| Summary: | Firefox 115.6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | High | CC: | andrewsfarm, brtians1, davidwhodgins, fri, joselp, marja11, nicolas.salguero, sysadmin-bugs, yvesbrungard |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | nss firefox firefox-l10n | CVE: | CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 32643, 32713 | ||
|
Description
Nicolas Salguero
2023-12-21 10:10:47 CET
NSS 3.96.1 was released on December 18: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html
Nicolas Salguero
2023-12-21 10:11:59 CET
Source RPM:
(none) =>
nss, firefox, firefox-l10n
Nicolas Salguero
2023-12-21 10:15:04 CET
Blocks:
(none) =>
32643

Strange: Firefox built OK 20 hours ago according to http://pkgsubmit.mageia.org/ but I do not find firefox rpm, but I do find the language and nss packages (and thunderbird).
Mirror umu.se up to date, and same status on distrib-coffee.

CC:
(none) =>
fri

And same status on kernel.org mirror :-(

Maybe it is a side effect of the lack of available space that affected the BS.

Space problem is the cause, according to Jani on dev ml.

Good detective work, Morgan.
Assigning to Nicolas anyway, since you 'do' Firefox - already put version 115.6.0 into Cauldron.

Assignee:
bugsquad =>
nicolas.salguero

In between, Chromium got built and is on mirrors, so maybe trying Firefox build again will work.
This is a critical security update, so hurry

Firefox succeeded building, but due to full disk it did not make it to mirrors

nss incl lib and firefox internationalisation are OK on mirrors.

Maybe missing firefox rpm is fixable by sysadmin (it did list as successfully built so it is somewhere?), or it need a new build.
Please proceed using best method.

CC:
(none) =>
nicolas.salguero, sysadmin-bugs

Firefox rpm is now since a couple days in updates_testing

OK mga9-64 Plasma nvidia470 Swedish
Translation OK
Settings and tabs restored.
Tested Video sites, banking, Tax office, shops, news...

---

@nicholas, please provide package list and advisory proposal

Assignee:
pkg-bugs =>
qa-bugs
Thomas Andrews
2024-01-07 21:34:06 CET
CC:
(none) =>
andrewsfarm

Setting feedback for packager to update cauldron.
(Maybe it did it get lost due to the disk space problem?)

Whiteboard:
(none) =>
MGA9TOO

MGA9-64, Xfce, AMD APU

The following 5 packages are going to be installed:

- firefox-115.6.0-1.mga9.x86_64
- firefox-en_CA-115.6.0-1.mga9.noarch
- firefox-en_GB-115.6.0-1.mga9.noarch
- firefox-en_US-115.6.0-1.mga9.noarch
- lib64nss3-3.96.1-1.mga9.x86_64

2.4MB of disk space will be freed.

- usual websites work
- youtube works
- audio and video are flowing smoothly

works for me

CC:
(none) =>
brtians1

Hi,

Sadly, neither Firefox ESR nor Thunderbird can be built with python 3.12 and Cauldron switched to that version of python.

Best regards,

We should not hinder a security update in our supported release because of whatever problem in our development cauldron.

Please open a separate issue for Cauldron.

Whiteboard:
MGA9TOO =>
(none)

(In reply to Nicolas Salguero from comment #0)
>
> Security issues fixed:
> https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/

Adding the FF CVEs to the CVE: field

CVE:
(none) =>
CVE-2023-6856, CVE-2023-6857, CVE-2023-6858, CVE-2023-6859, CVE-2023-6860, CVE-2023-6861, CVE-2023-6862, CVE-2023-6863, CVE-2023-6864, CVE-2023-6865, CVE-2023-6867

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856)
Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)
Heap buffer overflow in nsTextFragment. (CVE-2023-6858)
Use-after-free in PR_GetIdentitiesLayer. (CVE-2023-6859)
Potential sandbox escape due to VideoBridge lack of texture validation. (CVE-2023-6860)
Clickjacking permission prompts using the popup transition. (CVE-2023-6867)
Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode. (CVE-2023-6861)
Use-after-free in nsDNSService. (CVE-2023-6862)
Undefined behavior in ShutdownObserver(). (CVE-2023-6863)
Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. (CVE-2023-6864)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-20
https://www.mozilla.org/en-US/firefox/115.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html
========================

Updated packages in core/updates_testing:
========================
lib(64)nss3-3.96.1-1.mga9
lib(64)nss-devel-3.96.1-1.mga9
lib(64)nss-static-devel-3.96.1-1.mga9
nss-3.96.1-1.mga9
nss-doc-3.96.1-1.mga9
firefox-115.6.0-1.mga9
firefox-af-115.6.0-1.mga9
firefox-an-115.6.0-1.mga9
firefox-ar-115.6.0-1.mga9
firefox-ast-115.6.0-1.mga9
firefox-az-115.6.0-1.mga9
firefox-be-115.6.0-1.mga9
firefox-bg-115.6.0-1.mga9
firefox-bn-115.6.0-1.mga9
firefox-br-115.6.0-1.mga9
firefox-bs-115.6.0-1.mga9
firefox-ca-115.6.0-1.mga9
firefox-cs-115.6.0-1.mga9
firefox-cy-115.6.0-1.mga9
firefox-da-115.6.0-1.mga9
firefox-de-115.6.0-1.mga9
firefox-el-115.6.0-1.mga9
firefox-en_CA-115.6.0-1.mga9
firefox-en_GB-115.6.0-1.mga9
firefox-en_US-115.6.0-1.mga9
firefox-eo-115.6.0-1.mga9
firefox-es_AR-115.6.0-1.mga9
firefox-es_CL-115.6.0-1.mga9
firefox-es_ES-115.6.0-1.mga9
firefox-es_MX-115.6.0-1.mga9
firefox-et-115.6.0-1.mga9
firefox-eu-115.6.0-1.mga9
firefox-fa-115.6.0-1.mga9
firefox-ff-115.6.0-1.mga9
firefox-fi-115.6.0-1.mga9
firefox-fr-115.6.0-1.mga9
firefox-fur-115.6.0-1.mga9
firefox-fy_NL-115.6.0-1.mga9
firefox-ga_IE-115.6.0-1.mga9
firefox-gd-115.6.0-1.mga9
firefox-gl-115.6.0-1.mga9
firefox-gu_IN-115.6.0-1.mga9
firefox-he-115.6.0-1.mga9
firefox-hi_IN-115.6.0-1.mga9
firefox-hr-115.6.0-1.mga9
firefox-hsb-115.6.0-1.mga9
firefox-hu-115.6.0-1.mga9
firefox-hy_AM-115.6.0-1.mga9
firefox-ia-115.6.0-1.mga9
firefox-id-115.6.0-1.mga9
firefox-is-115.6.0-1.mga9
firefox-it-115.6.0-1.mga9
firefox-ja-115.6.0-1.mga9
firefox-ka-115.6.0-1.mga9
firefox-kab-115.6.0-1.mga9
firefox-kk-115.6.0-1.mga9
firefox-km-115.6.0-1.mga9
firefox-kn-115.6.0-1.mga9
firefox-ko-115.6.0-1.mga9
firefox-lij-115.6.0-1.mga9
firefox-lt-115.6.0-1.mga9
firefox-lv-115.6.0-1.mga9
firefox-mk-115.6.0-1.mga9
firefox-mr-115.6.0-1.mga9
firefox-ms-115.6.0-1.mga9
firefox-my-115.6.0-1.mga9
firefox-nb_NO-115.6.0-1.mga9
firefox-nl-115.6.0-1.mga9
firefox-nn_NO-115.6.0-1.mga9
firefox-oc-115.6.0-1.mga9
firefox-pa_IN-115.6.0-1.mga9
firefox-pl-115.6.0-1.mga9
firefox-pt_BR-115.6.0-1.mga9
firefox-pt_PT-115.6.0-1.mga9
firefox-ro-115.6.0-1.mga9
firefox-ru-115.6.0-1.mga9
firefox-sc-115.6.0-1.mga9
firefox-si-115.6.0-1.mga9
firefox-sk-115.6.0-1.mga9
firefox-sl-115.6.0-1.mga9
firefox-sq-115.6.0-1.mga9
firefox-sr-115.6.0-1.mga9
firefox-sv_SE-115.6.0-1.mga9
firefox-szl-115.6.0-1.mga9
firefox-ta-115.6.0-1.mga9
firefox-te-115.6.0-1.mga9
firefox-tg-115.6.0-1.mga9
firefox-th-115.6.0-1.mga9
firefox-tl-115.6.0-1.mga9
firefox-tr-115.6.0-1.mga9
firefox-uk-115.6.0-1.mga9
firefox-ur-115.6.0-1.mga9
firefox-uz-115.6.0-1.mga9
firefox-vi-115.6.0-1.mga9
firefox-xh-115.6.0-1.mga9
firefox-zh_CN-115.6.0-1.mga9
firefox-zh_TW-115.6.0-1.mga9

from SRPMS:
nss-3.96.1-1.mga9.src.rpm
firefox-115.6.0-1.mga9.src.rpm
firefox-l10n-115.6.0-1.mga9.src.rpm

Status:
NEW =>
ASSIGNED

Ooops!

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6864
https://www.mozilla.org/en-US/firefox/115.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html
papoteur
2024-01-08 15:30:25 CET
CC:
(none) =>
yvesbrungard

Thanks for the advisory, Nicolas.

It is not really needed to add the cve.mitre.org links, they are automatically added to our advisories by the scripts from our sysadmins to push updates.

Besides, www.cve.org will soon be the place for the CVE records instead of cve.mitre.org.

The advisory from comment 15 has been added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords:
(none) =>
advisory

MGA9-64, Plasma, Ryzen 3015i APU

The following 6 packages are going to be installed:

- firefox-115.6.0-1.mga9.x86_64
- firefox-en_CA-115.6.0-1.mga9.noarch
- firefox-en_GB-115.6.0-1.mga9.noarch
- firefox-en_US-115.6.0-1.mga9.noarch
- lib64nss3-3.96.1-1.mga9.x86_64
- nss-3.96.1-1.mga9.x86_64

---

using it for awhile - working as expected

Installed in Mageia 9 x86_64 Plasma. Works fine for the moment.
Audio, video, banks, certificates, ok. Spanish language and settings ok.

Greetings!!

CC:
(none) =>
joselp

MGA9-64 Plasma. Installed Firefox and Thunderbird at the same time, with no issues. Tried Firefox with several sites afterward, with no apparent issues. Looks OK here.

Can someone try this and see if firefox loops?

https://mirrors.mageia.org/status

Then click refresh button. On this laptop it loops, but it could be something weird on this box. I think I saw this on occasion on prior Firefox versions.

No problems here. I tried it as the only tab open, and as a second tab with this bug in the first.

Oh, wait. You said laptop. This is a desktop, with wired Internet. I've seen that sort of thing before on my laptops with wifi, but only when the connection isn't the greatest, like outside or on another floor.

rebooted again and applied the new 111 drivers. Working okay now, seems random on this specific hardware.

Setting version to cauldron and MGA9TOO, because firefox-115.6.0-1.mga10 still fails to build

Version:
9 =>
Cauldron

(In reply to Morgan Leijström from comment #13)
> We should not hinder a security update in our supported release because of
> whatever problem in our development cauldron.
>
> Please open a separate issue for Cauldron.

Sorry, I had missed that, I'll clone these bug reports.

(In reply to Marja Van Waes from comment #26)
> (In reply to Morgan Leijström from comment #13)
> > We should not hinder a security update in our supported release because of
> > whatever problem in our development cauldron.
> >
> > Please open a separate issue for Cauldron.
>
> Sorry, I had missed that, I'll clone these bug reports.

bug 32706 for Firefox.

Whiteboard:
MGA9TOO =>
(none)

I've been using this for a couple of days now, without any issues, so it's probably OK for mga9.

I realize this is a critical security update, but... If we push this and Thunderbird now, before Cauldron has been updated, we break the upgrade path until the Cauldron version is fixed.

I've been using Mageia almost from the beginning, but I haven't been with QA that long. In the time I've been here I don't recall this ever being done on purpose before.

(In reply to Thomas Andrews from comment #28)
> I've been using this for a couple of days now, without any issues, so it's
> probably OK for mga9.
>
> I realize this is a critical security update, but... If we push this and
> Thunderbird now, before Cauldron has been updated, we break the upgrade path
> until the Cauldron version is fixed.
>
> I've been using Mageia almost from the beginning, but I haven't been with QA
> that long. In the time I've been here I don't recall this ever being done on
> purpose before.

What is the less bad: have an insecure version in current stable, or wait an unknown amount of time to cauldron and mozilla fix the firefox/thunderbird issues with python 3.12?

Cauldron is not for users. We state it over and over many places.
If someone can not move from stable to Cauldron for quirks like this simple, they should definitely not run Cauldron.

This is a security update needed for the release we DO support.

Whiteboard:
(none) =>
MGA9-64-OK

I agree. I only brought it up to have a record that we considered it, weighed the pros and cons, and made a decision accordingly.

(I would have answered sooner, but we had a power outage this afternoon right as I was posting comment 28 that prevented it.)

Maybe it should be lifted to council, to write some strategy down.

I.e when we have two supported releases, i.e Mageia 8 and 9, updates should be shipped to the higher release first or at the same time.

Then what if suddenly updating the higher release do not work - say we had the problem that now is in Cauldron in mga9, and was still supporting mga8. Should we hinder update of security impacted software on the lower supported release when there is a problem generating the update on an higher supported release?

For normal no-hurry updates I understand it is valuable to first see if updates builds for "next" release, but security updates must be pushed ASAP to supported releases. And non critical functionality updates should not wait for many weeks either, or users drift away.

I agree to relax the rule for this package. Compatible python 3.12 is not yet ready for Firefox. However this is not a package that will be forgotten.

Ship ASAP to updates!
TB is already out in updates repo and need this nss.
Bug 32713 - impossibility to update thunderbird to 115.6.0-1.mga9.x86_64 version due to broken dependancies

Priority:
Normal =>
High

2024-01-08 08:32:19 CST - Advisory for firefox/nss added (32642.adv)
2024-01-10 14:36:33 CST - this bug validated
2024-01-12 06:37:46 CST - thunderbird pushed, which went through ok as this bug was marked ready to be pushed too. bug 32643 comment 15

Most likely there is something the script doesn't like about the advisory in svn.

$ cat 32642.adv
type: security
subject: Updated nss, firefox and firefox-l10n packages fix security vulnerabilities
CVE:
 - CVE-2023-6856
 - CVE-2023-6857
 - CVE-2023-6858
 - CVE-2023-6859
 - CVE-2023-6860
 - CVE-2023-6861
 - CVE-2023-6862
 - CVE-2023-6863
 - CVE-2023-6864
 - CVE-2023-6865
 - CVE-2023-6867
src:
  9:
    core:
     - nss-3.96.1-1.mga9
     - firefox-115.6.0-1.mga9
     - firefox-l10n-115.6.0-1.mga9
description: |
  The updated packages fix security vulnerabilities:
  Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856)
  Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
  Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)
  Heap buffer overflow in nsTextFragment. (CVE-2023-6858)
  Use-after-free in PR_GetIdentitiesLayer. (CVE-2023-6859)
  Potential sandbox escape due to VideoBridge lack of texture validation. (CVE-2023-6860)
  Clickjacking permission prompts using the popup transition. (CVE-2023-6867)
  Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode. (CVE-2023-6861)
  Use-after-free in nsDNSService. (CVE-2023-6862)
  Undefined behavior in ShutdownObserver(). (CVE-2023-6863)
  Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. (CVE-2023-6864)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=32642
 - https://www.mozilla.org/en-US/firefox/115.6.0/releasenotes/
 - https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
 - https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_96_1.html

$ urpmq -i nss|grep ^Source|sort -uV|tail -n 1
Source RPM : nss-3.96.1-1.mga9.src.rpm
$ urpmq -i firefox|grep ^Source|sort -uV|tail -n 1
Source RPM : firefox-115.6.0-1.mga9.src.rpm
$ urpmq -i firefox-en_GB|grep ^Source|sort -uV|tail -n 1
Source RPM : firefox-l10n-115.6.0-1.mga9.src.rpm

I don't see the mistake. Anyone else see what's wrong?

CC:
(none) =>
davidwhodgins

(In reply to Dave Hodgins from comment #35)
I'm not sure, but the previous 2 firefox advisories have an ID at the end
https://svnweb.mageia.org/advisories/32551.adv?view=markup
https://svnweb.mageia.org/advisories/32477.adv?view=markup
And also the thunderbird
https://svnweb.mageia.org/advisories/32643.adv?view=markup

(In reply to katnatek from comment #36)
> (In reply to Dave Hodgins from comment #35)
> I'm not sure, but the previous 2 firefox advisories have an ID at the end

That gets added by the script that pushes the updates, when it's successful.

Adding the sysadmin team to the cc list. Please help debug why the script used to push updates is failing to push this firefox/nss/firefox-l18n update. The advisory looks correct to me as per comment 35.

Also, why did the Thunderbird update Bug 32643 slip out before this despite it depend on this bug?
Manual mistake? - mistakes do happen, you are forgiven :)
or script fault - easier to fix for the future - if so raise a bug.

The only difference I see (other than the ID line at the end) between the old Firefox advisories and this one, and it seems MUCH too trivial to be a problem, is that in the descriptions of the older two there is a blank line between each CVE.

I can't imagine that would be it...

Grasping at straws - could there be an unprintable character somewhere that it doesn't like? I looked for a comma where a period should be - a typo I sometimes fall into - and didn't see any.

I load thunderbird advisory for bug#32643 and for this even in writer and make visible all characters and not found anything evident :(

(In reply to Thomas Andrews from comment #39)
> The only difference I see (other than the ID line at the end) between the
> old Firefox advisories and this one, and it seems MUCH too trivial to be a
> problem, is that in the descriptions of the older two there is a blank line
> between each CVE.
>
> I can't imagine that would be it...
>
> Grasping at straws - could there be an unprintable character somewhere that
> it doesn't like? I looked for a comma where a period should be - a typo I
> sometimes fall into - and didn't see any.

Could be?
This advisory have
subject: Updated nss, firefox and firefox-l10n packages fix security
And for 32477
subject: Updated nss and firefox packages fix security vulnerabilities

The script that pushes updates looks at the bug whiteboard and keyword entries, assignment to qa, presence of the advisory file in svn, and bug dependencies.

Both the firefox/nss and this thunderbird bugs were selected by the script meaning the dependency requirement and all other requirements were met.

When it actually went to push the update, the thunderbird update was successfully pushed, but the firefox update failed to get pushed.

As far as I know, the only things that can cause a failure at that point are problems with the srpm list in the svn advisory (not found in updates testing or not being greater than what's already present in the release or updates repos), or a syntax error in the advisory file in svn.

The syntax errors are the hardest to debug as there is no information returned to qa from the script that pushes the update to indicate why the push failed.

The srpm entries in the svn advisory file match what's in update testing and they have a greater version than any prior version.

If there is a syntax error, I don't see it. There are no trailing blanks on any line, no blank lines where there shouldn't be one such as between the cve lines and the header lines all look correct to me.

I just committed a change to the svn advisory removing the trailing colon from the line "The updated packages fix security vulnerabilities:" in the description, just in case the script is mistaking that line for a header.

(The presence of a comma in the subject line is not the cause).

Please run the script to push updates and let's see if that's why it didn't like the advisory.

(In reply to Dave Hodgins from comment #42)
>
> I just committed a change to the svn advisory removing the trailing colon
> from the line "The updated packages fix security vulnerabilities:" in
> the description, just in case the script is mistaking that line for a header.
>

I doubt that's the cause, because there are 649 advisories with "vulnerabilies:" in the description.

Could it be that the subject line is too long (84 characters)?

(In reply to Dave Hodgins from comment #42)
> I just committed a change to the svn advisory removing the trailing colon
> from the line "The updated packages fix security vulnerabilities:" in
> the description, just in case the script is mistaking that line for a header.
>
> (The presence of a comma in the subject line is not the cause).
>
> Please run the script to push updates and let's see if that's why it didn't
> like the advisory.

I not think so, the advisory for thunderbird also have that https://svnweb.mageia.org/advisories/32643.adv?view=markup :
I check versions and look right

I've shortened the subject.

Note that a few days ago, https://bugs.mageia.org/show_bug.cgi?id=32656 wasn't pushed along with the other updates, but over 8 hours later. However neither the bug report nor the advisory needed to be changed.
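
Added example, not part of the bug thread and not the Mageia push script: a small linter that automates the hand checks the commenters describe for the advisory file (unprintable characters, trailing blanks, subject line length, SRPM entry form, CVE list against the description). The required keys, the file indentation, the `lint_advisory` name and the 80-character threshold are assumptions; the thread never establishes what the script actually rejects.

```python
import re

# Top-level keys seen in the 32642.adv quoted in the thread (assumed required).
REQUIRED_KEYS = ("type", "subject", "CVE", "src", "description", "references")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# name-version-release.mgaN as in "nss-3.96.1-1.mga9", without ".src.rpm".
SRPM_RE = re.compile(r"^[A-Za-z0-9_.+-]+-[^-\s]+-[^-\s]+\.mga\d+$")

# Constructed sample: a shortened 32642.adv; the indentation is assumed.
SAMPLE_ADV = """\
type: security
subject: Updated nss, firefox and firefox-l10n packages fix security vulnerabilities
CVE:
 - CVE-2023-6857
 - CVE-2023-6858
src:
  9:
    core:
     - nss-3.96.1-1.mga9
     - firefox-115.6.0-1.mga9
     - firefox-l10n-115.6.0-1.mga9
description: |
  The updated packages fix security vulnerabilities:

  Symlinks may resolve to smaller than expected buffers. (CVE-2023-6857)
  Heap buffer overflow in nsTextFragment. (CVE-2023-6858)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=32642
"""


def lint_advisory(text, max_subject_line=80):
    """Return a list of findings; max_subject_line is a hypothetical limit."""
    findings, seen, section = [], set(), None
    listed, described = [], set()
    for no, line in enumerate(text.split("\n"), 1):
        if line != line.rstrip():
            findings.append(f"line {no}: trailing whitespace")
        for ch in line:
            if not ch.isprintable():  # tab, CR, NBSP, zero-width, control chars
                findings.append(f"line {no}: unexpected character U+{ord(ch):04X}")
        header = re.match(r"([A-Za-z]+):", line)
        if header:  # an unindented "key:" starts a new top-level section
            section = header.group(1)
            seen.add(section)
            if section == "subject" and len(line) > max_subject_line:
                findings.append(f"line {no}: subject line is {len(line)} characters")
            continue
        item = line.strip()
        if section == "CVE" and item.startswith("- "):
            if CVE_RE.fullmatch(item[2:]):
                listed.append(item[2:])
            else:
                findings.append(f"line {no}: malformed CVE id {item[2:]!r}")
        elif section == "src" and item.startswith("- "):
            if not SRPM_RE.match(item[2:]):
                findings.append(f"line {no}: unexpected SRPM name {item[2:]!r}")
        elif section == "description":
            described.update(CVE_RE.findall(line))
    findings += [f"missing key {k!r}" for k in REQUIRED_KEYS if k not in seen]
    findings += [f"{c} described but not listed" for c in sorted(described - set(listed))]
    findings += [f"{c} listed but not described" for c in sorted(set(listed) - described)]
    return findings
```

Run over the sample with the default threshold, the only finding is the 84-character subject line that comment 43 asks about; the findings are hints for a human reviewer, since the push script reports nothing back to QA.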
katnatek
2024-01-13 23:00:32 CET
Blocks:
(none) =>
32713

Probably not relevant to the subject at hand, but firefox-l10n needn't be listed in the advisory subject line as it doesn't fix any vulnerabilities.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0012.html

Resolution:
(none) =>
FIXED |