| Summary: | Firefox 115.5 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, fri, guillaume.royer, herman.viaene, marja11, sysadmin-bugs, tarazed25, xerxes2 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-32-OK MGA9-64-OK | ||
| Source RPM: | rootcerts, nss, firefox, firefox-l10n | CVE: | CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 32552 | ||
Description
Nicolas Salguero
2023-11-22 10:13:12 CET
There is also an update for rootcerts (2023-11-13).

CC:
(none) =>
nicolas.salguero

Nicolas, once again excuse me for assigning this to you - being the principal maintainer of Firefox.

Assignee:
bugsquad =>
nicolas.salguero
Nicolas Salguero
2023-11-24 11:36:32 CET
Assignee:
nicolas.salguero =>
pkg-bugs

(In reply to Nicolas Salguero from comment #1)
> There is also an update for rootcerts (2023-11-13).

In fact, rootcerts (2023-11-16).

For Cauldron and Mageia 9, new versions of rootcerts, firefox and firefox-l10n are in SVN.

NSS 3.95 was released on November 16:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html

Source RPM:
rootcerts, firefox, firefox-l10n =>
rootcerts, nss, firefox, firefox-l10n
Nicolas Salguero
2023-11-30 10:28:12 CET
Blocks:
(none) =>
32552

firefox-115.5.0-3.mga9 will include a patch from CentOS for CVE-2023-44488 (see bug 32586).

For Mageia 9, all is built. For Cauldron, firefox and firefox-l10n need to be built.

Updated packages in core/updates_testing:
========================
rootcerts-20231116.00-1.mga9
rootcerts-java-20231116.00-1.mga9
lib(64)nss3-3.95.0-1.mga9
lib(64)nss-devel-3.95.0-1.mga9
lib(64)nss-static-devel-3.95.0-1.mga9
nss-3.95.0-1.mga9
nss-doc-3.95.0-1.mga9
firefox-115.5.0-3.mga9
firefox-af-115.5.0-1.mga9
firefox-an-115.5.0-1.mga9
firefox-ar-115.5.0-1.mga9
firefox-ast-115.5.0-1.mga9
firefox-az-115.5.0-1.mga9
firefox-be-115.5.0-1.mga9
firefox-bg-115.5.0-1.mga9
firefox-bn-115.5.0-1.mga9
firefox-br-115.5.0-1.mga9
firefox-bs-115.5.0-1.mga9
firefox-ca-115.5.0-1.mga9
firefox-cs-115.5.0-1.mga9
firefox-cy-115.5.0-1.mga9
firefox-da-115.5.0-1.mga9
firefox-de-115.5.0-1.mga9
firefox-el-115.5.0-1.mga9
firefox-en_CA-115.5.0-1.mga9
firefox-en_GB-115.5.0-1.mga9
firefox-en_US-115.5.0-1.mga9
firefox-eo-115.5.0-1.mga9
firefox-es_AR-115.5.0-1.mga9
firefox-es_CL-115.5.0-1.mga9
firefox-es_ES-115.5.0-1.mga9
firefox-es_MX-115.5.0-1.mga9
firefox-et-115.5.0-1.mga9
firefox-eu-115.5.0-1.mga9
firefox-fa-115.5.0-1.mga9
firefox-ff-115.5.0-1.mga9
firefox-fi-115.5.0-1.mga9
firefox-fr-115.5.0-1.mga9
firefox-fur-115.5.0-1.mga9
firefox-fy_NL-115.5.0-1.mga9
firefox-ga_IE-115.5.0-1.mga9
firefox-gd-115.5.0-1.mga9
firefox-gl-115.5.0-1.mga9
firefox-gu_IN-115.5.0-1.mga9
firefox-he-115.5.0-1.mga9
firefox-hi_IN-115.5.0-1.mga9
firefox-hr-115.5.0-1.mga9
firefox-hsb-115.5.0-1.mga9
firefox-hu-115.5.0-1.mga9
firefox-hy_AM-115.5.0-1.mga9
firefox-ia-115.5.0-1.mga9
firefox-id-115.5.0-1.mga9
firefox-is-115.5.0-1.mga9
firefox-it-115.5.0-1.mga9
firefox-ja-115.5.0-1.mga9
firefox-ka-115.5.0-1.mga9
firefox-kab-115.5.0-1.mga9
firefox-kk-115.5.0-1.mga9
firefox-km-115.5.0-1.mga9
firefox-kn-115.5.0-1.mga9
firefox-ko-115.5.0-1.mga9
firefox-lij-115.5.0-1.mga9
firefox-lt-115.5.0-1.mga9
firefox-lv-115.5.0-1.mga9
firefox-mk-115.5.0-1.mga9
firefox-mr-115.5.0-1.mga9
firefox-ms-115.5.0-1.mga9
firefox-my-115.5.0-1.mga9
firefox-nb_NO-115.5.0-1.mga9
firefox-nl-115.5.0-1.mga9
firefox-nn_NO-115.5.0-1.mga9
firefox-oc-115.5.0-1.mga9
firefox-pa_IN-115.5.0-1.mga9
firefox-pl-115.5.0-1.mga9
firefox-pt_BR-115.5.0-1.mga9
firefox-pt_PT-115.5.0-1.mga9
firefox-ro-115.5.0-1.mga9
firefox-ru-115.5.0-1.mga9
firefox-sc-115.5.0-1.mga9
firefox-si-115.5.0-1.mga9
firefox-sk-115.5.0-1.mga9
firefox-sl-115.5.0-1.mga9
firefox-sq-115.5.0-1.mga9
firefox-sr-115.5.0-1.mga9
firefox-sv_SE-115.5.0-1.mga9
firefox-szl-115.5.0-1.mga9
firefox-ta-115.5.0-1.mga9
firefox-te-115.5.0-1.mga9
firefox-tg-115.5.0-1.mga9
firefox-th-115.5.0-1.mga9
firefox-tl-115.5.0-1.mga9
firefox-tr-115.5.0-1.mga9
firefox-uk-115.5.0-1.mga9
firefox-ur-115.5.0-1.mga9
firefox-uz-115.5.0-1.mga9
firefox-vi-115.5.0-1.mga9
firefox-xh-115.5.0-1.mga9
firefox-zh_CN-115.5.0-1.mga9
firefox-zh_TW-115.5.0-1.mga9

from SRPMS:
rootcerts-20231116.00-1.mga9.src.rpm
nss-3.95.0-1.mga9.src.rpm
firefox-115.5.0-3.mga9.src.rpm
firefox-l10n-115.5.0-1.mga9.src.rpm

Ready for QA? If so, assign to QA :)

CC:
(none) =>
fri

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out-of-bound memory access in WebGL2 blitFramebuffer. (CVE-2023-6204)

Use-after-free in MessagePort::Entangled. (CVE-2023-6205)

Clickjacking permission prompts using the fullscreen transition. (CVE-2023-6206)

Use-after-free in ReadableByteStreamQueueEntry::Buffer. (CVE-2023-6207)

Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

Incorrect parsing of relative URLs starting with "///". (CVE-2023-6209)

Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. (CVE-2023-6212)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6212
https://www.mozilla.org/en-US/firefox/115.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html

Version:
Cauldron =>
9

This version as well as our last update do not list the article in this catalogue at page
https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/

Just me? (maybe I have some plugin or too many tabs or some setting...)
Even stranger, other listings on that site works.

Our chromium display the content (232 products), as well as Firefox flatpak 119.0.1.

Advisory from comment 9 with SRPMs from comment 7 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords:
(none) =>
advisory

(In reply to Morgan Leijström from comment #10)
> This version as well as our last update do not list the article in this
> catalogue at page
> https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/
>
> Just me? (maybe I have some plugin or too many tabs or some setting...)
> Even stranger, other listings on that site works.

In my tests, I did not see any difference between what is displayed with firefox 115.5 and chromium.

Mageia9, x86_64

Before updating the indicated page worked fine for the current firefox 115.4 and chromium-browser and continued to work for the updated firefox all with en_GB/CA/US. The updated browser works fine.

CC:
(none) =>
tarazed25

MGA9 x86_64 GNOME

Updated with QArepo and RPM:

firefox 115.5.0 3.mga9 x86_64
firefox-fr 115.5.0 1.mga9 noarch
lib64nss3 3.95.0 1.mga9 x86_64
nss 3.95.0 1.mga9 x86_64
rootcerts 20231116.00 1.mga9 noarch
rootcerts-java 20231116.00 1.mga9 noarch

Browsing OK, sites:

Bank Ok
Streaming (Netflix) Ok
Element web matrix Ok

CC:
(none) =>
guillaume.royer

Could you please consider adding support for Wayland?

--enable-default-toolkit=cairo-gtk3-wayland

https://svnweb.mageia.org/packages/cauldron/firefox/current/SPECS/firefox.spec?revision=2013416&view=markup&pathrev=2013501#l296

CC:
(none) =>
xerxes2
Marja Van Waes
2023-12-06 12:37:18 CET
CVE:
(none) =>
CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212

MGA9-64 MATE on HPPavillion
No installation issues
Doing this update, usual newspaper site with text, images, livestream all OK.

CC:
(none) =>
herman.viaene

OK mga9-64 Plasma nvidia470 Swedish Translation OK, settings and tabs restored.
Videos, banking, Tax office, shops, news

Weird issue in comment 10 can not be packaging related.

I've used this on three mga9-64 Plasma installs and one mga9-32 Xfce install over the last two days without issues.

I use DuckDuckGo as my home page, and for a while today I wondered about the update because when the search site came up it immediately scrolled to the bottom of the page, unlike before. But I checked with the older Firefox, and it was doing the same, and then about two hours ago it displayed the way it's supposed to again. I've decided it was a glitch with the page, and not with Firefox.

So it looks OK on all those systems.

CC:
(none) =>
andrewsfarm

(In reply to Morgan Leijström from comment #10)
> This version as well as our last update do not list the article in this
> catalogue at page
> https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/
>
> Just me? (maybe I have some plugin or too many tabs or some setting...)
> Even stranger, other listings on that site works.
>
> Our chromium display the content (232 products), as well as Firefox flatpak
> 119.0.1.

That page displayed the content on my system with our Firefox, but after I told it I would accept all cookies. (At least I think that's what it was - it wasn't in English.) Could it be you are somehow set to reject their cookies in our Firefox?

Given that this is a critical security update, I think it's time to send it on.

Validating.

Whiteboard:
(none) =>
MGA9-32-OK MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0342.html

Resolution:
(none) =>
FIXED