banking

CC: (none) => fri

David Walser 2022-03-07 17:32:28 CET

Blocks: (none) => 30129

Comment 8 David Walser 2022-03-10 16:51:18 CET 
RedHat has issued an advisory for this today (March 10):
https://access.redhat.com/errata/RHSA-2022:0818