RedHat has issued advisories today (September 17):
https://rhn.redhat.com/errata/RHSA-2013-1268.html
https://rhn.redhat.com/errata/RHSA-2013-1269.html

Updated packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox or Thunderbird (CVE-2013-1718, CVE-2013-1722, CVE-2013-1725, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736).

A flaw was found in the way Firefox and Thunderbird handled certain DOM JavaScript objects. An attacker could use this flaw to make JavaScript client or add-on code make incorrect, security sensitive decisions (CVE-2013-1737).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1737
http://www.mozilla.org/security/announce/2013/mfsa2013-76.html
http://www.mozilla.org/security/announce/2013/mfsa2013-79.html
http://www.mozilla.org/security/announce/2013/mfsa2013-82.html
http://www.mozilla.org/security/announce/2013/mfsa2013-83.html
http://www.mozilla.org/security/announce/2013/mfsa2013-88.html
http://www.mozilla.org/security/announce/2013/mfsa2013-89.html
http://www.mozilla.org/security/announce/2013/mfsa2013-90.html
http://www.mozilla.org/security/announce/2013/mfsa2013-91.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-1268.html
https://rhn.redhat.com/errata/RHSA-2013-1269.html
========================

Updated packages in core/updates_testing:
========================
firefox-17.0.9-1.mga2 firefox-devel-17.0.9-1.mga2 firefox-af-17.0.9-1.mga2 firefox-ar-17.0.9-1.mga2 firefox-ast-17.0.9-1.mga2 firefox-be-17.0.9-1.mga2 firefox-bg-17.0.9-1.mga2 firefox-bn_BD-17.0.9-1.mga2 firefox-bn_IN-17.0.9-1.mga2 firefox-br-17.0.9-1.mga2 firefox-bs-17.0.9-1.mga2 firefox-ca-17.0.9-1.mga2 firefox-cs-17.0.9-1.mga2 firefox-cy-17.0.9-1.mga2 firefox-da-17.0.9-1.mga2 firefox-de-17.0.9-1.mga2 firefox-el-17.0.9-1.mga2 firefox-en_GB-17.0.9-1.mga2 firefox-en_ZA-17.0.9-1.mga2 firefox-eo-17.0.9-1.mga2 firefox-es_AR-17.0.9-1.mga2 firefox-es_CL-17.0.9-1.mga2 firefox-es_ES-17.0.9-1.mga2 firefox-es_MX-17.0.9-1.mga2 firefox-et-17.0.9-1.mga2 firefox-eu-17.0.9-1.mga2 firefox-fa-17.0.9-1.mga2 firefox-fi-17.0.9-1.mga2 firefox-fr-17.0.9-1.mga2 firefox-fy-17.0.9-1.mga2 firefox-ga_IE-17.0.9-1.mga2 firefox-gd-17.0.9-1.mga2 firefox-gl-17.0.9-1.mga2 firefox-gu_IN-17.0.9-1.mga2 firefox-he-17.0.9-1.mga2 firefox-hi-17.0.9-1.mga2 firefox-hr-17.0.9-1.mga2 firefox-hu-17.0.9-1.mga2 firefox-hy-17.0.9-1.mga2 firefox-id-17.0.9-1.mga2 firefox-is-17.0.9-1.mga2 firefox-it-17.0.9-1.mga2 firefox-ja-17.0.9-1.mga2 firefox-kk-17.0.9-1.mga2 firefox-kn-17.0.9-1.mga2 firefox-ko-17.0.9-1.mga2 firefox-ku-17.0.9-1.mga2 firefox-lg-17.0.9-1.mga2 firefox-lt-17.0.9-1.mga2 firefox-lv-17.0.9-1.mga2 firefox-mai-17.0.9-1.mga2 firefox-mk-17.0.9-1.mga2 firefox-ml-17.0.9-1.mga2 firefox-mr-17.0.9-1.mga2 firefox-nb_NO-17.0.9-1.mga2 firefox-nl-17.0.9-1.mga2 firefox-nn_NO-17.0.9-1.mga2 firefox-nso-17.0.9-1.mga2 firefox-or-17.0.9-1.mga2 firefox-pa_IN-17.0.9-1.mga2 firefox-pl-17.0.9-1.mga2 firefox-pt_BR-17.0.9-1.mga2 firefox-pt_PT-17.0.9-1.mga2 firefox-ro-17.0.9-1.mga2 firefox-ru-17.0.9-1.mga2 firefox-si-17.0.9-1.mga2 firefox-sk-17.0.9-1.mga2 firefox-sl-17.0.9-1.mga2 firefox-sq-17.0.9-1.mga2 firefox-sr-17.0.9-1.mga2
firefox-sv_SE-17.0.9-1.mga2 firefox-ta-17.0.9-1.mga2 firefox-ta_LK-17.0.9-1.mga2 firefox-te-17.0.9-1.mga2 firefox-th-17.0.9-1.mga2 firefox-tr-17.0.9-1.mga2 firefox-uk-17.0.9-1.mga2 firefox-vi-17.0.9-1.mga2 firefox-zh_CN-17.0.9-1.mga2 firefox-zh_TW-17.0.9-1.mga2 firefox-zu-17.0.9-1.mga2 thunderbird-17.0.9-1.mga2 thunderbird-enigmail-17.0.9-1.mga2 nsinstall-17.0.9-1.mga2 thunderbird-ar-17.0.9-1.mga2 thunderbird-ast-17.0.9-1.mga2 thunderbird-be-17.0.9-1.mga2 thunderbird-bg-17.0.9-1.mga2 thunderbird-bn_BD-17.0.9-1.mga2 thunderbird-br-17.0.9-1.mga2 thunderbird-ca-17.0.9-1.mga2 thunderbird-cs-17.0.9-1.mga2 thunderbird-da-17.0.9-1.mga2 thunderbird-de-17.0.9-1.mga2 thunderbird-el-17.0.9-1.mga2 thunderbird-en_GB-17.0.9-1.mga2 thunderbird-es_AR-17.0.9-1.mga2 thunderbird-es_ES-17.0.9-1.mga2 thunderbird-et-17.0.9-1.mga2 thunderbird-eu-17.0.9-1.mga2 thunderbird-fi-17.0.9-1.mga2 thunderbird-fr-17.0.9-1.mga2 thunderbird-fy-17.0.9-1.mga2 thunderbird-ga-17.0.9-1.mga2 thunderbird-gd-17.0.9-1.mga2 thunderbird-gl-17.0.9-1.mga2 thunderbird-he-17.0.9-1.mga2 thunderbird-hu-17.0.9-1.mga2 thunderbird-id-17.0.9-1.mga2 thunderbird-is-17.0.9-1.mga2 thunderbird-it-17.0.9-1.mga2 thunderbird-ja-17.0.9-1.mga2 thunderbird-ko-17.0.9-1.mga2 thunderbird-lt-17.0.9-1.mga2 thunderbird-nb_NO-17.0.9-1.mga2 thunderbird-nl-17.0.9-1.mga2 thunderbird-nn_NO-17.0.9-1.mga2 thunderbird-pa_IN-17.0.9-1.mga2 thunderbird-pl-17.0.9-1.mga2 thunderbird-pt_BR-17.0.9-1.mga2 thunderbird-pt_PT-17.0.9-1.mga2 thunderbird-ro-17.0.9-1.mga2 thunderbird-ru-17.0.9-1.mga2 thunderbird-si-17.0.9-1.mga2 thunderbird-sk-17.0.9-1.mga2 thunderbird-sl-17.0.9-1.mga2 thunderbird-sq-17.0.9-1.mga2 thunderbird-sv_SE-17.0.9-1.mga2 thunderbird-ta_LK-17.0.9-1.mga2 thunderbird-tr-17.0.9-1.mga2 thunderbird-uk-17.0.9-1.mga2 thunderbird-vi-17.0.9-1.mga2 thunderbird-zh_CN-17.0.9-1.mga2 thunderbird-zh_TW-17.0.9-1.mga2 firefox-17.0.9-1.mga3 firefox-devel-17.0.9-1.mga3 firefox-af-17.0.9-1.mga3 firefox-ar-17.0.9-1.mga3 firefox-ast-17.0.9-1.mga3 
firefox-be-17.0.9-1.mga3 firefox-bg-17.0.9-1.mga3 firefox-bn_BD-17.0.9-1.mga3 firefox-bn_IN-17.0.9-1.mga3 firefox-br-17.0.9-1.mga3 firefox-bs-17.0.9-1.mga3 firefox-ca-17.0.9-1.mga3 firefox-cs-17.0.9-1.mga3 firefox-cy-17.0.9-1.mga3 firefox-da-17.0.9-1.mga3 firefox-de-17.0.9-1.mga3 firefox-el-17.0.9-1.mga3 firefox-en_GB-17.0.9-1.mga3 firefox-en_ZA-17.0.9-1.mga3 firefox-eo-17.0.9-1.mga3 firefox-es_AR-17.0.9-1.mga3 firefox-es_CL-17.0.9-1.mga3 firefox-es_ES-17.0.9-1.mga3 firefox-es_MX-17.0.9-1.mga3 firefox-et-17.0.9-1.mga3 firefox-eu-17.0.9-1.mga3 firefox-fa-17.0.9-1.mga3 firefox-fi-17.0.9-1.mga3 firefox-fr-17.0.9-1.mga3 firefox-fy-17.0.9-1.mga3 firefox-ga_IE-17.0.9-1.mga3 firefox-gd-17.0.9-1.mga3 firefox-gl-17.0.9-1.mga3 firefox-gu_IN-17.0.9-1.mga3 firefox-he-17.0.9-1.mga3 firefox-hi-17.0.9-1.mga3 firefox-hr-17.0.9-1.mga3 firefox-hu-17.0.9-1.mga3 firefox-hy-17.0.9-1.mga3 firefox-id-17.0.9-1.mga3 firefox-is-17.0.9-1.mga3 firefox-it-17.0.9-1.mga3 firefox-ja-17.0.9-1.mga3 firefox-kk-17.0.9-1.mga3 firefox-kn-17.0.9-1.mga3 firefox-ko-17.0.9-1.mga3 firefox-ku-17.0.9-1.mga3 firefox-lg-17.0.9-1.mga3 firefox-lt-17.0.9-1.mga3 firefox-lv-17.0.9-1.mga3 firefox-mai-17.0.9-1.mga3 firefox-mk-17.0.9-1.mga3 firefox-ml-17.0.9-1.mga3 firefox-mr-17.0.9-1.mga3 firefox-nb_NO-17.0.9-1.mga3 firefox-nl-17.0.9-1.mga3 firefox-nn_NO-17.0.9-1.mga3 firefox-nso-17.0.9-1.mga3 firefox-or-17.0.9-1.mga3 firefox-pa_IN-17.0.9-1.mga3 firefox-pl-17.0.9-1.mga3 firefox-pt_BR-17.0.9-1.mga3 firefox-pt_PT-17.0.9-1.mga3 firefox-ro-17.0.9-1.mga3 firefox-ru-17.0.9-1.mga3 firefox-si-17.0.9-1.mga3 firefox-sk-17.0.9-1.mga3 firefox-sl-17.0.9-1.mga3 firefox-sq-17.0.9-1.mga3 firefox-sr-17.0.9-1.mga3 firefox-sv_SE-17.0.9-1.mga3 firefox-ta-17.0.9-1.mga3 firefox-ta_LK-17.0.9-1.mga3 firefox-te-17.0.9-1.mga3 firefox-th-17.0.9-1.mga3 firefox-tr-17.0.9-1.mga3 firefox-uk-17.0.9-1.mga3 firefox-vi-17.0.9-1.mga3 firefox-zh_CN-17.0.9-1.mga3 firefox-zh_TW-17.0.9-1.mga3 firefox-zu-17.0.9-1.mga3 thunderbird-17.0.9-1.mga3 
thunderbird-enigmail-17.0.9-1.mga3 nsinstall-17.0.9-1.mga3 thunderbird-ar-17.0.9-1.mga3 thunderbird-ast-17.0.9-1.mga3 thunderbird-be-17.0.9-1.mga3 thunderbird-bg-17.0.9-1.mga3 thunderbird-bn_BD-17.0.9-1.mga3 thunderbird-br-17.0.9-1.mga3 thunderbird-ca-17.0.9-1.mga3 thunderbird-cs-17.0.9-1.mga3 thunderbird-da-17.0.9-1.mga3 thunderbird-de-17.0.9-1.mga3 thunderbird-el-17.0.9-1.mga3 thunderbird-en_GB-17.0.9-1.mga3 thunderbird-es_AR-17.0.9-1.mga3 thunderbird-es_ES-17.0.9-1.mga3 thunderbird-et-17.0.9-1.mga3 thunderbird-eu-17.0.9-1.mga3 thunderbird-fi-17.0.9-1.mga3 thunderbird-fr-17.0.9-1.mga3 thunderbird-fy-17.0.9-1.mga3 thunderbird-ga-17.0.9-1.mga3 thunderbird-gd-17.0.9-1.mga3 thunderbird-gl-17.0.9-1.mga3 thunderbird-he-17.0.9-1.mga3 thunderbird-hu-17.0.9-1.mga3 thunderbird-id-17.0.9-1.mga3 thunderbird-is-17.0.9-1.mga3 thunderbird-it-17.0.9-1.mga3 thunderbird-ja-17.0.9-1.mga3 thunderbird-ko-17.0.9-1.mga3 thunderbird-lt-17.0.9-1.mga3 thunderbird-nb_NO-17.0.9-1.mga3 thunderbird-nl-17.0.9-1.mga3 thunderbird-nn_NO-17.0.9-1.mga3 thunderbird-pa_IN-17.0.9-1.mga3 thunderbird-pl-17.0.9-1.mga3 thunderbird-pt_BR-17.0.9-1.mga3 thunderbird-pt_PT-17.0.9-1.mga3 thunderbird-ro-17.0.9-1.mga3 thunderbird-ru-17.0.9-1.mga3 thunderbird-si-17.0.9-1.mga3 thunderbird-sk-17.0.9-1.mga3 thunderbird-sl-17.0.9-1.mga3 thunderbird-sq-17.0.9-1.mga3 thunderbird-sv_SE-17.0.9-1.mga3 thunderbird-ta_LK-17.0.9-1.mga3 thunderbird-tr-17.0.9-1.mga3 thunderbird-uk-17.0.9-1.mga3 thunderbird-vi-17.0.9-1.mga3 thunderbird-zh_CN-17.0.9-1.mga3 thunderbird-zh_TW-17.0.9-1.mga3

from SRPMS:
firefox-17.0.9-1.mga2.src.rpm
firefox-l10n-17.0.9-1.mga2.src.rpm
thunderbird-17.0.9-1.mga2.src.rpm
thunderbird-l10n-17.0.9-1.mga2.src.rpm
firefox-17.0.9-1.mga3.src.rpm
firefox-l10n-17.0.9-1.mga3.src.rpm
thunderbird-17.0.9-1.mga3.src.rpm
thunderbird-l10n-17.0.9-1.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
No PoC on SecurityFocus. Testing mga3-64.
CC: (none) => wrw105
Firefox: tested general browsing, sunspider javascript, javatester for java, youtube for flash. Thunderbird: read/write, move messages over IMAP, send SMTP, receive IMAP. As a side note, will there be an NSS/NSPR update for this release?
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok
(In reply to Bill Wilkinson from comment #2)
> As a side note, will there be an NSS/NSPR update for this release?

No, just as a reminder of what I said during the 17.0.8 update, we'll update nss and nspr when we update to 24 ESR, which should be the next round of FF/TB updates after this one.

Also, while it's good to ask that question, as we don't want to forget it (and the packager who usually packages the TB/FF updates, usually does forget about nss/nspr), as well as rootcerts, I personally won't push a FF/TB update to QA without considering nss/nspr first (although I did forget rootcerts until just now, so it's still good you asked...it's good for now too BTW :o).
Thanks, David! Just trying to be thorough! Completed same tests with mga3-32, all OK.
Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga3-32-ok
Completed same tests with mga2-32, all OK. As I don't have a working mga2-64 I'll ask someone else to test that one.
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok
Testing complete and advisory committed to svn. Someone from the sysadmin team please push 11250.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok mga2-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/567271/
FYI. For NSS/NSPR, I find it faster to view a diff between the old and new firefox version to see if there are changes in the bundled ones, than to try to find info elsewhere.
CC: (none) => oe
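One way to narrow the diff described in the comment above to the bundled NSS and NSPR version macros, as an added example that is not part of the original thread. The header paths, the function names and the sample version strings are assumptions or constructed values; `NSS_VERSION` and `PR_VERSION` are the macros the two libraries define for their version strings.

```shell
#!/bin/sh
# Added example: report whether the NSS/NSPR copies bundled in two unpacked
# Firefox source trees differ. Header paths are assumptions about the tree
# layout; override them if your tarball differs.
NSS_HDR=${NSS_HDR:-security/nss/lib/nss/nss.h}
NSPR_HDR=${NSPR_HDR:-nsprpub/pr/include/prinit.h}

# Print the quoted value of '#define MACRO "x.y.z"' in a header, or "missing".
bundled_version() {            # $1 = tree root, $2 = header path, $3 = macro
    [ -f "$1/$2" ] || { echo missing; return 0; }
    v=$(sed -n "s/^#define[[:space:]]\{1,\}${3}[[:space:]]\{1,\}\"\([^\"]*\)\".*/\1/p" "$1/$2" | head -n 1)
    echo "${v:-missing}"
}

# Report one component; return 1 when it changed or could not be read.
compare_component() {          # $1 = label, $2 = old, $3 = new, $4 = header, $5 = macro
    old=$(bundled_version "$2" "$4" "$5")
    new=$(bundled_version "$3" "$4" "$5")
    if [ "$old" = missing ] || [ "$new" = missing ]; then
        echo "$1: version macro not found, diff the directory by hand"
        return 1
    elif [ "$old" = "$new" ]; then
        echo "$1: unchanged ($old)"
    else
        echo "$1: $old -> $new, review the system package"
        return 1
    fi
}

# Exit status is the number of components that need attention (0, 1 or 2).
check_bundled_libs() {         # $1 = old tree, $2 = new tree
    changed=0
    compare_component NSS "$1" "$2" "$NSS_HDR" NSS_VERSION || changed=$((changed + 1))
    compare_component NSPR "$1" "$2" "$NSPR_HDR" PR_VERSION || changed=$((changed + 1))
    return "$changed"
}

# Constructed sample tree (made-up version strings) so the check runs offline.
make_sample_tree() {           # $1 = root, $2 = NSS version, $3 = NSPR version
    mkdir -p "$1/${NSS_HDR%/*}" "$1/${NSPR_HDR%/*}"
    printf '#define NSS_VERSION  "%s" _NSS_ECC_STRING\n' "$2" > "$1/$NSS_HDR"
    printf '#define PR_VERSION  "%s"\n' "$3" > "$1/$NSPR_HDR"
}

if [ "$#" -eq 2 ]; then check_bundled_libs "$1" "$2"; exit $?; fi
```

Run it with the old and new unpacked source directories as the two arguments; a non-zero exit status means at least one bundled library changed or its header was not found.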
Update pushed: http://advisories.mageia.org/MGASA-2013-0287.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED