Bug 30976

Summary: Firefox 102.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fri, joselp, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nss, firefox CVE:
Status comment:

Description David Walser 2022-10-17 18:11:55 CEST 
Mozilla has released Firefox 102.4.0 today (October 17):
https://www.mozilla.org/en-US/firefox/102.4.0/releasenotes/

The release notes have not been posted yet.

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.84.0-1.mga8
libnss-devel-3.84.0-1.mga8
libnss-static-devel-3.84.0-1.mga8
nss-3.84.0-1.mga8
nss-doc-3.84.0-1.mga8
firefox-102.4.0-1.mga8
firefox-af-102.4.0-1.mga8
firefox-an-102.4.0-1.mga8
firefox-ar-102.4.0-1.mga8
firefox-ast-102.4.0-1.mga8
firefox-az-102.4.0-1.mga8
firefox-be-102.4.0-1.mga8
firefox-bg-102.4.0-1.mga8
firefox-bn-102.4.0-1.mga8
firefox-br-102.4.0-1.mga8
firefox-bs-102.4.0-1.mga8
firefox-ca-102.4.0-1.mga8
firefox-cs-102.4.0-1.mga8
firefox-cy-102.4.0-1.mga8
firefox-da-102.4.0-1.mga8
firefox-de-102.4.0-1.mga8
firefox-el-102.4.0-1.mga8
firefox-en_CA-102.4.0-1.mga8
firefox-en_GB-102.4.0-1.mga8
firefox-en_US-102.4.0-1.mga8
firefox-eo-102.4.0-1.mga8
firefox-es_AR-102.4.0-1.mga8
firefox-es_CL-102.4.0-1.mga8
firefox-es_ES-102.4.0-1.mga8
firefox-es_MX-102.4.0-1.mga8
firefox-et-102.4.0-1.mga8
firefox-eu-102.4.0-1.mga8
firefox-fa-102.4.0-1.mga8
firefox-ff-102.4.0-1.mga8
firefox-fi-102.4.0-1.mga8
firefox-fr-102.4.0-1.mga8
firefox-fy_NL-102.4.0-1.mga8
firefox-ga_IE-102.4.0-1.mga8
firefox-gd-102.4.0-1.mga8
firefox-gl-102.4.0-1.mga8
firefox-gu_IN-102.4.0-1.mga8
firefox-he-102.4.0-1.mga8
firefox-hi_IN-102.4.0-1.mga8
firefox-hr-102.4.0-1.mga8
firefox-hsb-102.4.0-1.mga8
firefox-hu-102.4.0-1.mga8
firefox-hy_AM-102.4.0-1.mga8
firefox-ia-102.4.0-1.mga8
firefox-id-102.4.0-1.mga8
firefox-is-102.4.0-1.mga8
firefox-it-102.4.0-1.mga8
firefox-ja-102.4.0-1.mga8
firefox-ka-102.4.0-1.mga8
firefox-kab-102.4.0-1.mga8
firefox-kk-102.4.0-1.mga8
firefox-km-102.4.0-1.mga8
firefox-kn-102.4.0-1.mga8
firefox-ko-102.4.0-1.mga8
firefox-lij-102.4.0-1.mga8
firefox-lt-102.4.0-1.mga8
firefox-lv-102.4.0-1.mga8
firefox-mk-102.4.0-1.mga8
firefox-mr-102.4.0-1.mga8
firefox-ms-102.4.0-1.mga8
firefox-my-102.4.0-1.mga8
firefox-nb_NO-102.4.0-1.mga8
firefox-nl-102.4.0-1.mga8
firefox-nn_NO-102.4.0-1.mga8
firefox-oc-102.4.0-1.mga8
firefox-pa_IN-102.4.0-1.mga8
firefox-pl-102.4.0-1.mga8
firefox-pt_BR-102.4.0-1.mga8
firefox-pt_PT-102.4.0-1.mga8
firefox-ro-102.4.0-1.mga8
firefox-ru-102.4.0-1.mga8
firefox-si-102.4.0-1.mga8
firefox-sk-102.4.0-1.mga8
firefox-sl-102.4.0-1.mga8
firefox-sq-102.4.0-1.mga8
firefox-sr-102.4.0-1.mga8
firefox-sv_SE-102.4.0-1.mga8
firefox-szl-102.4.0-1.mga8
firefox-ta-102.4.0-1.mga8
firefox-te-102.4.0-1.mga8
firefox-th-102.4.0-1.mga8
firefox-tl-102.4.0-1.mga8
firefox-tr-102.4.0-1.mga8
firefox-uk-102.4.0-1.mga8
firefox-ur-102.4.0-1.mga8
firefox-uz-102.4.0-1.mga8
firefox-vi-102.4.0-1.mga8
firefox-xh-102.4.0-1.mga8
firefox-zh_CN-102.4.0-1.mga8
firefox-zh_TW-102.4.0-1.mga8

from SRPMS:
nss-3.84.0-1.mga8.src.rpm
firefox-102.4.0-1.mga8.src.rpm
firefox-l10n-102.4.0-1.mga8.src.rpm
Comment 1 David Walser 2022-10-17 20:23:49 CEST 
Updates have been submitted to the build system and should be available by the end of the day.  Release notes should be available tomorrow.

Assignee: luigiwalser => qa-bugs

Comment 2 Jose Manuel López 2022-10-18 10:52:41 CEST 
Installed in MGA8-64 Plasma, all works fine for the moment. 

- Audio and video ok.
- Addons ok.
- Settings and spanish translation ok.

Updated from 102.3 version without issues in firefox profile.

CC: (none) => joselp

Comment 3 Morgan Leijström 2022-10-18 11:48:08 CEST 
mga8-64 Plasma nvidia-current i7


OK, been using it today:
clean update
Settings and open tabs kept
Swedish localisation
Some video sites
Some banking and shops


Old minor problem: The about box say "mageia 1.0"
https://bugs.mageia.org/show_bug.cgi?id=30867#c4

CC: (none) => fri

Comment 4 David Walser 2022-10-18 15:01:26 CEST 
Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-45/

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A same-origin policy violation could have allowed the theft of cross-origin URL
entries, leaking the result of a redirect, via performance.getEntries()
(CVE-2022-42927).

Certain types of allocations were missing annotations that, if the Garbage
Collector was in a specific state, could have lead to memory corruption in the
JS engine and a potentially exploitable crash (CVE-2022-42928).

If a website called window.print() in a particular way, it could cause a denial
of service of the browser, which may persist beyond browser restart depending on
the user's session restore settings (CVE-2022-42929).

Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox ESR 102.3. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code (CVE-2022-42932).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42932
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-45/
Comment 5 Dave Hodgins 2022-10-18 23:11:16 CEST 
Advisory committed to svn. Validating the update.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2022-10-19 01:16:36 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0378.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2022-10-21 19:33:53 CEST 
RedHat has issued an advisory for this on October 20:
https://access.redhat.com/errata/RHSA-2022:7071