| Summary: | Firefox and Thunderbird 91.9.1 new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, fri, guillaume.royer, joselp, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | firefox, firefox-l10n, thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | |||
Description
Nicolas Salguero
2022-05-22 09:24:52 CEST
Nicolas Salguero
2022-05-22 09:25:54 CEST
Whiteboard:
(none) =>
MGA8TOO

No rootcerts, nspr, or nss updates at this time. It looks like Christian has started working on the Firefox update.

CC:
(none) =>
chb0

In which case, I hope I have the right Christian as assignee for Firefox. (squidf is new to me). For Thunderbird, doktor5000 is the registered maintainer, but NicolasS has been nursing it for some time; he is already CC'd.

Assignee:
bugsquad =>
chb0

Hi Lewis. Yes, you picked up the "right" Christian. However, here, it is David W. who has done most of the job! Firefox seems to be ready by now, based on our BS status; I will let David confirm. Is anyone taking care of Thunderbird?

Yes, Firefox is ready. I assume Nicolas is taking care of Thunderbird as usual.

(In reply to David Walser from comment #4)
> Yes, Firefox is ready.

CC:
(none) =>
fri

mga8-64 OK here on Plasma, Swedish, Nvidia-current. Tabs and settings preserved, various logins, video.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prototype pollution in Top-Level Await implementation. (CVE-2022-1802)

Untrusted input used in JavaScript object indexing, leading to prototype pollution. (CVE-2022-1529)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1529
https://www.mozilla.org/en-US/firefox/91.9.1/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/91.9.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
========================

Updated packages in core/updates_testing:
========================
firefox-91.9.1-1.mga8 firefox-be-91.9.1-1.mga8 firefox-ru-91.9.1-1.mga8 firefox-uk-91.9.1-1.mga8 firefox-el-91.9.1-1.mga8 firefox-th-91.9.1-1.mga8 firefox-kk-91.9.1-1.mga8 firefox-ka-91.9.1-1.mga8 firefox-pa_IN-91.9.1-1.mga8 firefox-sr-91.9.1-1.mga8 firefox-hy_AM-91.9.1-1.mga8 firefox-ja-91.9.1-1.mga8 firefox-ko-91.9.1-1.mga8 firefox-zh_TW-91.9.1-1.mga8 firefox-zh_CN-91.9.1-1.mga8 firefox-vi-91.9.1-1.mga8 firefox-bg-91.9.1-1.mga8 firefox-sk-91.9.1-1.mga8 firefox-hu-91.9.1-1.mga8 firefox-cs-91.9.1-1.mga8 firefox-hsb-91.9.1-1.mga8 firefox-hi_IN-91.9.1-1.mga8 firefox-lt-91.9.1-1.mga8 firefox-fa-91.9.1-1.mga8 firefox-ar-91.9.1-1.mga8 firefox-fr-91.9.1-1.mga8 firefox-ur-91.9.1-1.mga8 firefox-bn-91.9.1-1.mga8 firefox-he-91.9.1-1.mga8 firefox-sq-91.9.1-1.mga8 firefox-tr-91.9.1-1.mga8 firefox-de-91.9.1-1.mga8 firefox-pl-91.9.1-1.mga8 firefox-oc-91.9.1-1.mga8 firefox-es_AR-91.9.1-1.mga8 firefox-te-91.9.1-1.mga8 firefox-es_MX-91.9.1-1.mga8 firefox-es_CL-91.9.1-1.mga8 firefox-kab-91.9.1-1.mga8 firefox-pt_PT-91.9.1-1.mga8 firefox-fy_NL-91.9.1-1.mga8 firefox-pt_BR-91.9.1-1.mga8 firefox-gl-91.9.1-1.mga8 firefox-cy-91.9.1-1.mga8 firefox-sv_SE-91.9.1-1.mga8 firefox-sl-91.9.1-1.mga8 firefox-eu-91.9.1-1.mga8
firefox-nl-91.9.1-1.mga8 firefox-es_ES-91.9.1-1.mga8 firefox-km-91.9.1-1.mga8 firefox-da-91.9.1-1.mga8 firefox-eo-91.9.1-1.mga8 firefox-ca-91.9.1-1.mga8 firefox-ia-91.9.1-1.mga8 firefox-mr-91.9.1-1.mga8 firefox-nn_NO-91.9.1-1.mga8 firefox-fi-91.9.1-1.mga8 firefox-gd-91.9.1-1.mga8 firefox-hr-91.9.1-1.mga8 firefox-nb_NO-91.9.1-1.mga8 firefox-gu_IN-91.9.1-1.mga8 firefox-ro-91.9.1-1.mga8 firefox-id-91.9.1-1.mga8 firefox-br-91.9.1-1.mga8 firefox-my-91.9.1-1.mga8 firefox-tl-91.9.1-1.mga8 firefox-ta-91.9.1-1.mga8 firefox-en_GB-91.9.1-1.mga8 firefox-szl-91.9.1-1.mga8 firefox-en_CA-91.9.1-1.mga8 firefox-et-91.9.1-1.mga8 firefox-an-91.9.1-1.mga8 firefox-kn-91.9.1-1.mga8 firefox-ast-91.9.1-1.mga8 firefox-az-91.9.1-1.mga8 firefox-en_US-91.9.1-1.mga8 firefox-si-91.9.1-1.mga8 firefox-ff-91.9.1-1.mga8 firefox-lij-91.9.1-1.mga8 firefox-is-91.9.1-1.mga8 firefox-uz-91.9.1-1.mga8 firefox-mk-91.9.1-1.mga8 firefox-bs-91.9.1-1.mga8 firefox-lv-91.9.1-1.mga8 firefox-ga_IE-91.9.1-1.mga8 firefox-it-91.9.1-1.mga8 firefox-xh-91.9.1-1.mga8 firefox-ms-91.9.1-1.mga8 firefox-af-91.9.1-1.mga8 thunderbird-91.9.1-1.mga8 thunderbird-ru-91.9.1-1.mga8 thunderbird-uk-91.9.1-1.mga8 thunderbird-ka-91.9.1-1.mga8 thunderbird-el-91.9.1-1.mga8 thunderbird-th-91.9.1-1.mga8 thunderbird-ja-91.9.1-1.mga8 thunderbird-kk-91.9.1-1.mga8 thunderbird-zh_TW-91.9.1-1.mga8 thunderbird-zh_CN-91.9.1-1.mga8 thunderbird-hy_AM-91.9.1-1.mga8 thunderbird-sk-91.9.1-1.mga8 thunderbird-hu-91.9.1-1.mga8 thunderbird-dsb-91.9.1-1.mga8 thunderbird-vi-91.9.1-1.mga8 thunderbird-hsb-91.9.1-1.mga8 thunderbird-sr-91.9.1-1.mga8 thunderbird-cs-91.9.1-1.mga8 thunderbird-fr-91.9.1-1.mga8 thunderbird-ko-91.9.1-1.mga8 thunderbird-sq-91.9.1-1.mga8 thunderbird-lt-91.9.1-1.mga8 thunderbird-be-91.9.1-1.mga8 thunderbird-bg-91.9.1-1.mga8 thunderbird-es_AR-91.9.1-1.mga8 thunderbird-de-91.9.1-1.mga8 thunderbird-tr-91.9.1-1.mga8 thunderbird-pl-91.9.1-1.mga8 thunderbird-pt_BR-91.9.1-1.mga8 thunderbird-fy_NL-91.9.1-1.mga8 thunderbird-sv_SE-91.9.1-1.mga8 
thunderbird-kab-91.9.1-1.mga8 thunderbird-nl-91.9.1-1.mga8 thunderbird-cy-91.9.1-1.mga8 thunderbird-gl-91.9.1-1.mga8 thunderbird-eu-91.9.1-1.mga8 thunderbird-he-91.9.1-1.mga8 thunderbird-pt_PT-91.9.1-1.mga8 thunderbird-fi-91.9.1-1.mga8 thunderbird-ar-91.9.1-1.mga8 thunderbird-sl-91.9.1-1.mga8 thunderbird-ro-91.9.1-1.mga8 thunderbird-da-91.9.1-1.mga8 thunderbird-nn_NO-91.9.1-1.mga8 thunderbird-nb_NO-91.9.1-1.mga8 thunderbird-pa_IN-91.9.1-1.mga8 thunderbird-hr-91.9.1-1.mga8 thunderbird-ca-91.9.1-1.mga8 thunderbird-id-91.9.1-1.mga8 thunderbird-en_GB-91.9.1-1.mga8 thunderbird-gd-91.9.1-1.mga8 thunderbird-en_CA-91.9.1-1.mga8 thunderbird-en_US-91.9.1-1.mga8 thunderbird-br-91.9.1-1.mga8 thunderbird-lv-91.9.1-1.mga8 thunderbird-it-91.9.1-1.mga8 thunderbird-ga_IE-91.9.1-1.mga8 thunderbird-et-91.9.1-1.mga8 thunderbird-uz-91.9.1-1.mga8 thunderbird-ast-91.9.1-1.mga8 thunderbird-is-91.9.1-1.mga8 thunderbird-ms-91.9.1-1.mga8 thunderbird-es_ES-91.9.1-1.mga8 thunderbird-af-91.9.1-1.mga8

from SRPMS:
firefox-91.9.1-1.mga8.src.rpm
firefox-l10n-91.9.1-1.mga8.src.rpm
thunderbird-91.9.1-1.mga8.src.rpm
thunderbird-l10n-91.9.1-1.mga8.src.rpm

Status:
NEW =>
ASSIGNED

Updated the US English versions of both, sent/received some emails, visited several web pages, using Firefox here now. No issues noted.

CC:
(none) =>
andrewsfarm

MGA 64 XFCE
Test FF with:
Video (Netflix) Ok
Sound Ok
Bank sites Ok
Jitsi Ok
Test TB:
Send and receive mail Ok
Synchronization calendar & contact Ok

CC:
(none) =>
guillaume.royer

mga8-64 Thunderbird OK; Plasma, Swedish Settings and local mail preserved. IMAP online and offline, SMTP Not using filter, calendar, ... Comment 6 was OK for Firefox.

RedHat has issued an advisory for Thunderbird today (May 24):
https://access.redhat.com/errata/RHSA-2022:4730

Hi, Tested in Mga 8 Plasma. Thunderbird ok, send and receive, contacts, task, calendar. Updated from the last stable version. Firefox ok, writing from this version right now, addons ok, bookmarks and passwords ok, settings and locale ok.

CC:
(none) =>
joselp

MGA8-64, Xfce
The following 4 packages are going to be installed:
- firefox-91.9.1-1.mga8.x86_64
- firefox-en_CA-91.9.1-1.mga8.noarch
- firefox-en_GB-91.9.1-1.mga8.noarch
- firefox-en_US-91.9.1-1.mga8.noarch
working as expected

CC:
(none) =>
brtians1

Looks good enough to me. Validating. Advisory in Comment 7.

Whiteboard:
(none) =>
MGA8-64-OK
Dave Hodgins
2022-05-25 02:46:11 CEST
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0207.html

Resolution:
(none) =>
FIXED

RedHat has issued an advisory for Firefox on May 27:
https://access.redhat.com/errata/RHSA-2022:4765