| Summary: | Firefox 115.8 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, fri, guillaume.royer, joselp, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.mozilla.org/en-US/firefox/115.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/ https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_98.html | | |
| Whiteboard: | MGA9-32-OK MGA9-64-OK | | |
| Source RPM: | rootcerts, nss, firefox, firefox-l10n | CVE: | CVE-2023-5388, CVE-2024-1546, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1551, CVE-2024-1552, CVE-2024-1553 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 32877 | | |

Description
Nicolas Salguero
2024-02-21 08:39:01 CET
Nicolas Salguero
2024-02-21 08:42:00 CET
Status:
NEW =>
ASSIGNED
Nicolas Salguero
2024-02-21 08:47:20 CET
Blocks:
(none) =>
32877

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Timing attack against RSA decryption in TLS. (CVE-2023-5388)
Out-of-bounds memory read in networking channels. (CVE-2024-1546)
Alert dialog could have been spoofed on another site. (CVE-2024-1547)
Fullscreen Notification could have been hidden by select element. (CVE-2024-1548)
Custom cursor could obscure the permission dialog. (CVE-2024-1549)
Mouse cursor re-positioned unexpectedly could have led to unintended permission grants. (CVE-2024-1550)
Multipart HTTP Responses would accept the Set-Cookie header in response parts. (CVE-2024-1551)
Incorrect code generation on 32-bit ARM devices. (CVE-2024-1552)
Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. (CVE-2024-1553)

References:
========================
https://www.mozilla.org/en-US/firefox/115.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_98.html

Updated packages in core/updates_testing:
========================
rootcerts-20240215.00-1.mga9
rootcerts-java-20240215.00-1.mga9

lib64nss3-3.98.0-1.mga9
lib64nss-devel-3.98.0-1.mga9
lib64nss-static-devel-3.98.0-1.mga9
nss-3.98.0-1.mga9
nss-doc-3.98.0-1.mga9

firefox-115.8.0-1.mga9

firefox-af-115.8.0-1.mga9
firefox-an-115.8.0-1.mga9
firefox-ar-115.8.0-1.mga9
firefox-ast-115.8.0-1.mga9
firefox-az-115.8.0-1.mga9
firefox-be-115.8.0-1.mga9
firefox-bg-115.8.0-1.mga9
firefox-bn-115.8.0-1.mga9
firefox-br-115.8.0-1.mga9
firefox-bs-115.8.0-1.mga9
firefox-ca-115.8.0-1.mga9
firefox-cs-115.8.0-1.mga9
firefox-cy-115.8.0-1.mga9
firefox-da-115.8.0-1.mga9
firefox-de-115.8.0-1.mga9
firefox-el-115.8.0-1.mga9
firefox-en_CA-115.8.0-1.mga9
firefox-en_GB-115.8.0-1.mga9
firefox-en_US-115.8.0-1.mga9
firefox-eo-115.8.0-1.mga9
firefox-es_AR-115.8.0-1.mga9
firefox-es_CL-115.8.0-1.mga9
firefox-es_ES-115.8.0-1.mga9
firefox-es_MX-115.8.0-1.mga9
firefox-et-115.8.0-1.mga9
firefox-eu-115.8.0-1.mga9
firefox-fa-115.8.0-1.mga9
firefox-ff-115.8.0-1.mga9
firefox-fi-115.8.0-1.mga9
firefox-fr-115.8.0-1.mga9
firefox-fur-115.8.0-1.mga9
firefox-fy_NL-115.8.0-1.mga9
firefox-ga_IE-115.8.0-1.mga9
firefox-gd-115.8.0-1.mga9
firefox-gl-115.8.0-1.mga9
firefox-gu_IN-115.8.0-1.mga9
firefox-he-115.8.0-1.mga9
firefox-hi_IN-115.8.0-1.mga9
firefox-hr-115.8.0-1.mga9
firefox-hsb-115.8.0-1.mga9
firefox-hu-115.8.0-1.mga9
firefox-hy_AM-115.8.0-1.mga9
firefox-ia-115.8.0-1.mga9
firefox-id-115.8.0-1.mga9
firefox-is-115.8.0-1.mga9
firefox-it-115.8.0-1.mga9
firefox-ja-115.8.0-1.mga9
firefox-ka-115.8.0-1.mga9
firefox-kab-115.8.0-1.mga9
firefox-kk-115.8.0-1.mga9
firefox-km-115.8.0-1.mga9
firefox-kn-115.8.0-1.mga9
firefox-ko-115.8.0-1.mga9
firefox-lij-115.8.0-1.mga9
firefox-lt-115.8.0-1.mga9
firefox-lv-115.8.0-1.mga9
firefox-mk-115.8.0-1.mga9
firefox-mr-115.8.0-1.mga9
firefox-ms-115.8.0-1.mga9
firefox-my-115.8.0-1.mga9
firefox-nb_NO-115.8.0-1.mga9
firefox-nl-115.8.0-1.mga9
firefox-nn_NO-115.8.0-1.mga9
firefox-oc-115.8.0-1.mga9
firefox-pa_IN-115.8.0-1.mga9
firefox-pl-115.8.0-1.mga9
firefox-pt_BR-115.8.0-1.mga9
firefox-pt_PT-115.8.0-1.mga9
firefox-ro-115.8.0-1.mga9
firefox-ru-115.8.0-1.mga9
firefox-sc-115.8.0-1.mga9
firefox-si-115.8.0-1.mga9
firefox-sk-115.8.0-1.mga9
firefox-sl-115.8.0-1.mga9
firefox-sq-115.8.0-1.mga9
firefox-sr-115.8.0-1.mga9
firefox-sv_SE-115.8.0-1.mga9
firefox-szl-115.8.0-1.mga9
firefox-ta-115.8.0-1.mga9
firefox-te-115.8.0-1.mga9
firefox-tg-115.8.0-1.mga9
firefox-th-115.8.0-1.mga9
firefox-tl-115.8.0-1.mga9
firefox-tr-115.8.0-1.mga9
firefox-uk-115.8.0-1.mga9
firefox-ur-115.8.0-1.mga9
firefox-uz-115.8.0-1.mga9
firefox-vi-115.8.0-1.mga9
firefox-xh-115.8.0-1.mga9
firefox-zh_CN-115.8.0-1.mga9
firefox-zh_TW-115.8.0-1.mga9

from SRPMS:
rootcerts-20240215.00-1.mga9.src.rpm
nss-3.98.0-1.mga9.src.rpm
firefox-115.8.0-1.mga9.src.rpm
firefox-l10n-115.8.0-1.mga9.src.rpm

Assignee:
nicolas.salguero =>
qa-bugs
Marja Van Waes
2024-02-21 16:36:23 CET
CC:
(none) =>
marja11
Marja Van Waes
2024-02-21 16:45:35 CET
Keywords:
(none) =>
advisory

MGA9-64 Plasma on an HP Pavilion 15. No installation issues with the US English version.

Launched from the panel icon, with no problems, going to my DuckDuckGo home page. I tried this and that, downloaded a pdf of my local newspaper, shopped a bit on Amazon (restraining myself from spending), watched a YouTube video about a new farmer learning to bale hay (he still has much to learn), and a couple of others.

I no longer use Firefox to access my bank accounts, as the bank doesn't trust it as much as Chrome (or in my case, chromium), however misguided that may be.

Overall, looks good here.

CC:
(none) =>
andrewsfarm

mga9-64 OK

Tested under Plasma, Intel I7-870, nvidia-newfeature (testing) on GTX750, 4K screen, kernel desktop 6.6.17-3.

Closed, updated, started
Localisation Swedish OK
Settings and opened tabs preserved
Some banking sites, shops, different login methods
Some video sites including YouTube

CC:
(none) =>
fri

Hi,

Updated from testing repos for Mageia X86_64 Plasma no VM.

Actually, I am using this version without issues. Banks ok. Language Spanish ok. Settings and addons ok. Firefox account ok. YouTube ok. Sound and video ok. Addons ok.

CC:
(none) =>
joselp

Mageia X86_64 GNOME Mac Mini Core I5 16Go RAM

Updated with QA repo and RPMs:

lib64nss3 3.98.0 1.mga9 x86_64
nss 3.98.0 1.mga9 x86_64
rootcerts 20240215.00 1.mga9 noarch
rootcerts-java 20240215.00 1.mga9 noarch
firefox 115.8.0 1.mga9 x86_64
firefox-fr 115.8.0 1.mga9 noarch

Tested with:

Bank site Ok
Spotify Ok
Netflix Ok
Addon Ok
Element Matrix client Ok

CC:
(none) =>
guillaume.royer

MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, Atheros wifi.

No installation issues. Tried a few sites, with no real issues to report. The response is slow compared to the 64-bit version, but that's from the limitations of the hardware.

With several tests and no issues, I'm sending this on its way. Validating.

CC:
(none) =>
sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0049.html

Resolution:
(none) =>
FIXED