| Summary: | Firefox 102.13 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, fri, herman.viaene, mageia, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | nss, firefox | CVE: | |
| Status comment: | |||
Description

David Walser
2023-07-05 23:31:38 CEST

David Walser
2023-07-05 23:31:53 CEST

Whiteboard: (none) => MGA8TOO

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS (CVE-2023-37201).

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free in SpiderMonkey (CVE-2023-37202).

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks (CVE-2023-37207).

When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code (CVE-2023-37208).

Memory safety bugs present in Firefox ESR 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-37211).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37211
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/i-wiqdBIjMI
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/

Updates submitted to the build system, freeze move request posted for Cauldron, updated packages should be available on mirrors by the end of the day.

Assignee: luigiwalser => qa-bugs

I thought we do a regular testing here (qa) and move it afterwards, the regular way (maybe move to core and not to updates).

CC: (none) => mageia

MGA9-64 Plasma on an HP Pavilion 15. This install is an upgrade from a MGA8 install, I believe from the beta1 iso but I'm not sure now. After editing the list in comment 0 to change all "mga8" to "mga9" and "lib" to "lib64" I used it in qarepo to download the packages. I believe this is my first use of qarepo in Cauldron, definitely the first on this install, so it made for a good test of that, too. There were no installation issues for the US English version. Checked this out with my normal morning use of a laptop, read my newspaper, checked in on Facebook, looked at a couple of other sites, then threw in watching a brief video on YouTube. No issues to report.

CC: (none) => andrewsfarm

MGA8-64 MATE on Acer Aspire. No installation issues. Newspaper site all OK.

CC: (none) => herman.viaene

Nicolas Salguero
2023-07-10 09:30:10 CEST

Blocks: (none) => 32090

OK-64 on Cauldron, been using it some hours with various sites incl. shops, banking and video.

Whiteboard: MGA8TOO => (none)

Mageia8, x86_64: Mate. Running here all afternoon for various sites and links from emails.

CC: (none) => tarazed25

Cauldron packages moved to release and are on second rc build.

Giving this an MGA8 OK. Waiting on validation for Bug 32090 (Thunderbird), which has not been assigned to QA yet.

Whiteboard: (none) => MGA8-64-OK

While thunderbird depends on the firefox update, firefox does not depend on thunderbird. Quick testing shows that thunderbird-102.12.0-1.mga8 still works ok with this firefox update installed. Validating the update. Advisory committed to svn.

Keywords: (none) => advisory, validated_update

RedHat has issued an advisory for this on July 13: https://access.redhat.com/errata/RHSA-2023:4071

An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0235.html

Resolution: (none) => FIXED

Nicolas Salguero
2023-08-30 10:47:59 CEST

Blocks: 32090 => (none)