Description of problem: Mozilla Firefox and Thunderbird ESR 17 EOL is near. In December there will be no more security updates for this version.
We know, Firefox 21 ESR is coming soon.
Component: RPM Packages => Security
The next ESR is 24 actually. We won't need to update Mageia 2 to 24 due to its own EOL date. Along with Firefox itself, rootcerts, nspr, and nss will need to be updated as well. Those latter three should also be updated on Mageia 2, as the nss update to 3.15.2 fixes a security bug: http://lwn.net/Vulnerabilities/570149/
QA Contact: (none) => security
nspr-4.10.1-1.mga2, nss-3.15.2-1.mga2, nspr-4.10.1-1.mga3 and nss-3.15.2-1.mga3 have been submitted. rootcerts-20130411.00-1.mga2 and rootcerts-20130411.00-1.mga3 were submitted to updates_testing by me on Fri 04 Oct 2013.
CC: (none) => oe
Some heads-up. I will upgrade to 24 ESR for mga2, as the update for mes5 is based on the mga2 one, if that's OK? Will start with this soonish. For mga3 it shouldn't pose much extra work, so I will fix it there too.
Yep, it will be great to make it before 22 November.
ff 24 was submitted to mga3, please test.
urpmi firefox-fr, which installs:
firefox 24.0 1.mga3 x86_64
firefox-fr 24.0 1.mga3 noarch
lib64nspr4 4.10.1 1.mga3 x86_64
lib64nss3 3.15.2 1.1.mga3 x86_64
lib64sqlite3_0 3.7.17 1.mga3 x86_64
No issue for me.
ff 24 was submitted to mga2, please test.
CC'ing the QA team for early testing. We don't need to push the FF 24 update as it doesn't fix anything beyond what we've already fixed in 17.0.9, but it'd be good to start testing it so if there are any issues, they can be corrected before we need to push the next security update, which will be 24.0.1 or 24.0.2. BTW, Oden, if you wouldn't mind, it'd be good to have Thunderbird in testing too. The next FF update will also include the updated rootcerts, nspr, and nss packages (also already in updates_testing). Full package list to come.
CC: (none) => qa-bugs
Oh, sqlite3 is also being updated along with this, as it usually is when we switch to a new ESR branch. It's also in updates_testing as Manuel noted.
There wasn't that much work making the cauldron ff backport. http://svnweb.mageia.org/packages/cauldron/firefox/current/SPECS/firefox.spec?r1=492484&r2=497301
Packages in updates_testing: libsqlite3-devel-3.7.17-1.mga2 libsqlite3-static-devel-3.7.17-1.mga2 libsqlite3_0-3.7.17-1.mga2 sqlite3-tcl-3.7.17-1.mga2 sqlite3-tools-3.7.17-1.mga2 lemon-3.7.17-1.mga2 rootcerts-20130411.00-1.mga2 rootcerts-java-20130411.00-1.mga2 libnspr-devel-4.10.1-1.mga2 libnspr4-4.10.1-1.mga2 libnss-devel-3.15.2-1.1.mga2 libnss-static-devel-3.15.2-1.1.mga2 libnss3-3.15.2-1.1.mga2 nss-3.15.2-1.1.mga2 nss-doc-3.15.2-1.1.mga2 firefox-24.0-1.mga2 firefox-af-24.0-1.mga2 firefox-ar-24.0-1.mga2 firefox-as-24.0-1.mga2 firefox-ast-24.0-1.mga2 firefox-be-24.0-1.mga2 firefox-bg-24.0-1.mga2 firefox-bn_BD-24.0-1.mga2 firefox-bn_IN-24.0-1.mga2 firefox-br-24.0-1.mga2 firefox-bs-24.0-1.mga2 firefox-ca-24.0-1.mga2 firefox-cs-24.0-1.mga2 firefox-csb-24.0-1.mga2 firefox-cy-24.0-1.mga2 firefox-da-24.0-1.mga2 firefox-de-24.0-1.mga2 firefox-devel-24.0-1.mga2 firefox-el-24.0-1.mga2 firefox-en_GB-24.0-1.mga2 firefox-en_ZA-24.0-1.mga2 firefox-eo-24.0-1.mga2 firefox-es_AR-24.0-1.mga2 firefox-es_CL-24.0-1.mga2 firefox-es_ES-24.0-1.mga2 firefox-es_MX-24.0-1.mga2 firefox-et-24.0-1.mga2 firefox-eu-24.0-1.mga2 firefox-fa-24.0-1.mga2 firefox-ff-24.0-1.mga2 firefox-fi-24.0-1.mga2 firefox-fr-24.0-1.mga2 firefox-fy-24.0-1.mga2 firefox-ga_IE-24.0-1.mga2 firefox-gd-24.0-1.mga2 firefox-gl-24.0-1.mga2 firefox-gu_IN-24.0-1.mga2 firefox-he-24.0-1.mga2 firefox-hi-24.0-1.mga2 firefox-hr-24.0-1.mga2 firefox-hu-24.0-1.mga2 firefox-hy-24.0-1.mga2 firefox-id-24.0-1.mga2 firefox-is-24.0-1.mga2 firefox-it-24.0-1.mga2 firefox-ja-24.0-1.mga2 firefox-kk-24.0-1.mga2 firefox-km-24.0-1.mga2 firefox-kn-24.0-1.mga2 firefox-ko-24.0-1.mga2 firefox-ku-24.0-1.mga2 firefox-lg-24.0-1.mga2 firefox-lij-24.0-1.mga2 firefox-lt-24.0-1.mga2 firefox-lv-24.0-1.mga2 firefox-mai-24.0-1.mga2 firefox-mk-24.0-1.mga2 firefox-ml-24.0-1.mga2 firefox-mr-24.0-1.mga2 firefox-nb_NO-24.0-1.mga2 firefox-nl-24.0-1.mga2 firefox-nn_NO-24.0-1.mga2 firefox-nso-24.0-1.mga2 firefox-or-24.0-1.mga2 firefox-pa_IN-24.0-1.mga2 
firefox-pl-24.0-1.mga2 firefox-pt_BR-24.0-1.mga2 firefox-pt_PT-24.0-1.mga2 firefox-ro-24.0-1.mga2 firefox-ru-24.0-1.mga2 firefox-si-24.0-1.mga2 firefox-sk-24.0-1.mga2 firefox-sl-24.0-1.mga2 firefox-sq-24.0-1.mga2 firefox-sr-24.0-1.mga2 firefox-sv_SE-24.0-1.mga2 firefox-ta-24.0-1.mga2 firefox-ta_LK-24.0-1.mga2 firefox-te-24.0-1.mga2 firefox-th-24.0-1.mga2 firefox-tr-24.0-1.mga2 firefox-uk-24.0-1.mga2 firefox-vi-24.0-1.mga2 firefox-zh_CN-24.0-1.mga2 firefox-zh_TW-24.0-1.mga2 firefox-zu-24.0-1.mga2 libsqlite3-devel-3.7.17-1.mga3 libsqlite3-static-devel-3.7.17-1.mga3 libsqlite3_0-3.7.17-1.mga3 sqlite3-tcl-3.7.17-1.mga3 sqlite3-tools-3.7.17-1.mga3 lemon-3.7.17-1.mga3 rootcerts-20130411.00-1.mga3 rootcerts-java-20130411.00-1.mga3 libnspr-devel-4.10.1-1.mga3 libnspr4-4.10.1-1.mga3 libnss-devel-3.15.2-1.1.mga3 libnss-static-devel-3.15.2-1.1.mga3 libnss3-3.15.2-1.1.mga3 nss-3.15.2-1.1.mga3 nss-doc-3.15.2-1.1.mga3 firefox-24.0-1.mga3 firefox-af-24.0-1.mga3 firefox-ar-24.0-1.mga3 firefox-as-24.0-1.mga3 firefox-ast-24.0-1.mga3 firefox-be-24.0-1.mga3 firefox-bg-24.0-1.mga3 firefox-bn_BD-24.0-1.mga3 firefox-bn_IN-24.0-1.mga3 firefox-br-24.0-1.mga3 firefox-bs-24.0-1.mga3 firefox-ca-24.0-1.mga3 firefox-cs-24.0-1.mga3 firefox-csb-24.0-1.mga3 firefox-cy-24.0-1.mga3 firefox-da-24.0-1.mga3 firefox-de-24.0-1.mga3 firefox-devel-24.0-1.mga3 firefox-el-24.0-1.mga3 firefox-en_GB-24.0-1.mga3 firefox-en_ZA-24.0-1.mga3 firefox-eo-24.0-1.mga3 firefox-es_AR-24.0-1.mga3 firefox-es_CL-24.0-1.mga3 firefox-es_ES-24.0-1.mga3 firefox-es_MX-24.0-1.mga3 firefox-et-24.0-1.mga3 firefox-eu-24.0-1.mga3 firefox-fa-24.0-1.mga3 firefox-ff-24.0-1.mga3 firefox-fi-24.0-1.mga3 firefox-fr-24.0-1.mga3 firefox-fy-24.0-1.mga3 firefox-ga_IE-24.0-1.mga3 firefox-gd-24.0-1.mga3 firefox-gl-24.0-1.mga3 firefox-gu_IN-24.0-1.mga3 firefox-he-24.0-1.mga3 firefox-hi-24.0-1.mga3 firefox-hr-24.0-1.mga3 firefox-hu-24.0-1.mga3 firefox-hy-24.0-1.mga3 firefox-id-24.0-1.mga3 firefox-is-24.0-1.mga3 firefox-it-24.0-1.mga3 
firefox-ja-24.0-1.mga3 firefox-kk-24.0-1.mga3 firefox-km-24.0-1.mga3 firefox-kn-24.0-1.mga3 firefox-ko-24.0-1.mga3 firefox-ku-24.0-1.mga3 firefox-lg-24.0-1.mga3 firefox-lij-24.0-1.mga3 firefox-lt-24.0-1.mga3 firefox-lv-24.0-1.mga3 firefox-mai-24.0-1.mga3 firefox-mk-24.0-1.mga3 firefox-ml-24.0-1.mga3 firefox-mr-24.0-1.mga3 firefox-nb_NO-24.0-1.mga3 firefox-nl-24.0-1.mga3 firefox-nn_NO-24.0-1.mga3 firefox-nso-24.0-1.mga3 firefox-or-24.0-1.mga3 firefox-pa_IN-24.0-1.mga3 firefox-pl-24.0-1.mga3 firefox-pt_BR-24.0-1.mga3 firefox-pt_PT-24.0-1.mga3 firefox-ro-24.0-1.mga3 firefox-ru-24.0-1.mga3 firefox-si-24.0-1.mga3 firefox-sk-24.0-1.mga3 firefox-sl-24.0-1.mga3 firefox-sq-24.0-1.mga3 firefox-sr-24.0-1.mga3 firefox-sv_SE-24.0-1.mga3 firefox-ta-24.0-1.mga3 firefox-ta_LK-24.0-1.mga3 firefox-te-24.0-1.mga3 firefox-th-24.0-1.mga3 firefox-tr-24.0-1.mga3 firefox-uk-24.0-1.mga3 firefox-vi-24.0-1.mga3 firefox-zh_CN-24.0-1.mga3 firefox-zh_TW-24.0-1.mga3 firefox-zu-24.0-1.mga3 from SRPMS: sqlite3-3.7.17-1.mga2.src.rpm rootcerts-20130411.00-1.mga2.src.rpm nspr-4.10.1-1.mga2.src.rpm nss-3.15.2-1.1.mga2.src.rpm firefox-24.0-1.mga2.src.rpm firefox-l10n-24.0-1.mga2.src.rpm sqlite3-3.7.17-1.mga3.src.rpm rootcerts-20130411.00-1.mga3.src.rpm nspr-4.10.1-1.mga3.src.rpm nss-3.15.2-1.1.mga3.src.rpm firefox-24.0-1.mga3.src.rpm firefox-l10n-24.0-1.mga3.src.rpm
CC: (none) => luigiwalser
Whiteboard: (none) => MGA2TOO
tb 24 has been submitted to mga 2 and 3.
Thanks Oden! Thunderbird packages in updates_testing: thunderbird-24.0.1-1.mga2 thunderbird-enigmail-24.0.1-1.mga2 nsinstall-24.0.1-1.mga2 thunderbird-ar-24.0.1-1.mga2 thunderbird-ast-24.0.1-1.mga2 thunderbird-be-24.0.1-1.mga2 thunderbird-bg-24.0.1-1.mga2 thunderbird-bn_BD-24.0.1-1.mga2 thunderbird-br-24.0.1-1.mga2 thunderbird-ca-24.0.1-1.mga2 thunderbird-cs-24.0.1-1.mga2 thunderbird-da-24.0.1-1.mga2 thunderbird-de-24.0.1-1.mga2 thunderbird-el-24.0.1-1.mga2 thunderbird-en_GB-24.0.1-1.mga2 thunderbird-es_AR-24.0.1-1.mga2 thunderbird-es_ES-24.0.1-1.mga2 thunderbird-et-24.0.1-1.mga2 thunderbird-eu-24.0.1-1.mga2 thunderbird-fi-24.0.1-1.mga2 thunderbird-fr-24.0.1-1.mga2 thunderbird-fy-24.0.1-1.mga2 thunderbird-ga-24.0.1-1.mga2 thunderbird-gd-24.0.1-1.mga2 thunderbird-gl-24.0.1-1.mga2 thunderbird-he-24.0.1-1.mga2 thunderbird-hr-24.0.1-1.mga2 thunderbird-hu-24.0.1-1.mga2 thunderbird-hy-24.0.1-1.mga2 thunderbird-id-24.0.1-1.mga2 thunderbird-is-24.0.1-1.mga2 thunderbird-it-24.0.1-1.mga2 thunderbird-ja-24.0.1-1.mga2 thunderbird-ko-24.0.1-1.mga2 thunderbird-lt-24.0.1-1.mga2 thunderbird-nb_NO-24.0.1-1.mga2 thunderbird-nl-24.0.1-1.mga2 thunderbird-nn_NO-24.0.1-1.mga2 thunderbird-pl-24.0.1-1.mga2 thunderbird-pa_IN-24.0.1-1.mga2 thunderbird-pt_BR-24.0.1-1.mga2 thunderbird-pt_PT-24.0.1-1.mga2 thunderbird-ro-24.0.1-1.mga2 thunderbird-ru-24.0.1-1.mga2 thunderbird-si-24.0.1-1.mga2 thunderbird-sk-24.0.1-1.mga2 thunderbird-sl-24.0.1-1.mga2 thunderbird-sq-24.0.1-1.mga2 thunderbird-sv_SE-24.0.1-1.mga2 thunderbird-ta_LK-24.0.1-1.mga2 thunderbird-tr-24.0.1-1.mga2 thunderbird-uk-24.0.1-1.mga2 thunderbird-vi-24.0.1-1.mga2 thunderbird-zh_CN-24.0.1-1.mga2 thunderbird-zh_TW-24.0.1-1.mga2 thunderbird-24.0.1-1.mga3 thunderbird-enigmail-24.0.1-1.mga3 nsinstall-24.0.1-1.mga3 thunderbird-ar-24.0.1-1.mga3 thunderbird-ast-24.0.1-1.mga3 thunderbird-be-24.0.1-1.mga3 thunderbird-bg-24.0.1-1.mga3 thunderbird-bn_BD-24.0.1-1.mga3 thunderbird-br-24.0.1-1.mga3 thunderbird-ca-24.0.1-1.mga3 
thunderbird-cs-24.0.1-1.mga3 thunderbird-da-24.0.1-1.mga3 thunderbird-de-24.0.1-1.mga3 thunderbird-el-24.0.1-1.mga3 thunderbird-en_GB-24.0.1-1.mga3 thunderbird-es_AR-24.0.1-1.mga3 thunderbird-es_ES-24.0.1-1.mga3 thunderbird-et-24.0.1-1.mga3 thunderbird-eu-24.0.1-1.mga3 thunderbird-fi-24.0.1-1.mga3 thunderbird-fr-24.0.1-1.mga3 thunderbird-fy-24.0.1-1.mga3 thunderbird-ga-24.0.1-1.mga3 thunderbird-gd-24.0.1-1.mga3 thunderbird-gl-24.0.1-1.mga3 thunderbird-he-24.0.1-1.mga3 thunderbird-hr-24.0.1-1.mga3 thunderbird-hu-24.0.1-1.mga3 thunderbird-hy-24.0.1-1.mga3 thunderbird-id-24.0.1-1.mga3 thunderbird-is-24.0.1-1.mga3 thunderbird-it-24.0.1-1.mga3 thunderbird-ja-24.0.1-1.mga3 thunderbird-ko-24.0.1-1.mga3 thunderbird-lt-24.0.1-1.mga3 thunderbird-nb_NO-24.0.1-1.mga3 thunderbird-nl-24.0.1-1.mga3 thunderbird-nn_NO-24.0.1-1.mga3 thunderbird-pl-24.0.1-1.mga3 thunderbird-pa_IN-24.0.1-1.mga3 thunderbird-pt_BR-24.0.1-1.mga3 thunderbird-pt_PT-24.0.1-1.mga3 thunderbird-ro-24.0.1-1.mga3 thunderbird-ru-24.0.1-1.mga3 thunderbird-si-24.0.1-1.mga3 thunderbird-sk-24.0.1-1.mga3 thunderbird-sl-24.0.1-1.mga3 thunderbird-sq-24.0.1-1.mga3 thunderbird-sv_SE-24.0.1-1.mga3 thunderbird-ta_LK-24.0.1-1.mga3 thunderbird-tr-24.0.1-1.mga3 thunderbird-uk-24.0.1-1.mga3 thunderbird-vi-24.0.1-1.mga3 thunderbird-zh_CN-24.0.1-1.mga3 thunderbird-zh_TW-24.0.1-1.mga3 from SRPMS: thunderbird-24.0.1-1.mga2.src.rpm thunderbird-l10n-24.0.1-1.mga2.src.rpm thunderbird-24.0.1-1.mga3.src.rpm thunderbird-l10n-24.0.1-1.mga3.src.rpm
Firefox 24 tested on Mageia 3 64-bits. Everything works fine until now.
CC: (none) => olivier.delaune
Firefox and Thunderbird 24 mga3 32bit. Everything seems to work until now.
CC: (none) => hc
Although not using the packaged version of lightning, the package will also have to be updated to lightning 2.6.
CC: (none) => wrw105
Blocks: (none) => 11512
Firefox extensions in the repositories all install and run under mga3-64
Blocks: (none) => 11562
Since Thunderbird 24 is causing issues for some people in Cauldron (at least with lightning) we'll handle the Thunderbird update separately later in Bug 11562. Firefox has been updated to 24.1.0 in updates_testing, and it should be ready to test, and we should be able to push it once it has also been updated in Cauldron. I haven't seen a freeze push request for it there yet. Advisory to come soon.
RedHat has issued an advisory on October 29:
https://rhn.redhat.com/errata/RHSA-2013-1476.html

They have updated to 17.0.10 but we are updating to 24.1.0.

Updated packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure (CVE-2013-1739).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2013-5590, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602).

It was found that the Firefox JavaScript engine incorrectly allocated memory for certain functions. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Firefox (CVE-2013-5595).

A flaw was found in the way Firefox handled certain Extensible Stylesheet Language Transformations (XSLT) files. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Firefox (CVE-2013-5604).

Additionally, the rootcerts, nspr, nss, and sqlite3 packages have been updated to newer versions required by this update.

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5595 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5599 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5600 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5601 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5602 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5604 http://www.mozilla.org/security/announce/2013/mfsa2013-93.html http://www.mozilla.org/security/announce/2013/mfsa2013-95.html http://www.mozilla.org/security/announce/2013/mfsa2013-96.html http://www.mozilla.org/security/announce/2013/mfsa2013-98.html http://www.mozilla.org/security/announce/2013/mfsa2013-100.html http://www.mozilla.org/security/announce/2013/mfsa2013-101.html http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:257/ https://rhn.redhat.com/errata/RHSA-2013-1476.html ======================== Updated packages in core/updates_testing: ======================== libsqlite3-devel-3.7.17-1.mga2 libsqlite3-static-devel-3.7.17-1.mga2 libsqlite3_0-3.7.17-1.mga2 sqlite3-tcl-3.7.17-1.mga2 sqlite3-tools-3.7.17-1.mga2 lemon-3.7.17-1.mga2 rootcerts-20130411.00-1.mga2 rootcerts-java-20130411.00-1.mga2 libnspr-devel-4.10.1-1.mga2 libnspr4-4.10.1-1.mga2 libnss-devel-3.15.2-1.1.mga2 libnss-static-devel-3.15.2-1.1.mga2 libnss3-3.15.2-1.1.mga2 nss-3.15.2-1.1.mga2 nss-doc-3.15.2-1.1.mga2 firefox-24.1.0-1.mga2 firefox-devel-24.1.0-1.mga2 firefox-af-24.1.0-1.mga2 firefox-ar-24.1.0-1.mga2 firefox-as-24.1.0-1.mga2 firefox-ast-24.1.0-1.mga2 firefox-be-24.1.0-1.mga2 firefox-bg-24.1.0-1.mga2 firefox-bn_IN-24.1.0-1.mga2 firefox-bn_BD-24.1.0-1.mga2 firefox-br-24.1.0-1.mga2 firefox-bs-24.1.0-1.mga2 firefox-ca-24.1.0-1.mga2 firefox-cs-24.1.0-1.mga2 
firefox-csb-24.1.0-1.mga2 firefox-cy-24.1.0-1.mga2 firefox-da-24.1.0-1.mga2 firefox-de-24.1.0-1.mga2 firefox-el-24.1.0-1.mga2 firefox-en_GB-24.1.0-1.mga2 firefox-en_ZA-24.1.0-1.mga2 firefox-eo-24.1.0-1.mga2 firefox-es_AR-24.1.0-1.mga2 firefox-es_CL-24.1.0-1.mga2 firefox-es_ES-24.1.0-1.mga2 firefox-es_MX-24.1.0-1.mga2 firefox-et-24.1.0-1.mga2 firefox-eu-24.1.0-1.mga2 firefox-fa-24.1.0-1.mga2 firefox-ff-24.1.0-1.mga2 firefox-fi-24.1.0-1.mga2 firefox-fr-24.1.0-1.mga2 firefox-fy-24.1.0-1.mga2 firefox-ga_IE-24.1.0-1.mga2 firefox-gd-24.1.0-1.mga2 firefox-gl-24.1.0-1.mga2 firefox-gu_IN-24.1.0-1.mga2 firefox-he-24.1.0-1.mga2 firefox-hi-24.1.0-1.mga2 firefox-hr-24.1.0-1.mga2 firefox-hu-24.1.0-1.mga2 firefox-hy-24.1.0-1.mga2 firefox-id-24.1.0-1.mga2 firefox-is-24.1.0-1.mga2 firefox-it-24.1.0-1.mga2 firefox-ja-24.1.0-1.mga2 firefox-kk-24.1.0-1.mga2 firefox-ko-24.1.0-1.mga2 firefox-km-24.1.0-1.mga2 firefox-kn-24.1.0-1.mga2 firefox-ku-24.1.0-1.mga2 firefox-lg-24.1.0-1.mga2 firefox-lij-24.1.0-1.mga2 firefox-lt-24.1.0-1.mga2 firefox-lv-24.1.0-1.mga2 firefox-mai-24.1.0-1.mga2 firefox-mk-24.1.0-1.mga2 firefox-ml-24.1.0-1.mga2 firefox-mr-24.1.0-1.mga2 firefox-nb_NO-24.1.0-1.mga2 firefox-nl-24.1.0-1.mga2 firefox-nn_NO-24.1.0-1.mga2 firefox-nso-24.1.0-1.mga2 firefox-or-24.1.0-1.mga2 firefox-pa_IN-24.1.0-1.mga2 firefox-pl-24.1.0-1.mga2 firefox-pt_BR-24.1.0-1.mga2 firefox-pt_PT-24.1.0-1.mga2 firefox-ro-24.1.0-1.mga2 firefox-ru-24.1.0-1.mga2 firefox-si-24.1.0-1.mga2 firefox-sk-24.1.0-1.mga2 firefox-sl-24.1.0-1.mga2 firefox-sq-24.1.0-1.mga2 firefox-sr-24.1.0-1.mga2 firefox-sv_SE-24.1.0-1.mga2 firefox-ta-24.1.0-1.mga2 firefox-ta_LK-24.1.0-1.mga2 firefox-te-24.1.0-1.mga2 firefox-th-24.1.0-1.mga2 firefox-tr-24.1.0-1.mga2 firefox-uk-24.1.0-1.mga2 firefox-vi-24.1.0-1.mga2 firefox-zh_CN-24.1.0-1.mga2 firefox-zh_TW-24.1.0-1.mga2 firefox-zu-24.1.0-1.mga2 libsqlite3-devel-3.7.17-1.mga3 libsqlite3-static-devel-3.7.17-1.mga3 libsqlite3_0-3.7.17-1.mga3 sqlite3-tcl-3.7.17-1.mga3 
sqlite3-tools-3.7.17-1.mga3 lemon-3.7.17-1.mga3 rootcerts-20130411.00-1.mga3 rootcerts-java-20130411.00-1.mga3 libnspr-devel-4.10.1-1.mga3 libnspr4-4.10.1-1.mga3 libnss-devel-3.15.2-1.1.mga3 libnss-static-devel-3.15.2-1.1.mga3 libnss3-3.15.2-1.1.mga3 nss-3.15.2-1.1.mga3 nss-doc-3.15.2-1.1.mga3 firefox-24.1.0-1.mga3 firefox-devel-24.1.0-1.mga3 firefox-af-24.1.0-1.mga3 firefox-ar-24.1.0-1.mga3 firefox-as-24.1.0-1.mga3 firefox-ast-24.1.0-1.mga3 firefox-be-24.1.0-1.mga3 firefox-bg-24.1.0-1.mga3 firefox-bn_IN-24.1.0-1.mga3 firefox-bn_BD-24.1.0-1.mga3 firefox-br-24.1.0-1.mga3 firefox-bs-24.1.0-1.mga3 firefox-ca-24.1.0-1.mga3 firefox-cs-24.1.0-1.mga3 firefox-csb-24.1.0-1.mga3 firefox-cy-24.1.0-1.mga3 firefox-da-24.1.0-1.mga3 firefox-de-24.1.0-1.mga3 firefox-el-24.1.0-1.mga3 firefox-en_GB-24.1.0-1.mga3 firefox-en_ZA-24.1.0-1.mga3 firefox-eo-24.1.0-1.mga3 firefox-es_AR-24.1.0-1.mga3 firefox-es_CL-24.1.0-1.mga3 firefox-es_ES-24.1.0-1.mga3 firefox-es_MX-24.1.0-1.mga3 firefox-et-24.1.0-1.mga3 firefox-eu-24.1.0-1.mga3 firefox-fa-24.1.0-1.mga3 firefox-ff-24.1.0-1.mga3 firefox-fi-24.1.0-1.mga3 firefox-fr-24.1.0-1.mga3 firefox-fy-24.1.0-1.mga3 firefox-ga_IE-24.1.0-1.mga3 firefox-gd-24.1.0-1.mga3 firefox-gl-24.1.0-1.mga3 firefox-gu_IN-24.1.0-1.mga3 firefox-he-24.1.0-1.mga3 firefox-hi-24.1.0-1.mga3 firefox-hr-24.1.0-1.mga3 firefox-hu-24.1.0-1.mga3 firefox-hy-24.1.0-1.mga3 firefox-id-24.1.0-1.mga3 firefox-is-24.1.0-1.mga3 firefox-it-24.1.0-1.mga3 firefox-ja-24.1.0-1.mga3 firefox-kk-24.1.0-1.mga3 firefox-ko-24.1.0-1.mga3 firefox-km-24.1.0-1.mga3 firefox-kn-24.1.0-1.mga3 firefox-ku-24.1.0-1.mga3 firefox-lg-24.1.0-1.mga3 firefox-lij-24.1.0-1.mga3 firefox-lt-24.1.0-1.mga3 firefox-lv-24.1.0-1.mga3 firefox-mai-24.1.0-1.mga3 firefox-mk-24.1.0-1.mga3 firefox-ml-24.1.0-1.mga3 firefox-mr-24.1.0-1.mga3 firefox-nb_NO-24.1.0-1.mga3 firefox-nl-24.1.0-1.mga3 firefox-nn_NO-24.1.0-1.mga3 firefox-nso-24.1.0-1.mga3 firefox-or-24.1.0-1.mga3 firefox-pa_IN-24.1.0-1.mga3 firefox-pl-24.1.0-1.mga3 
firefox-pt_BR-24.1.0-1.mga3 firefox-pt_PT-24.1.0-1.mga3 firefox-ro-24.1.0-1.mga3 firefox-ru-24.1.0-1.mga3 firefox-si-24.1.0-1.mga3 firefox-sk-24.1.0-1.mga3 firefox-sl-24.1.0-1.mga3 firefox-sq-24.1.0-1.mga3 firefox-sr-24.1.0-1.mga3 firefox-sv_SE-24.1.0-1.mga3 firefox-ta-24.1.0-1.mga3 firefox-ta_LK-24.1.0-1.mga3 firefox-te-24.1.0-1.mga3 firefox-th-24.1.0-1.mga3 firefox-tr-24.1.0-1.mga3 firefox-uk-24.1.0-1.mga3 firefox-vi-24.1.0-1.mga3 firefox-zh_CN-24.1.0-1.mga3 firefox-zh_TW-24.1.0-1.mga3 firefox-zu-24.1.0-1.mga3 from SRPMS: sqlite3-3.7.17-1.mga2.src.rpm rootcerts-20130411.00-1.mga2.src.rpm nspr-4.10.1-1.mga2.src.rpm nss-3.15.2-1.1.mga2.src.rpm firefox-24.1.0-1.mga2.src.rpm firefox-l10n-24.1.0-1.mga2.src.rpm sqlite3-3.7.17-1.mga3.src.rpm rootcerts-20130411.00-1.mga3.src.rpm nspr-4.10.1-1.mga3.src.rpm nss-3.15.2-1.1.mga3.src.rpm firefox-24.1.0-1.mga3.src.rpm firefox-l10n-24.1.0-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Severity: normal => critical
Summary: Firefox ESR 17 EOL => firefox update to 24esr (24.1.0) for stable
Source RPM: (none) => firefox, firefox-l10n, sqlite3, rootcerts, nss, nspr
Blocks: (none) => 10707
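Added example, not part of the original thread or of Mageia's tooling: a Python check that parses package strings in the form they appear in the comments here and compares them with the fixed versions the advisory names (NSS 3.15.2, Firefox 24.1.0). The version comparison is a simplified form of RPM's segment-wise comparison, and the function names and the FIXED table are assumptions made for this illustration.

```python
import re

# Minimum fixed versions, read from the advisory in this thread:
# NSS "before 3.15.2" is affected by CVE-2013-1739, and the Firefox CVEs
# are addressed by the 24.1.0 packages. Library package names are the ones
# shown in the testers' install lists. (Table layout is an assumption.)
FIXED = {
    "firefox": "24.1.0",
    "nss": "3.15.2",
    "libnss3": "3.15.2",
    "lib64nss3": "3.15.2",
}

ARCH_SUFFIX = re.compile(r"\.(i586|x86_64|noarch)$")


def split_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    pkg = ARCH_SUFFIX.sub("", pkg.strip())
    # Version and release never contain '-', so split from the right.
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def vercmp(a, b):
    """Simplified RPM-style comparison: returns -1, 0 or 1.

    Versions are cut into runs of digits or letters. Numeric runs compare
    as integers, a numeric run beats an alphabetic one, and when all shared
    runs are equal the version with more runs is newer.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def audit(packages):
    """Map each tracked package name to (installed version, status)."""
    report = {}
    for pkg in packages:
        name, version, _release = split_nvr(pkg)
        fixed = FIXED.get(name)
        if fixed is None:
            continue  # language packs, glibc, sqlite3 etc. are not tracked
        status = "fixed" if vercmp(version, fixed) >= 0 else "outdated"
        report[name] = (version, status)
    return report


# Sample inputs copied from package names that appear in this thread.
BEFORE_UPDATE = [
    "firefox-17.0.9-1.mga3.x86_64",
    "firefox-en_GB-17.0.9-1.mga3.noarch",
    "glibc-2.17-5.mga3.x86_64",
]
EARLY_TEST_SET = [
    "firefox-24.0-1.mga3.x86_64",
    "firefox-en_GB-24.0-1.mga3.noarch",
    "lib64nspr4-4.10.1-1.mga3.x86_64",
    "lib64nss3-3.15.2-1.1.mga3.x86_64",
    "lib64sqlite3_0-3.7.17-1.mga3.x86_64",
]
ADVISORY_SET = [
    "firefox-24.1.0-1.mga3",
    "libnss3-3.15.2-1.1.mga3",
    "nss-3.15.2-1.1.mga3",
]

if __name__ == "__main__":
    for label, pkgs in (("before update", BEFORE_UPDATE),
                        ("early test set", EARLY_TEST_SET),
                        ("advisory set", ADVISORY_SET)):
        print(label)
        for name, (version, status) in sorted(audit(pkgs).items()):
            print(f"  {name:10} {version:8} {status}")
```

On a real system the input list would come from `rpm -qa`; the early 24.0 test set already carries the fixed NSS but still reports firefox as older than the advisory's 24.1.0.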
tb 24.1.0 has also been submitted.
(In reply to Oden Eriksson from comment #21)
> tb 24.1.0 has also been submitted.
Thanks. I've posted updated information for this in Bug 11562.
In VirtualBox, M3, KDE, 32-bit
Package(s) under test: firefox
[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 14:04:55 UTC 2013 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-5.mga3.i586 is already installed
Browser working normally
Install firefox updates from core updates_testing.
The following 10 packages are going to be installed:
- firefox-24.0-1.mga3.i586
- firefox-en_GB-24.0-1.mga3.noarch
- firefox-en_ZA-24.0-1.mga3.noarch
- glibc-2.17-7.2.mga3.i586
- glibc-devel-2.17-7.2.mga3.i586
- libnspr4-4.10.1-1.mga3.i586
- libnss3-3.15.2-1.1.mga3.i586
- libsqlite3_0-3.7.17-1.mga3.i586
- meta-task-3-43.mga3.noarch
- sqlite3-tools-3.7.17-1.mga3.i586
Reboot system for glibc
[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 14:04:55 UTC 2013 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-7.2.mga3.i586 is already installed
Browser working normally
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit
Package(s) under test: firefox
[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 13:56:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-5.mga3.x86_64 is already installed
Browser working normally
Install firefox updates from core updates_testing.
The following 10 packages are going to be installed:
- firefox-24.0-1.mga3.x86_64
- firefox-en_GB-24.0-1.mga3.noarch
- firefox-en_ZA-24.0-1.mga3.noarch
- glibc-2.17-7.2.mga3.x86_64
- glibc-devel-2.17-7.2.mga3.x86_64
- lib64nspr4-4.10.1-1.mga3.x86_64
- lib64nss3-3.15.2-1.1.mga3.x86_64
- lib64sqlite3_0-3.7.17-1.mga3.x86_64
- meta-task-3-43.mga3.noarch
- sqlite3-tools-3.7.17-1.mga3.x86_64
Reboot system for glibc
[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 13:56:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-7.2.mga3.x86_64 is already installed
Browser working normally
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
In VirtualBox, M2, KDE, 32-bit
Package(s) under test: firefox
[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:31:09 UTC 2013 i686 i686 i386 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-10.mga2.i586 is already installed
Browser working normally
Install firefox updates from core updates_testing.
The following 9 packages are going to be installed:
- firefox-24.0-1.mga2.i586
- firefox-en_GB-24.0-1.mga2.noarch
- firefox-en_ZA-24.0-1.mga2.noarch
- glibc-2.14.1-11.2.mga2.i586
- libnspr4-4.10.1-1.mga2.i586
- libnss3-3.15.2-1.1.mga2.i586
- libsqlite3_0-3.7.17-1.mga2.i586
- rpmdrake-5.34.1-1.mga2.noarch
- sqlite3-tools-3.7.17-1.mga2.i586
Reboot system for glibc
root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:31:09 UTC 2013 i686 i686 i386 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-11.2.mga2.i586 is already installed
Browser working normally
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
In VirtualBox, M2, KDE, 64-bit
Package(s) under test: firefox
[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:23:54 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-10.mga2.x86_64 is already installed
Browser working normally
Install firefox updates from core updates_testing.
The following 8 packages are going to be installed:
- firefox-24.0-1.mga2.x86_64
- firefox-en_GB-24.0-1.mga2.noarch
- firefox-en_ZA-24.0-1.mga2.noarch
- glibc-2.14.1-11.2.mga2.x86_64
- lib64nspr4-4.10.1-1.mga2.x86_64
- lib64nss3-3.15.2-1.1.mga2.x86_64
- lib64sqlite3_0-3.7.17-1.mga2.x86_64
- sqlite3-tools-3.7.17-1.mga2.x86_64
[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:23:54 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-11.2.mga2.x86_64 is already installed
Browser working normally
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
glibc is very dynamic right now. Is this testing going to have to be repeated as the new glib version(s) is/are released?
(In reply to William Kenney from comment #27)
> glibc is very dynamic right now. Is this testing going to have
> to be repeated as the new glib version(s) is/are released?
Please note that glibc and glib are two different things, I've seen a couple of people confusing these on IRC.
The glibc update has nothing to do with the Firefox update. It shouldn't have any effect on it either way, so it should be OK if you have it installed while testing this. If you're using mgaapplet to test installing updates, it'll force you to install the glibc update since it's a priority update package. Perhaps adding it to skip.list would allow avoiding this, but it shouldn't be a big deal.
URL: (none) => http://lwn.net/Vulnerabilities/572275/
On real hardware, M3, KDE, 64-bit
Package(s) under test: firefox
Same results as in Comment 24
Update to Firefox 24 then reboot
Browser working normally
Test platform:
Dell Vostro 1015 Laptop
-----------------------
Celeron 925 2.3Ghz 64-bit 1MB L2 cache 800Mhz FSB 45nm
RTL8111/8168B PCI Express 1Gbit Ethernet
Atheros AR9285 WiFi adapter
======================================================
Name: CVE-2013-5590
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5590
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130826
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=860123
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=893572

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

======================================================
Name: CVE-2013-5591
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5591
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130826
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=859892

Unspecified vulnerability in the browser engine in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

======================================================
Name: CVE-2013-5592
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5592
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130826
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=880544
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=886102
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=887921
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=912534

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 25.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

======================================================
Name: CVE-2013-5593
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5593
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130826
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-94.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=868327

The SELECT element implementation in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 does not properly restrict the nature or placement of HTML within a dropdown menu, which allows remote attackers to spoof the address bar or conduct clickjacking attacks via vectors that trigger navigation off of a page containing this element.

====================================================== Name: CVE-2013-5595 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5595 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-96.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916580 The JavaScript engine in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly allocate memory for unspecified functions, which allows remote attackers to conduct buffer overflow attacks via a crafted web page. ====================================================== Name: CVE-2013-5596 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5596 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-97.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=910881 The cycle collection (CC) implementation in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 does not properly determine the thread for release of an image object, which allows remote attackers to execute arbitrary code or cause a denial of service (race condition and application crash) via a large HTML document containing IMG elements, as demonstrated by the Never-Ending Reddit on reddit.com. 
====================================================== Name: CVE-2013-5597 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5597 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-98.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=918864 Use-after-free vulnerability in the nsDocLoader::doStopDocumentLoad function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving a state-change event during an update of the offline cache. ====================================================== Name: CVE-2013-5598 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5598 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-99.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=920515 PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does not properly handle the appending of an IFRAME element, which allows remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges by using this element within an embedded PDF object. 
====================================================== Name: CVE-2013-5599 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5599 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=915210 Use-after-free vulnerability in the nsIPresShell::GetPresContext function in the PresShell (aka presentation shell) implementation in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via vectors involving a CANVAS element, a mozTextStyle attribute, and an onresize event. ====================================================== Name: CVE-2013-5600 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5600 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916576 Use-after-free vulnerability in the nsIOService::NewChannelFromURIWithProxyFlags function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code via vectors involving a blob: URL. 
====================================================== Name: CVE-2013-5601 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5601 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916685 Use-after-free vulnerability in the nsEventListenerManager::SetEventHandler function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code via vectors related to a memory allocation through the garbage collection (GC) API. ====================================================== Name: CVE-2013-5602 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5602 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-101.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=897678 The Worker::SetEventListener function in the Web workers implementation in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to direct proxies. 
====================================================== Name: CVE-2013-5603 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5603 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-102.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916404 Use-after-free vulnerability in the nsContentUtils::ContentIsHostIncludingDescendantOf function in Mozilla Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving HTML document templates. ====================================================== Name: CVE-2013-5604 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5604 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20130826 Category: Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-95.html Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=914017 The txXPathNodeUtils::getBaseURI function in the XSLT processor in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly initialize data, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via crafted documents.
Testing mga2 32

Nothing notable to report, tested everything I can think of.
Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok
mga3-64 does well in the usual (java, js, youtube, general browsing) categories for me.
Whiteboard: MGA2TOO mga2-32-ok => MGA2TOO mga2-32-ok mga3-64-ok
Firefox 24.1.0 is now uploaded in Cauldron.
I wanted to mention that one of the big differences between FF17 & FF24 is that 24 uses native hardware acceleration for video. Or it says it does. So you should see an improvement in things like flash videos.
Testing general use on mga2-64. No problem so far.
CC: (none) => stormi
Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok => MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok?
mga3-64 appears to work in a VirtualBox VM.
CC: (none) => shlomif
Testing general use on mga3-64. No problem so far.
CC: (none) => rehcla.mailinglist
Hardware: i586 => x86_64
Hardware: x86_64 => All
Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok? => MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok mga3-32-ok
Holding validation as a potential issue has been reported in bug 11597.
Little issues: i18n regressions in French. There are untranslated strings. Maybe they changed them and didn't update in time.

Right click on a tab and see:
- Pin Tab
- Close Tabs To The Right

Also, in the Préférences dialog, most recent additions are still untranslated. This is an upstream bug, but not very good for people who don't understand English. This ESR edition looks like an unfinished product.
Whereas in firefox 17 it would offer to open .urpmi files with Gurpmi, firefox 24 from updates_testing doesn't offer that anymore. Which makes the "install" buttons in Mageia App Db useless.
Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga3-64-ok mga3-32-ok
(In reply to Samuel VERSCHELDE from comment #40)
> Whereas in firefox 17 it would offer to open .urpmi files with Gurpmi,
> firefox 24 from updates_testing doesn't offer that anymore. Which makes the
> "install" buttons in Mageia App Db useless.

napcok helped me to find the cause for this one. Adding a HTTP header to the generated .urpmi file solves the problem.
Can anybody reproduce the graphical corruption in bug 11597? It could be a driver issue perhaps. We can't hold this one for long as it is a security update on widely used software.
It would be a royal pain, but the other possible option would be issuing 17.0.10 as the update instead of 24.1.0, but we'd still have to deal with 24 for the next update.
Hi Claire,

(In reply to claire robinson from comment #42)
> Can anybody reproduce the graphical corruption in bug 11597?
>

I cannot reproduce it here inside a VirtualBox VM, running on this computer:

«
My primary machine is a desktop machine with a:
An Intel Core i3 CPU (x86-64).
8 GB of RAM.
Intel Corporation Sandy Bridge Integrated Graphics Controller (rev 09)
A 2 TB hard-disk.
A 21״ Wide LCD Screen by LG.
Intel Corporation Cougar Point High Definition Audio Controller.
Intel Corporation 82579V Gigabit Network Connection.
»

> It could be a driver issue perhaps.

Yes, please ask the reporter what are his drivers and if he can try switching to VESA and/or a different driver.

Regards,

-- Shlomi Fish

>
> We can't hold this one for long as it is a security update on widely used
> software.
Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok => advisory MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
Whiteboard: advisory MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok advisory mga3-64-ok mga3-32-ok
Bug 11597 has been closed as invalid. Also, nobody has so far been able to reproduce the issue mentioned there.

Validating the update. Advisory uploaded previously.

Please note also a new 'advisory' tag in the whiteboard we will use when the advisory has been uploaded which is displayed on QA list as a * in the first column. Thank you to Stormi for this. http://mageia.madb.org/tools/updates

Thank you everybody for getting involved in testing this update.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0320.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
My guess is that the update of sqlite3 broke Evolution under Mageia 2. I posted to the discuss list with the following information:

I installed updates last night and today Evolution does not start. I tried running it from the console to see if I could get any more information this is what I saw:

$ evolution
(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn SpamAssassin (/usr/bin/spamc --no-safe-fallback --socket ): Failed to execute child process "/usr/bin/spamc" (No such file or directory)
(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn SpamAssassin (/usr/bin/spamd --socketpath /home/daniel/.cache/evolution/tmp/spamd-socket-path-6RWH6W --local --max-children=1 --pidfile /home/daniel/.cache/evolution/tmp/spamd-pid-file-9QWH6W): Failed to execute child process "/usr/bin/spamd" (No such file or directory)
(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn SpamAssassin (/usr/bin/spamc --learntype=forget): Failed to execute child process "/usr/bin/spamc" (No such file or directory)
(and the process hangs, but no UI visible)

So perhaps spam assassin was the problem then, I thought, so I removed spam assassin

$ evolution
(evolution:16675): evolution-spamassassin-WARNING **: Failed to spawn SpamAssassin (/usr/bin/sa-learn --version): Failed to execute child process "/usr/bin/sa-learn" (No such file or directory)

Still not starting. I installed spam assassin again, but it did not help at all.

Looking at dependencies and at the advisory website, my guess would be that the update to sqlite3 broke Evolution. I don't know if it needs to be re-built against the new version or not, but that is my guess. Perhaps someone with a bit more know-how can advise.

I will raise a separate ticket for Evolution not starting.
CC: (none) => mandriva
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=11654
Also reported in bug 11660 with possible fix so this round of updates has caused a regression in evolution in mga2. No problems in mga3 that I've noticed.
Daniel created bug 11654
Other packages updated were chromium-browser-stable, timezone & squidguard
Could be a timezone issue actually. Running under strace and killing with ctrl-c after a while shows it stops here..

open("/usr/share/zoneinfo/Cuba", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0xb766cbac, FUTEX_WAIT_PRIVATE, 2, NULL) = ? ERESTARTSYS (To be restarted)
--- {si_signo=SIGINT, si_code=SI_KERNEL} (Interrupt) ---
+++ killed by SIGINT +++

$ ls /usr/share/zoneinfo/
Africa/ Antarctica/ Asia/ Australia/ Canada/ Etc/ Indian/ Mexico/ Pacific/ posixrules US/
America/ Arctic/ Atlantic/ Brazil/ Chile/ Europe/ iso3166.tab Mideast/ posix@ right/ zone.tab

No errors are shown on cli.
$ find /usr/share/zoneinfo/ -name Cuba
/usr/share/zoneinfo/right/Cuba
# ln -s /usr/share/zoneinfo/right/Cuba /usr/share/zoneinfo/Cuba

It then stops at the next one, Egypt. I think timezone has caused the regression rather than sqlite so moving to the timezone bug 11559
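The check from the last three comments, generalized as an added example that is not part of the original thread: rather than finding one missing zone per strace run, it lists every zone file present under `right/` that has no counterpart at the top level of the zoneinfo tree. The function names, the `--check` argument and the sample tree are constructed for illustration; the script only reads the tree and changes nothing.

```shell
#!/bin/sh
# Added example: report zone files that exist under <root>/right/ but are
# missing at the top level of <root> (the Cuba/Egypt symptom in the strace).

# missing_toplevel_zones [ROOT]
# Prints, sorted and one per line, each zone name (path relative to
# ROOT/right) for which ROOT/<name> does not exist. Returns 2 if ROOT has
# no right/ tree to compare against.
missing_toplevel_zones() {
    root=${1:-/usr/share/zoneinfo}
    [ -d "$root/right" ] || { echo "no right/ tree under $root" >&2; return 2; }
    ( cd "$root/right" && find . \( -type f -o -type l \) -print ) |
    sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r zone; do
        # -e follows symlinks, so a dangling link is reported as missing too.
        [ -e "$root/$zone" ] || printf '%s\n' "$zone"
    done
}

# build_sample_tree DIR
# Constructed sample layout for an offline run: Cuba and Egypt exist only
# under right/, while America/Havana and Europe/Paris exist in both places.
build_sample_tree() {
    d=$1
    mkdir -p "$d/right/America" "$d/right/Europe" "$d/America" "$d/Europe"
    for z in Cuba Egypt America/Havana Europe/Paris; do
        : > "$d/right/$z"
    done
    : > "$d/America/Havana"
    : > "$d/Europe/Paris"
}

# Stand-alone use (script name is hypothetical):
#   sh zonecheck.sh --check /usr/share/zoneinfo
if [ "${1:-}" = "--check" ]; then
    missing_toplevel_zones "${2:-/usr/share/zoneinfo}"
fi
```

An empty result means every zone under `right/` also resolves at the top level, which makes this usable as a quick post-update check on a test machine before validating a timezone package.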