| Summary: | Firefox 91.12 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | brtians1, davidwhodgins, fri, herman.viaene, joselp, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | nss, firefox | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 30681 | | |

Description
David Walser
2022-07-25 17:22:45 CEST
Copy-paste error in Comment 0. There is an nss update, but not rootcerts. Updates have been submitted to the build system and should be available by the end of the day.

Assignee: luigiwalser => qa-bugs

The following package has to be removed for others to be upgraded:
lib64openssl-static-devel-1.1.1q-1.mga8.x86_64
(due to conflicts with lib64nss-static-devel-3.81.0-1.mga8.x86_64)

CC: (none) => herman.viaene

MGA8-64 Plasma on Acer Aspire 5253
No installation issues apart from the niggle in Comment 2.
Running usual newspaper site and beloved manamana on youtube and editing here shows no problems.

Mageia 8 Plasma X86_64.
No installation issues.
Banks, addons, settings, language es-ES, video and audio ok.
Works fine for me.

CC: (none) => joselp

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-29/

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

When visiting directory listings for chrome:// URLs as source text, some parameters were reflected (CVE-2022-36318).

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed (CVE-2022-36319).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36319
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jYrL4b47r3A
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_81.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-29/

Severity: critical => major

(In reply to Herman Viaene from comment #2)
> The following package has to be removed for others to be upgraded:
> lib64openssl-static-devel-1.1.1q-1.mga8.x86_64
> (due to conflicts with lib64nss-static-devel-3.81.0-1.mga8.x86_64)

That's normal. Allow it. Most people will not have the devel libs installed.

CC: (none) => davidwhodgins

Selecting Firefox in drakrpm, correctly libnss is selected too.
But should not also nss be autoselected, by libnss version?

CC: (none) => fri

No, you always need to make sure all relevant updates are selected when testing. They won't always automatically. It's not an issue once updates are pushed because you just install all available updates.

Well for normal cases yes.
We could also say that for libnss.
There is an irregularity that libnss is a dep of ff but not nss of libnss.

It is a dependency, just not all the way down to the version-release level. That's common among subpackages, as too tight dependencies can cause dependency loops and other issues that cause upgrade problems.

mga8-64 OK
Plasma, nvidia-current, 4k screen, i7
Localisation Swedish
Restored saved tabs
Plugins I have seem OK
Browsing some sites with video and different logins
No regression noted.

MGA8-64, Gnome, Asus Laptop AMD A6-9225 RADEON R4 RTL8723BE Bluetooth

The following 6 packages are going to be installed:

- firefox-91.12.0-1.mga8.x86_64
- firefox-en_CA-91.12.0-1.mga8.noarch
- firefox-en_GB-91.12.0-1.mga8.noarch
- firefox-en_US-91.12.0-1.mga8.noarch
- lib64nss3-3.81.0-1.mga8.x86_64
- nss-3.81.0-1.mga8.x86_64

---- restarted system

I've used it on my favorite websites (video/audio/text) - no issues

CC: (none) => brtians1

David Walser
2022-07-29 17:34:33 CEST
Blocks: (none) => 30681

No regressions noticed. Validating the update.

Keywords: (none) => validated_update

Dave Hodgins
2022-07-29 20:35:38 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0271.html

Status: NEW => RESOLVED

I've been told that the nss update wasn't pushed.

Resolution: FIXED => (none)

Per msg on dev list 11 hours ago tmb moved it, and later a user responded it worked.

Resolution: (none) => FIXED

RedHat has issued an advisory for this today (August 1):
https://access.redhat.com/errata/RHSA-2022:5767