Bug 30367

Summary: Firefox 91.9
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, fri, joselp, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nss, firefox CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30374    

Description David Walser 2022-05-03 17:07:57 CEST 
Mozilla has released Firefox 91.9.0 today (May 3):
https://www.mozilla.org/en-US/firefox/91.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hQUjX_jwbEk
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
nss-3.78.0-1.mga8
nss-doc-3.78.0-1.mga8
libnss3-3.78.0-1.mga8
libnss-devel-3.78.0-1.mga8
libnss-static-devel-3.78.0-1.mga8
firefox-91.9.0-1.mga8
firefox-ru-91.9.0-1.mga8
firefox-uk-91.9.0-1.mga8
firefox-be-91.9.0-1.mga8
firefox-el-91.9.0-1.mga8
firefox-kk-91.9.0-1.mga8
firefox-th-91.9.0-1.mga8
firefox-pa_IN-91.9.0-1.mga8
firefox-ka-91.9.0-1.mga8
firefox-ja-91.9.0-1.mga8
firefox-bg-91.9.0-1.mga8
firefox-sr-91.9.0-1.mga8
firefox-hy_AM-91.9.0-1.mga8
firefox-ko-91.9.0-1.mga8
firefox-zh_TW-91.9.0-1.mga8
firefox-vi-91.9.0-1.mga8
firefox-zh_CN-91.9.0-1.mga8
firefox-hu-91.9.0-1.mga8
firefox-bn-91.9.0-1.mga8
firefox-hi_IN-91.9.0-1.mga8
firefox-ar-91.9.0-1.mga8
firefox-sk-91.9.0-1.mga8
firefox-cs-91.9.0-1.mga8
firefox-ur-91.9.0-1.mga8
firefox-hsb-91.9.0-1.mga8
firefox-lt-91.9.0-1.mga8
firefox-te-91.9.0-1.mga8
firefox-fr-91.9.0-1.mga8
firefox-he-91.9.0-1.mga8
firefox-pl-91.9.0-1.mga8
firefox-sq-91.9.0-1.mga8
firefox-fa-91.9.0-1.mga8
firefox-de-91.9.0-1.mga8
firefox-oc-91.9.0-1.mga8
firefox-tr-91.9.0-1.mga8
firefox-kab-91.9.0-1.mga8
firefox-es_MX-91.9.0-1.mga8
firefox-es_AR-91.9.0-1.mga8
firefox-es_CL-91.9.0-1.mga8
firefox-pt_PT-91.9.0-1.mga8
firefox-fy_NL-91.9.0-1.mga8
firefox-pt_BR-91.9.0-1.mga8
firefox-gl-91.9.0-1.mga8
firefox-cy-91.9.0-1.mga8
firefox-sv_SE-91.9.0-1.mga8
firefox-gd-91.9.0-1.mga8
firefox-km-91.9.0-1.mga8
firefox-ro-91.9.0-1.mga8
firefox-mr-91.9.0-1.mga8
firefox-gu_IN-91.9.0-1.mga8
firefox-hr-91.9.0-1.mga8
firefox-sl-91.9.0-1.mga8
firefox-nl-91.9.0-1.mga8
firefox-es_ES-91.9.0-1.mga8
firefox-eo-91.9.0-1.mga8
firefox-ca-91.9.0-1.mga8
firefox-da-91.9.0-1.mga8
firefox-fi-91.9.0-1.mga8
firefox-eu-91.9.0-1.mga8
firefox-ia-91.9.0-1.mga8
firefox-nn_NO-91.9.0-1.mga8
firefox-nb_NO-91.9.0-1.mga8
firefox-br-91.9.0-1.mga8
firefox-id-91.9.0-1.mga8
firefox-tl-91.9.0-1.mga8
firefox-my-91.9.0-1.mga8
firefox-ta-91.9.0-1.mga8
firefox-en_GB-91.9.0-1.mga8
firefox-szl-91.9.0-1.mga8
firefox-en_CA-91.9.0-1.mga8
firefox-an-91.9.0-1.mga8
firefox-ast-91.9.0-1.mga8
firefox-kn-91.9.0-1.mga8
firefox-az-91.9.0-1.mga8
firefox-si-91.9.0-1.mga8
firefox-en_US-91.9.0-1.mga8
firefox-et-91.9.0-1.mga8
firefox-ff-91.9.0-1.mga8
firefox-lij-91.9.0-1.mga8
firefox-uz-91.9.0-1.mga8
firefox-is-91.9.0-1.mga8
firefox-mk-91.9.0-1.mga8
firefox-lv-91.9.0-1.mga8
firefox-bs-91.9.0-1.mga8
firefox-ga_IE-91.9.0-1.mga8
firefox-it-91.9.0-1.mga8
firefox-ms-91.9.0-1.mga8
firefox-xh-91.9.0-1.mga8
firefox-af-91.9.0-1.mga8

from SRPMS:
nss-3.78.0-1.mga8.src.rpm
firefox-91.9.0-1.mga8.src.rpm
firefox-l10n-91.9.0-1.mga8.src.rpm
Comment 1 David Walser 2022-05-03 17:12:04 CEST 
Packages are in the process of being submitted to the build system and should be available later today.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Documents in deeply-nested cross-origin browsing contexts could have obtained
permissions granted to the top-level origin, bypassing the existing prompt and
wrongfully inheriting the top-level permissions (CVE-2022-29909).

Firefox did not properly protect against top-level navigations for an iframe
sandbox with a policy relaxed through a keyword like
allow-top-navigation-by-user-activation (CVE-2022-29911).

Requests initiated through reader mode did not properly omit cookies with a
SameSite attribute (CVE-2022-29912).

When reusing existing popups Firefox would have allowed them to cover the
fullscreen notification UI, which could have enabled browser spoofing attacks
(CVE-2022-29914).

Firefox behaved slightly differently for already known resources when loading
CSS resources involving CSS variables. This could have been used to probe the
browser history (CVE-2022-29916).

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the
Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 91.8.
Some of these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run arbitrary
code (CVE-2022-29917).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29917
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/
Comment 2 David Walser 2022-05-03 19:35:18 CEST 
Packages have been submitted to the build system and will be available eventually.

Assignee: luigiwalser => qa-bugs

Comment 3 Morgan Leijström 2022-05-04 10:16:14 CEST 
OK mga8-64, Plasma, nvidia-current, Swedish locale
Some banking sites, webshops, video sites, printing.

CC: (none) => fri

Comment 4 Len Lawrence 2022-05-04 12:13:34 CEST 
mga8, x64
Updated and restarted firefox.  Restored previous session.
Working fine - local file browser, command-line invocation of Youtube video, interactive word puzzle, Google Maps....

CC: (none) => tarazed25

Comment 5 Brian Rockwell 2022-05-04 16:11:39 CEST 
MGA8-64, Gnome, Asus Laptop

AMD A6-9225 RADEON R4
RTL8723BE 
Bluetooth

The following 5 packages are going to be installed:

- firefox-91.9.0-1.mga8.x86_64
- firefox-en_CA-91.9.0-1.mga8.noarch
- firefox-en_GB-91.9.0-1.mga8.noarch
- firefox-en_US-91.9.0-1.mga8.noarch
- lib64nss3-3.78.0-1.mga8.x86_64

945B of disk space will be freed.

---- restarted system

I've used it on my favorite websites (video/audio/text) - no issues

CC: (none) => brtians1

Comment 6 David Walser 2022-05-04 18:28:43 CEST 
RedHat has issued an advisory for this today (May 4):
https://access.redhat.com/errata/RHSA-2022:1705
David Walser 2022-05-04 18:37:06 CEST

Blocks: (none) => 30374

Comment 7 Jose Manuel López 2022-05-05 08:53:50 CEST 
Hi,

Updated from 91.8 in Mageia 8 Plasma x86_64. Writing from new version now. No issues for the moment.

Banks, sync, addons, spanish locale, youtube ok.

Greetings!

CC: (none) => joselp

Comment 8 Thomas Andrews 2022-05-06 14:57:58 CEST 
Updated the mga8-64 US English Firefox and Thunderbird in one operation. No issues to report with either.

CC: (none) => andrewsfarm

Comment 9 Dave Hodgins 2022-05-06 21:23:08 CEST 
Validating the update. Advisory committed to svn.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2022-05-06 22:18:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0162.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED