Bug 11370 - firefox update to 24esr (24.1.0) for stable
Summary: firefox update to 24esr (24.1.0) for stable
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/572275/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok advisor...
Keywords: validated_update
Depends on:
Blocks: 10707 11512 11562
Reported: 2013-10-03 17:05 CEST by Alejandro Cobo
Modified: 2013-11-13 08:52 CET

See Also:
Source RPM: firefox, firefox-l10n, sqlite3, rootcerts, nss, nspr

Description Alejandro Cobo 2013-10-03 17:05:22 CEST
Description of problem:

Mozilla Firefox and Thunderbird ESR 17 EOL is near. In December there will be no more security updates for this version.

Reproducible: 

Steps to Reproduce:
Comment 1 Manuel Hiebel 2013-10-03 18:02:33 CEST
we know, firefox 21 esr is coming soon

Component: RPM Packages => Security

Comment 2 David Walser 2013-10-11 20:16:05 CEST
The next ESR is 24 actually.  We won't need to update Mageia 2 to 24 due to its own EOL date.  Along with Firefox itself, rootcerts, nspr, and nss will need to be updated as well.  Those latter three should also be updated on Mageia 2, as the nss update to 3.15.2 fixes a security bug:
http://lwn.net/Vulnerabilities/570149/

QA Contact: (none) => security

Comment 3 Oden Eriksson 2013-10-12 12:22:54 CEST
nspr-4.10.1-1.mga2, nss-3.15.2-1.mga2, nspr-4.10.1-1.mga3 and nss-3.15.2-1.mga3 have been submitted.

rootcerts-20130411.00-1.mga2 and rootcerts-20130411.00-1.mga3 were submitted to updates_testing by me Fri 04 Oct 2013.

CC: (none) => oe

Comment 4 Oden Eriksson 2013-10-12 12:36:14 CEST
A heads-up.

I will upgrade to 24 ESR for mga2 as the update for mes5 is based on the mga2 one if that's OK? Will start with this soon'ish. For mga3 it shouldn't pose much extra work, so I will fix it there too.
Comment 5 Manuel Hiebel 2013-10-12 12:54:13 CEST
yep it will be great to make it before 22 november
Comment 6 Oden Eriksson 2013-10-14 13:56:25 CEST
ff 24 was submitted to mga3, please test.
Comment 7 Manuel Hiebel 2013-10-14 15:12:39 CEST
urpmi firefox-fr, which installs:

  firefox                        24.0         1.mga3        x86_64  
  firefox-fr                     24.0         1.mga3        noarch  
  lib64nspr4                     4.10.1       1.mga3        x86_64  
  lib64nss3                      3.15.2       1.1.mga3      x86_64  
  lib64sqlite3_0                 3.7.17       1.mga3        x86_64

No issue for me
Comment 8 Oden Eriksson 2013-10-14 16:45:32 CEST
ff 24 was submitted to mga2, please test.
Comment 9 David Walser 2013-10-14 17:31:51 CEST
CC'ing the QA team for early testing.  We don't need to push the FF 24 update as it doesn't fix anything beyond what we've already fixed in 17.0.9, but it'd be good to start testing it so if there are any issues, they can be corrected before we need to push the next security update, which will be 24.0.1 or 24.0.2.

BTW, Oden, if you wouldn't mind, it'd be good to have Thunderbird in testing too.

The next FF update will also include the updated rootcerts, nspr, and nss packages (also already in updates_testing).  Full package list to come.

CC: (none) => qa-bugs

Comment 10 David Walser 2013-10-14 17:32:49 CEST
Oh, sqlite3 is also being updated along with this, as it usually is when we switch to a new ESR branch.  It's also in updates_testing as Manuel noted.
Comment 11 Oden Eriksson 2013-10-14 17:43:14 CEST
There wasn't that much work making the cauldron ff backport.

http://svnweb.mageia.org/packages/cauldron/firefox/current/SPECS/firefox.spec?r1=492484&r2=497301
Comment 12 David Walser 2013-10-15 03:09:25 CEST
Packages in updates_testing:
libsqlite3-devel-3.7.17-1.mga2
libsqlite3-static-devel-3.7.17-1.mga2
libsqlite3_0-3.7.17-1.mga2
sqlite3-tcl-3.7.17-1.mga2
sqlite3-tools-3.7.17-1.mga2
lemon-3.7.17-1.mga2
rootcerts-20130411.00-1.mga2
rootcerts-java-20130411.00-1.mga2
libnspr-devel-4.10.1-1.mga2
libnspr4-4.10.1-1.mga2
libnss-devel-3.15.2-1.1.mga2
libnss-static-devel-3.15.2-1.1.mga2
libnss3-3.15.2-1.1.mga2
nss-3.15.2-1.1.mga2
nss-doc-3.15.2-1.1.mga2
firefox-24.0-1.mga2
firefox-af-24.0-1.mga2
firefox-ar-24.0-1.mga2
firefox-as-24.0-1.mga2
firefox-ast-24.0-1.mga2
firefox-be-24.0-1.mga2
firefox-bg-24.0-1.mga2
firefox-bn_BD-24.0-1.mga2
firefox-bn_IN-24.0-1.mga2
firefox-br-24.0-1.mga2
firefox-bs-24.0-1.mga2
firefox-ca-24.0-1.mga2
firefox-cs-24.0-1.mga2
firefox-csb-24.0-1.mga2
firefox-cy-24.0-1.mga2
firefox-da-24.0-1.mga2
firefox-de-24.0-1.mga2
firefox-devel-24.0-1.mga2
firefox-el-24.0-1.mga2
firefox-en_GB-24.0-1.mga2
firefox-en_ZA-24.0-1.mga2
firefox-eo-24.0-1.mga2
firefox-es_AR-24.0-1.mga2
firefox-es_CL-24.0-1.mga2
firefox-es_ES-24.0-1.mga2
firefox-es_MX-24.0-1.mga2
firefox-et-24.0-1.mga2
firefox-eu-24.0-1.mga2
firefox-fa-24.0-1.mga2
firefox-ff-24.0-1.mga2
firefox-fi-24.0-1.mga2
firefox-fr-24.0-1.mga2
firefox-fy-24.0-1.mga2
firefox-ga_IE-24.0-1.mga2
firefox-gd-24.0-1.mga2
firefox-gl-24.0-1.mga2
firefox-gu_IN-24.0-1.mga2
firefox-he-24.0-1.mga2
firefox-hi-24.0-1.mga2
firefox-hr-24.0-1.mga2
firefox-hu-24.0-1.mga2
firefox-hy-24.0-1.mga2
firefox-id-24.0-1.mga2
firefox-is-24.0-1.mga2
firefox-it-24.0-1.mga2
firefox-ja-24.0-1.mga2
firefox-kk-24.0-1.mga2
firefox-km-24.0-1.mga2
firefox-kn-24.0-1.mga2
firefox-ko-24.0-1.mga2
firefox-ku-24.0-1.mga2
firefox-lg-24.0-1.mga2
firefox-lij-24.0-1.mga2
firefox-lt-24.0-1.mga2
firefox-lv-24.0-1.mga2
firefox-mai-24.0-1.mga2
firefox-mk-24.0-1.mga2
firefox-ml-24.0-1.mga2
firefox-mr-24.0-1.mga2
firefox-nb_NO-24.0-1.mga2
firefox-nl-24.0-1.mga2
firefox-nn_NO-24.0-1.mga2
firefox-nso-24.0-1.mga2
firefox-or-24.0-1.mga2
firefox-pa_IN-24.0-1.mga2
firefox-pl-24.0-1.mga2
firefox-pt_BR-24.0-1.mga2
firefox-pt_PT-24.0-1.mga2
firefox-ro-24.0-1.mga2
firefox-ru-24.0-1.mga2
firefox-si-24.0-1.mga2
firefox-sk-24.0-1.mga2
firefox-sl-24.0-1.mga2
firefox-sq-24.0-1.mga2
firefox-sr-24.0-1.mga2
firefox-sv_SE-24.0-1.mga2
firefox-ta-24.0-1.mga2
firefox-ta_LK-24.0-1.mga2
firefox-te-24.0-1.mga2
firefox-th-24.0-1.mga2
firefox-tr-24.0-1.mga2
firefox-uk-24.0-1.mga2
firefox-vi-24.0-1.mga2
firefox-zh_CN-24.0-1.mga2
firefox-zh_TW-24.0-1.mga2
firefox-zu-24.0-1.mga2
libsqlite3-devel-3.7.17-1.mga3
libsqlite3-static-devel-3.7.17-1.mga3
libsqlite3_0-3.7.17-1.mga3
sqlite3-tcl-3.7.17-1.mga3
sqlite3-tools-3.7.17-1.mga3
lemon-3.7.17-1.mga3
rootcerts-20130411.00-1.mga3
rootcerts-java-20130411.00-1.mga3
libnspr-devel-4.10.1-1.mga3
libnspr4-4.10.1-1.mga3
libnss-devel-3.15.2-1.1.mga3
libnss-static-devel-3.15.2-1.1.mga3
libnss3-3.15.2-1.1.mga3
nss-3.15.2-1.1.mga3
nss-doc-3.15.2-1.1.mga3
firefox-24.0-1.mga3
firefox-af-24.0-1.mga3
firefox-ar-24.0-1.mga3
firefox-as-24.0-1.mga3
firefox-ast-24.0-1.mga3
firefox-be-24.0-1.mga3
firefox-bg-24.0-1.mga3
firefox-bn_BD-24.0-1.mga3
firefox-bn_IN-24.0-1.mga3
firefox-br-24.0-1.mga3
firefox-bs-24.0-1.mga3
firefox-ca-24.0-1.mga3
firefox-cs-24.0-1.mga3
firefox-csb-24.0-1.mga3
firefox-cy-24.0-1.mga3
firefox-da-24.0-1.mga3
firefox-de-24.0-1.mga3
firefox-devel-24.0-1.mga3
firefox-el-24.0-1.mga3
firefox-en_GB-24.0-1.mga3
firefox-en_ZA-24.0-1.mga3
firefox-eo-24.0-1.mga3
firefox-es_AR-24.0-1.mga3
firefox-es_CL-24.0-1.mga3
firefox-es_ES-24.0-1.mga3
firefox-es_MX-24.0-1.mga3
firefox-et-24.0-1.mga3
firefox-eu-24.0-1.mga3
firefox-fa-24.0-1.mga3
firefox-ff-24.0-1.mga3
firefox-fi-24.0-1.mga3
firefox-fr-24.0-1.mga3
firefox-fy-24.0-1.mga3
firefox-ga_IE-24.0-1.mga3
firefox-gd-24.0-1.mga3
firefox-gl-24.0-1.mga3
firefox-gu_IN-24.0-1.mga3
firefox-he-24.0-1.mga3
firefox-hi-24.0-1.mga3
firefox-hr-24.0-1.mga3
firefox-hu-24.0-1.mga3
firefox-hy-24.0-1.mga3
firefox-id-24.0-1.mga3
firefox-is-24.0-1.mga3
firefox-it-24.0-1.mga3
firefox-ja-24.0-1.mga3
firefox-kk-24.0-1.mga3
firefox-km-24.0-1.mga3
firefox-kn-24.0-1.mga3
firefox-ko-24.0-1.mga3
firefox-ku-24.0-1.mga3
firefox-lg-24.0-1.mga3
firefox-lij-24.0-1.mga3
firefox-lt-24.0-1.mga3
firefox-lv-24.0-1.mga3
firefox-mai-24.0-1.mga3
firefox-mk-24.0-1.mga3
firefox-ml-24.0-1.mga3
firefox-mr-24.0-1.mga3
firefox-nb_NO-24.0-1.mga3
firefox-nl-24.0-1.mga3
firefox-nn_NO-24.0-1.mga3
firefox-nso-24.0-1.mga3
firefox-or-24.0-1.mga3
firefox-pa_IN-24.0-1.mga3
firefox-pl-24.0-1.mga3
firefox-pt_BR-24.0-1.mga3
firefox-pt_PT-24.0-1.mga3
firefox-ro-24.0-1.mga3
firefox-ru-24.0-1.mga3
firefox-si-24.0-1.mga3
firefox-sk-24.0-1.mga3
firefox-sl-24.0-1.mga3
firefox-sq-24.0-1.mga3
firefox-sr-24.0-1.mga3
firefox-sv_SE-24.0-1.mga3
firefox-ta-24.0-1.mga3
firefox-ta_LK-24.0-1.mga3
firefox-te-24.0-1.mga3
firefox-th-24.0-1.mga3
firefox-tr-24.0-1.mga3
firefox-uk-24.0-1.mga3
firefox-vi-24.0-1.mga3
firefox-zh_CN-24.0-1.mga3
firefox-zh_TW-24.0-1.mga3
firefox-zu-24.0-1.mga3

from SRPMS:
sqlite3-3.7.17-1.mga2.src.rpm
rootcerts-20130411.00-1.mga2.src.rpm
nspr-4.10.1-1.mga2.src.rpm
nss-3.15.2-1.1.mga2.src.rpm
firefox-24.0-1.mga2.src.rpm
firefox-l10n-24.0-1.mga2.src.rpm
sqlite3-3.7.17-1.mga3.src.rpm
rootcerts-20130411.00-1.mga3.src.rpm
nspr-4.10.1-1.mga3.src.rpm
nss-3.15.2-1.1.mga3.src.rpm
firefox-24.0-1.mga3.src.rpm
firefox-l10n-24.0-1.mga3.src.rpm

CC: (none) => luigiwalser

David Walser 2013-10-15 03:09:39 CEST

Whiteboard: (none) => MGA2TOO

Comment 13 Oden Eriksson 2013-10-15 11:30:13 CEST
tb 24 has been submitted to mga 2 and 3.
Comment 14 David Walser 2013-10-15 16:09:33 CEST
Thanks Oden!

Thunderbird packages in updates_testing:
thunderbird-24.0.1-1.mga2
thunderbird-enigmail-24.0.1-1.mga2
nsinstall-24.0.1-1.mga2
thunderbird-ar-24.0.1-1.mga2
thunderbird-ast-24.0.1-1.mga2
thunderbird-be-24.0.1-1.mga2
thunderbird-bg-24.0.1-1.mga2
thunderbird-bn_BD-24.0.1-1.mga2
thunderbird-br-24.0.1-1.mga2
thunderbird-ca-24.0.1-1.mga2
thunderbird-cs-24.0.1-1.mga2
thunderbird-da-24.0.1-1.mga2
thunderbird-de-24.0.1-1.mga2
thunderbird-el-24.0.1-1.mga2
thunderbird-en_GB-24.0.1-1.mga2
thunderbird-es_AR-24.0.1-1.mga2
thunderbird-es_ES-24.0.1-1.mga2
thunderbird-et-24.0.1-1.mga2
thunderbird-eu-24.0.1-1.mga2
thunderbird-fi-24.0.1-1.mga2
thunderbird-fr-24.0.1-1.mga2
thunderbird-fy-24.0.1-1.mga2
thunderbird-ga-24.0.1-1.mga2
thunderbird-gd-24.0.1-1.mga2
thunderbird-gl-24.0.1-1.mga2
thunderbird-he-24.0.1-1.mga2
thunderbird-hr-24.0.1-1.mga2
thunderbird-hu-24.0.1-1.mga2
thunderbird-hy-24.0.1-1.mga2
thunderbird-id-24.0.1-1.mga2
thunderbird-is-24.0.1-1.mga2
thunderbird-it-24.0.1-1.mga2
thunderbird-ja-24.0.1-1.mga2
thunderbird-ko-24.0.1-1.mga2
thunderbird-lt-24.0.1-1.mga2
thunderbird-nb_NO-24.0.1-1.mga2
thunderbird-nl-24.0.1-1.mga2
thunderbird-nn_NO-24.0.1-1.mga2
thunderbird-pl-24.0.1-1.mga2
thunderbird-pa_IN-24.0.1-1.mga2
thunderbird-pt_BR-24.0.1-1.mga2
thunderbird-pt_PT-24.0.1-1.mga2
thunderbird-ro-24.0.1-1.mga2
thunderbird-ru-24.0.1-1.mga2
thunderbird-si-24.0.1-1.mga2
thunderbird-sk-24.0.1-1.mga2
thunderbird-sl-24.0.1-1.mga2
thunderbird-sq-24.0.1-1.mga2
thunderbird-sv_SE-24.0.1-1.mga2
thunderbird-ta_LK-24.0.1-1.mga2
thunderbird-tr-24.0.1-1.mga2
thunderbird-uk-24.0.1-1.mga2
thunderbird-vi-24.0.1-1.mga2
thunderbird-zh_CN-24.0.1-1.mga2
thunderbird-zh_TW-24.0.1-1.mga2
thunderbird-24.0.1-1.mga3
thunderbird-enigmail-24.0.1-1.mga3
nsinstall-24.0.1-1.mga3
thunderbird-ar-24.0.1-1.mga3
thunderbird-ast-24.0.1-1.mga3
thunderbird-be-24.0.1-1.mga3
thunderbird-bg-24.0.1-1.mga3
thunderbird-bn_BD-24.0.1-1.mga3
thunderbird-br-24.0.1-1.mga3
thunderbird-ca-24.0.1-1.mga3
thunderbird-cs-24.0.1-1.mga3
thunderbird-da-24.0.1-1.mga3
thunderbird-de-24.0.1-1.mga3
thunderbird-el-24.0.1-1.mga3
thunderbird-en_GB-24.0.1-1.mga3
thunderbird-es_AR-24.0.1-1.mga3
thunderbird-es_ES-24.0.1-1.mga3
thunderbird-et-24.0.1-1.mga3
thunderbird-eu-24.0.1-1.mga3
thunderbird-fi-24.0.1-1.mga3
thunderbird-fr-24.0.1-1.mga3
thunderbird-fy-24.0.1-1.mga3
thunderbird-ga-24.0.1-1.mga3
thunderbird-gd-24.0.1-1.mga3
thunderbird-gl-24.0.1-1.mga3
thunderbird-he-24.0.1-1.mga3
thunderbird-hr-24.0.1-1.mga3
thunderbird-hu-24.0.1-1.mga3
thunderbird-hy-24.0.1-1.mga3
thunderbird-id-24.0.1-1.mga3
thunderbird-is-24.0.1-1.mga3
thunderbird-it-24.0.1-1.mga3
thunderbird-ja-24.0.1-1.mga3
thunderbird-ko-24.0.1-1.mga3
thunderbird-lt-24.0.1-1.mga3
thunderbird-nb_NO-24.0.1-1.mga3
thunderbird-nl-24.0.1-1.mga3
thunderbird-nn_NO-24.0.1-1.mga3
thunderbird-pl-24.0.1-1.mga3
thunderbird-pa_IN-24.0.1-1.mga3
thunderbird-pt_BR-24.0.1-1.mga3
thunderbird-pt_PT-24.0.1-1.mga3
thunderbird-ro-24.0.1-1.mga3
thunderbird-ru-24.0.1-1.mga3
thunderbird-si-24.0.1-1.mga3
thunderbird-sk-24.0.1-1.mga3
thunderbird-sl-24.0.1-1.mga3
thunderbird-sq-24.0.1-1.mga3
thunderbird-sv_SE-24.0.1-1.mga3
thunderbird-ta_LK-24.0.1-1.mga3
thunderbird-tr-24.0.1-1.mga3
thunderbird-uk-24.0.1-1.mga3
thunderbird-vi-24.0.1-1.mga3
thunderbird-zh_CN-24.0.1-1.mga3
thunderbird-zh_TW-24.0.1-1.mga3

from SRPMS:
thunderbird-24.0.1-1.mga2.src.rpm
thunderbird-l10n-24.0.1-1.mga2.src.rpm
thunderbird-24.0.1-1.mga3.src.rpm
thunderbird-l10n-24.0.1-1.mga3.src.rpm
Comment 15 Olivier Delaune 2013-10-15 21:07:22 CEST
Firefox 24 tested on Mageia 3 64-bits. Everything works fine until now.

CC: (none) => olivier.delaune

Comment 16 Henrik Christiansen 2013-10-18 08:51:03 CEST
Firefox and Thunderbird 24 mga3 32bit. Everything seems to work until now.

CC: (none) => hc

Comment 17 Bill Wilkinson 2013-10-22 15:54:22 CEST
Although not using the packaged version of lightning, the package will also have to be updated to lightning 2.6.

CC: (none) => wrw105

David Walser 2013-10-23 15:05:06 CEST

Blocks: (none) => 11512

Comment 18 Bill Wilkinson 2013-10-24 02:44:37 CEST
Firefox extensions in the repositories all install and run under mga3-64
David Walser 2013-10-30 15:14:05 CET

Blocks: (none) => 11562

Comment 19 David Walser 2013-10-30 15:16:15 CET
Since Thunderbird 24 is causing issues for some people in Cauldron (at least with lightning) we'll handle the Thunderbird update separately later in Bug 11562.

Firefox has been updated to 24.1.0 in updates_testing, and it should be ready to test, and we should be able to push it once it has also been updated in Cauldron.  I haven't seen a freeze push request for it there yet.

Advisory to come soon.
Comment 20 David Walser 2013-10-30 15:37:19 CET
RedHat has issued an advisory on October 29:
https://rhn.redhat.com/errata/RHSA-2013-1476.html

They have updated to 17.0.10 but we are updating to 24.1.0.

Updated packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption failure
(CVE-2013-1739).

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to terminate
unexpectedly or, potentially, execute arbitrary code with the privileges of
the user running Firefox (CVE-2013-5590, CVE-2013-5597, CVE-2013-5599,
CVE-2013-5600, CVE-2013-5601, CVE-2013-5602).

It was found that the Firefox JavaScript engine incorrectly allocated
memory for certain functions. An attacker could combine this flaw with
other vulnerabilities to execute arbitrary code with the privileges of the
user running Firefox (CVE-2013-5595).

A flaw was found in the way Firefox handled certain Extensible Stylesheet
Language Transformations (XSLT) files. An attacker could combine this flaw
with other vulnerabilities to execute arbitrary code with the privileges of
the user running Firefox (CVE-2013-5604).

Additionally, the rootcerts, nspr, nss, and sqlite3 packages have been updated
to newer versions required by this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5604
http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
http://www.mozilla.org/security/announce/2013/mfsa2013-96.html
http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
http://www.mozilla.org/security/announce/2013/mfsa2013-101.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:257/
https://rhn.redhat.com/errata/RHSA-2013-1476.html
========================

Updated packages in core/updates_testing:
========================
libsqlite3-devel-3.7.17-1.mga2
libsqlite3-static-devel-3.7.17-1.mga2
libsqlite3_0-3.7.17-1.mga2
sqlite3-tcl-3.7.17-1.mga2
sqlite3-tools-3.7.17-1.mga2
lemon-3.7.17-1.mga2
rootcerts-20130411.00-1.mga2
rootcerts-java-20130411.00-1.mga2
libnspr-devel-4.10.1-1.mga2
libnspr4-4.10.1-1.mga2
libnss-devel-3.15.2-1.1.mga2
libnss-static-devel-3.15.2-1.1.mga2
libnss3-3.15.2-1.1.mga2
nss-3.15.2-1.1.mga2
nss-doc-3.15.2-1.1.mga2
firefox-24.1.0-1.mga2
firefox-devel-24.1.0-1.mga2
firefox-af-24.1.0-1.mga2
firefox-ar-24.1.0-1.mga2
firefox-as-24.1.0-1.mga2
firefox-ast-24.1.0-1.mga2
firefox-be-24.1.0-1.mga2
firefox-bg-24.1.0-1.mga2
firefox-bn_IN-24.1.0-1.mga2
firefox-bn_BD-24.1.0-1.mga2
firefox-br-24.1.0-1.mga2
firefox-bs-24.1.0-1.mga2
firefox-ca-24.1.0-1.mga2
firefox-cs-24.1.0-1.mga2
firefox-csb-24.1.0-1.mga2
firefox-cy-24.1.0-1.mga2
firefox-da-24.1.0-1.mga2
firefox-de-24.1.0-1.mga2
firefox-el-24.1.0-1.mga2
firefox-en_GB-24.1.0-1.mga2
firefox-en_ZA-24.1.0-1.mga2
firefox-eo-24.1.0-1.mga2
firefox-es_AR-24.1.0-1.mga2
firefox-es_CL-24.1.0-1.mga2
firefox-es_ES-24.1.0-1.mga2
firefox-es_MX-24.1.0-1.mga2
firefox-et-24.1.0-1.mga2
firefox-eu-24.1.0-1.mga2
firefox-fa-24.1.0-1.mga2
firefox-ff-24.1.0-1.mga2
firefox-fi-24.1.0-1.mga2
firefox-fr-24.1.0-1.mga2
firefox-fy-24.1.0-1.mga2
firefox-ga_IE-24.1.0-1.mga2
firefox-gd-24.1.0-1.mga2
firefox-gl-24.1.0-1.mga2
firefox-gu_IN-24.1.0-1.mga2
firefox-he-24.1.0-1.mga2
firefox-hi-24.1.0-1.mga2
firefox-hr-24.1.0-1.mga2
firefox-hu-24.1.0-1.mga2
firefox-hy-24.1.0-1.mga2
firefox-id-24.1.0-1.mga2
firefox-is-24.1.0-1.mga2
firefox-it-24.1.0-1.mga2
firefox-ja-24.1.0-1.mga2
firefox-kk-24.1.0-1.mga2
firefox-ko-24.1.0-1.mga2
firefox-km-24.1.0-1.mga2
firefox-kn-24.1.0-1.mga2
firefox-ku-24.1.0-1.mga2
firefox-lg-24.1.0-1.mga2
firefox-lij-24.1.0-1.mga2
firefox-lt-24.1.0-1.mga2
firefox-lv-24.1.0-1.mga2
firefox-mai-24.1.0-1.mga2
firefox-mk-24.1.0-1.mga2
firefox-ml-24.1.0-1.mga2
firefox-mr-24.1.0-1.mga2
firefox-nb_NO-24.1.0-1.mga2
firefox-nl-24.1.0-1.mga2
firefox-nn_NO-24.1.0-1.mga2
firefox-nso-24.1.0-1.mga2
firefox-or-24.1.0-1.mga2
firefox-pa_IN-24.1.0-1.mga2
firefox-pl-24.1.0-1.mga2
firefox-pt_BR-24.1.0-1.mga2
firefox-pt_PT-24.1.0-1.mga2
firefox-ro-24.1.0-1.mga2
firefox-ru-24.1.0-1.mga2
firefox-si-24.1.0-1.mga2
firefox-sk-24.1.0-1.mga2
firefox-sl-24.1.0-1.mga2
firefox-sq-24.1.0-1.mga2
firefox-sr-24.1.0-1.mga2
firefox-sv_SE-24.1.0-1.mga2
firefox-ta-24.1.0-1.mga2
firefox-ta_LK-24.1.0-1.mga2
firefox-te-24.1.0-1.mga2
firefox-th-24.1.0-1.mga2
firefox-tr-24.1.0-1.mga2
firefox-uk-24.1.0-1.mga2
firefox-vi-24.1.0-1.mga2
firefox-zh_CN-24.1.0-1.mga2
firefox-zh_TW-24.1.0-1.mga2
firefox-zu-24.1.0-1.mga2
libsqlite3-devel-3.7.17-1.mga3
libsqlite3-static-devel-3.7.17-1.mga3
libsqlite3_0-3.7.17-1.mga3
sqlite3-tcl-3.7.17-1.mga3
sqlite3-tools-3.7.17-1.mga3
lemon-3.7.17-1.mga3
rootcerts-20130411.00-1.mga3
rootcerts-java-20130411.00-1.mga3
libnspr-devel-4.10.1-1.mga3
libnspr4-4.10.1-1.mga3
libnss-devel-3.15.2-1.1.mga3
libnss-static-devel-3.15.2-1.1.mga3
libnss3-3.15.2-1.1.mga3
nss-3.15.2-1.1.mga3
nss-doc-3.15.2-1.1.mga3
firefox-24.1.0-1.mga3
firefox-devel-24.1.0-1.mga3
firefox-af-24.1.0-1.mga3
firefox-ar-24.1.0-1.mga3
firefox-as-24.1.0-1.mga3
firefox-ast-24.1.0-1.mga3
firefox-be-24.1.0-1.mga3
firefox-bg-24.1.0-1.mga3
firefox-bn_IN-24.1.0-1.mga3
firefox-bn_BD-24.1.0-1.mga3
firefox-br-24.1.0-1.mga3
firefox-bs-24.1.0-1.mga3
firefox-ca-24.1.0-1.mga3
firefox-cs-24.1.0-1.mga3
firefox-csb-24.1.0-1.mga3
firefox-cy-24.1.0-1.mga3
firefox-da-24.1.0-1.mga3
firefox-de-24.1.0-1.mga3
firefox-el-24.1.0-1.mga3
firefox-en_GB-24.1.0-1.mga3
firefox-en_ZA-24.1.0-1.mga3
firefox-eo-24.1.0-1.mga3
firefox-es_AR-24.1.0-1.mga3
firefox-es_CL-24.1.0-1.mga3
firefox-es_ES-24.1.0-1.mga3
firefox-es_MX-24.1.0-1.mga3
firefox-et-24.1.0-1.mga3
firefox-eu-24.1.0-1.mga3
firefox-fa-24.1.0-1.mga3
firefox-ff-24.1.0-1.mga3
firefox-fi-24.1.0-1.mga3
firefox-fr-24.1.0-1.mga3
firefox-fy-24.1.0-1.mga3
firefox-ga_IE-24.1.0-1.mga3
firefox-gd-24.1.0-1.mga3
firefox-gl-24.1.0-1.mga3
firefox-gu_IN-24.1.0-1.mga3
firefox-he-24.1.0-1.mga3
firefox-hi-24.1.0-1.mga3
firefox-hr-24.1.0-1.mga3
firefox-hu-24.1.0-1.mga3
firefox-hy-24.1.0-1.mga3
firefox-id-24.1.0-1.mga3
firefox-is-24.1.0-1.mga3
firefox-it-24.1.0-1.mga3
firefox-ja-24.1.0-1.mga3
firefox-kk-24.1.0-1.mga3
firefox-ko-24.1.0-1.mga3
firefox-km-24.1.0-1.mga3
firefox-kn-24.1.0-1.mga3
firefox-ku-24.1.0-1.mga3
firefox-lg-24.1.0-1.mga3
firefox-lij-24.1.0-1.mga3
firefox-lt-24.1.0-1.mga3
firefox-lv-24.1.0-1.mga3
firefox-mai-24.1.0-1.mga3
firefox-mk-24.1.0-1.mga3
firefox-ml-24.1.0-1.mga3
firefox-mr-24.1.0-1.mga3
firefox-nb_NO-24.1.0-1.mga3
firefox-nl-24.1.0-1.mga3
firefox-nn_NO-24.1.0-1.mga3
firefox-nso-24.1.0-1.mga3
firefox-or-24.1.0-1.mga3
firefox-pa_IN-24.1.0-1.mga3
firefox-pl-24.1.0-1.mga3
firefox-pt_BR-24.1.0-1.mga3
firefox-pt_PT-24.1.0-1.mga3
firefox-ro-24.1.0-1.mga3
firefox-ru-24.1.0-1.mga3
firefox-si-24.1.0-1.mga3
firefox-sk-24.1.0-1.mga3
firefox-sl-24.1.0-1.mga3
firefox-sq-24.1.0-1.mga3
firefox-sr-24.1.0-1.mga3
firefox-sv_SE-24.1.0-1.mga3
firefox-ta-24.1.0-1.mga3
firefox-ta_LK-24.1.0-1.mga3
firefox-te-24.1.0-1.mga3
firefox-th-24.1.0-1.mga3
firefox-tr-24.1.0-1.mga3
firefox-uk-24.1.0-1.mga3
firefox-vi-24.1.0-1.mga3
firefox-zh_CN-24.1.0-1.mga3
firefox-zh_TW-24.1.0-1.mga3
firefox-zu-24.1.0-1.mga3

from SRPMS:
sqlite3-3.7.17-1.mga2.src.rpm
rootcerts-20130411.00-1.mga2.src.rpm
nspr-4.10.1-1.mga2.src.rpm
nss-3.15.2-1.1.mga2.src.rpm
firefox-24.1.0-1.mga2.src.rpm
firefox-l10n-24.1.0-1.mga2.src.rpm
sqlite3-3.7.17-1.mga3.src.rpm
rootcerts-20130411.00-1.mga3.src.rpm
nspr-4.10.1-1.mga3.src.rpm
nss-3.15.2-1.1.mga3.src.rpm
firefox-24.1.0-1.mga3.src.rpm
firefox-l10n-24.1.0-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

David Walser 2013-10-30 15:38:18 CET

Summary: Firefox ESR 17 EOL => firefox update to 24esr (24.1.0) for stable
Source RPM: (none) => firefox, firefox-l10n, sqlite3, rootcerts, nss, nspr

David Walser 2013-10-30 15:41:41 CET

Blocks: (none) => 10707

Comment 21 Oden Eriksson 2013-10-30 17:18:42 CET
tb 24.1.0 has also been submitted.
Comment 22 David Walser 2013-10-30 17:49:18 CET
(In reply to Oden Eriksson from comment #21)
> tb 24.1.0 has also been submitted.

Thanks.  I've posted updated information for this in Bug 11562.
Comment 23 William Kenney 2013-10-30 17:56:27 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
firefox

[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 14:04:55 UTC 2013 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-5.mga3.i586 is already installed

Browser working normally

Install firefox updates from core updates_testing.

The following 10 packages are going to be installed:

- firefox-24.0-1.mga3.i586
- firefox-en_GB-24.0-1.mga3.noarch
- firefox-en_ZA-24.0-1.mga3.noarch
- glibc-2.17-7.2.mga3.i586
- glibc-devel-2.17-7.2.mga3.i586
- libnspr4-4.10.1-1.mga3.i586
- libnss3-3.15.2-1.1.mga3.i586
- libsqlite3_0-3.7.17-1.mga3.i586
- meta-task-3-43.mga3.noarch
- sqlite3-tools-3.7.17-1.mga3.i586

Reboot system for glibc

[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 14:04:55 UTC 2013 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-7.2.mga3.i586 is already installed

Browser working normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int

Comment 24 William Kenney 2013-10-30 17:56:56 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
firefox

[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 13:56:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-5.mga3.x86_64 is already installed

Browser working normally

Install firefox updates from core updates_testing.

The following 10 packages are going to be installed:

- firefox-24.0-1.mga3.x86_64
- firefox-en_GB-24.0-1.mga3.noarch
- firefox-en_ZA-24.0-1.mga3.noarch
- glibc-2.17-7.2.mga3.x86_64
- glibc-devel-2.17-7.2.mga3.x86_64
- lib64nspr4-4.10.1-1.mga3.x86_64
- lib64nss3-3.15.2-1.1.mga3.x86_64
- lib64sqlite3_0-3.7.17-1.mga3.x86_64
- meta-task-3-43.mga3.noarch
- sqlite3-tools-3.7.17-1.mga3.x86_64

Reboot system for glibc

[root@localhost wilcal]# uname -a
Linux localhost 3.8.13.4-desktop-1.mga3 #1 SMP Thu Jul 4 13:56:21 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga3.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.17-7.2.mga3.x86_64 is already installed

Browser working normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 25 William Kenney 2013-10-30 17:57:21 CET
In VirtualBox, M2, KDE, 32-bit

Package(s) under test:
firefox

[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:31:09 UTC 2013 i686 i686 i386 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-10.mga2.i586 is already installed

Browser working normally

Install firefox updates from core updates_testing.

The following 9 packages are going to be installed:

- firefox-24.0-1.mga2.i586
- firefox-en_GB-24.0-1.mga2.noarch
- firefox-en_ZA-24.0-1.mga2.noarch
- glibc-2.14.1-11.2.mga2.i586
- libnspr4-4.10.1-1.mga2.i586
- libnss3-3.15.2-1.1.mga2.i586
- libsqlite3_0-3.7.17-1.mga2.i586
- rpmdrake-5.34.1-1.mga2.noarch
- sqlite3-tools-3.7.17-1.mga2.i586

Reboot system for glibc

[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:31:09 UTC 2013 i686 i686 i386 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga2.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-11.2.mga2.i586 is already installed

Browser working normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 26 William Kenney 2013-10-30 17:57:45 CET
In VirtualBox, M2, KDE, 64-bit

Package(s) under test:
firefox

[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:23:54 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-17.0.9-1.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-17.0.9-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-10.mga2.x86_64 is already installed

Browser working normally

Install firefox updates from core updates_testing.

The following 8 packages are going to be installed:

- firefox-24.0-1.mga2.x86_64
- firefox-en_GB-24.0-1.mga2.noarch
- firefox-en_ZA-24.0-1.mga2.noarch
- glibc-2.14.1-11.2.mga2.x86_64
- lib64nspr4-4.10.1-1.mga2.x86_64
- lib64nss3-3.15.2-1.1.mga2.x86_64
- lib64sqlite3_0-3.7.17-1.mga2.x86_64
- sqlite3-tools-3.7.17-1.mga2.x86_64

[root@localhost wilcal]# uname -a
Linux localhost 3.4.52-desktop-1.mga2 #1 SMP Thu Jul 4 07:23:54 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi firefox
Package firefox-24.0-1.mga2.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_ZA
Package firefox-en_ZA-24.0-1.mga2.noarch is already installed
[root@localhost wilcal]# urpmi glibc
Package glibc-2.14.1-11.2.mga2.x86_64 is already installed

Browser working normally

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
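
An added example, not part of the original thread: a check that the packages installed on a test machine meet the versions listed in the Comment 20 advisory. The installed-package sample is constructed from the Mageia 3 32-bit install list in Comment 23, the function names are hypothetical, and the version comparison is a simplified form of RPM's segment-wise ordering (no epoch or tilde handling).

```python
import re

# Fixed versions copied from the Mageia 3 package list in the Comment 20 advisory
# (32-bit library names, as they appear in that list).
ADVISORY_MGA3 = {
    "firefox": "24.1.0-1.mga3",
    "libnspr4": "4.10.1-1.mga3",
    "libnss3": "3.15.2-1.1.mga3",
    "libsqlite3_0": "3.7.17-1.mga3",
    "rootcerts": "20130411.00-1.mga3",
}

# Constructed sample in `rpm -qa` form, modelled on the install list in Comment 23.
INSTALLED = """\
firefox-24.0-1.mga3.i586
firefox-en_GB-24.0-1.mga3.noarch
libnspr4-4.10.1-1.mga3.i586
libnss3-3.15.2-1.1.mga3.i586
libsqlite3_0-3.7.17-1.mga3.i586
"""


def split_nvra(line):
    """Split 'name-version-release.arch' into its four parts."""
    nvr, arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def segments(s):
    """Break a version or release string into runs of digits or letters."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def vercmp(a, b):
    """Return -1, 0 or 1. Simplified RPM ordering: numeric segments compare as
    integers, a numeric segment is newer than an alphabetic one, and the string
    with segments left over is newer."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue  # e.g. "00" vs "0"
        if xd != yd:
            return 1 if xd else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def audit(installed_text, advisory):
    """Map each advisory package to 'ok', 'outdated' or 'missing'."""
    installed = {}
    for line in installed_text.split():
        name, version, release, _arch = split_nvra(line)
        installed[name] = (version, release)

    report = {}
    for name, fixed in advisory.items():
        if name not in installed:
            report[name] = "missing"
            continue
        fixed_version, fixed_release = fixed.split("-", 1)
        version, release = installed[name]
        # Compare version first; fall back to release only when versions tie.
        order = vercmp(version, fixed_version) or vercmp(release, fixed_release)
        report[name] = "outdated" if order < 0 else "ok"
    return report


if __name__ == "__main__":
    # On the constructed sample, firefox 24.0-1 is older than the advisory's
    # 24.1.0-1, and rootcerts does not appear in the install list at all.
    for pkg, status in audit(INSTALLED, ADVISORY_MGA3).items():
        print(f"{pkg:15} {status}")
```
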
Comment 27 William Kenney 2013-10-30 17:59:55 CET
glibc is very dynamic right now. Is this testing going to have
to be repeated as the new glib version(s) is/are released?
Comment 28 David Walser 2013-10-30 18:10:36 CET
(In reply to William Kenney from comment #27)
> glibc is very dynamic right now. Is this testing going to have
> to be repeated as the new glib version(s) is/are released?

Please note that glibc and glib are two different things, I've seen a couple of people confusing these on IRC.

The glibc update has nothing to do with the Firefox update.  It shouldn't have any effect on it either way, so it should be OK if you have it installed while testing this.  If you're using mgaapplet to test installing updates, it'll force you to install the glibc update since it's a priority update package.  Perhaps adding it to skip.list would allow avoiding this, but it shouldn't be a big deal.
David Walser 2013-10-30 18:13:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/572275/

Comment 29 William Kenney 2013-10-31 03:52:27 CET
On real hardware, M3, KDE, 64-bit

Package(s) under test:
firefox

Same results as in Comment 24

Update to Firefox 24 then reboot
Browser working normally

Test platform:
Dell Vostro 1015 Laptop
-----------------------
Celeron  925  2.3Ghz  64-bit  1MB L2 cache  800Mhz FSB  45nm
RTL8111/8168B PCI Express 1Gbit Ethernet
Atheros AR9285 WiFi adapter
Comment 30 Oden Eriksson 2013-10-31 09:01:52 CET
======================================================
Name: CVE-2013-5590
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5590
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=860123
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=893572

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before
24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10,
and SeaMonkey before 2.22 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.



======================================================
Name: CVE-2013-5591
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5591
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=859892

Unspecified vulnerability in the browser engine in Mozilla Firefox
before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1,
and SeaMonkey before 2.22 allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.



======================================================
Name: CVE-2013-5592
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5592
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=880544
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=886102
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=887921
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=912534

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 25.0 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.



======================================================
Name: CVE-2013-5593
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5593
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-94.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=868327

The SELECT element implementation in Mozilla Firefox before 25.0,
Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey
before 2.22 does not properly restrict the nature or placement of HTML
within a dropdown menu, which allows remote attackers to spoof the
address bar or conduct clickjacking attacks via vectors that trigger
navigation off of a page containing this element.



======================================================
Name: CVE-2013-5595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5595
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-96.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916580

The JavaScript engine in Mozilla Firefox before 25.0, Firefox ESR 17.x
before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1,
Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does
not properly allocate memory for unspecified functions, which allows
remote attackers to conduct buffer overflow attacks via a crafted web
page.



======================================================
Name: CVE-2013-5596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5596
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-97.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=910881

The cycle collection (CC) implementation in Mozilla Firefox before
25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and
SeaMonkey before 2.22 does not properly determine the thread for
release of an image object, which allows remote attackers to execute
arbitrary code or cause a denial of service (race condition and
application crash) via a large HTML document containing IMG elements,
as demonstrated by the Never-Ending Reddit on reddit.com.



======================================================
Name: CVE-2013-5597
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5597
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=918864

Use-after-free vulnerability in the nsDocLoader::doStopDocumentLoad
function in Mozilla Firefox before 25.0, Firefox ESR 17.x before
17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR
17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers
to execute arbitrary code or cause a denial of service (heap memory
corruption) via vectors involving a state-change event during an
update of the offline cache.



======================================================
Name: CVE-2013-5598
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5598
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-99.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=920515

PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1
does not properly handle the appending of an IFRAME element, which
allows remote attackers to read arbitrary files or execute arbitrary
JavaScript code with chrome privileges by using this element within an
embedded PDF object.



======================================================
Name: CVE-2013-5599
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5599
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=915210

Use-after-free vulnerability in the nsIPresShell::GetPresContext
function in the PresShell (aka presentation shell) implementation in
Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x
before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before
17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory corruption
and application crash) via vectors involving a CANVAS element, a
mozTextStyle attribute, and an onresize event.



======================================================
Name: CVE-2013-5600
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5600
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916576

Use-after-free vulnerability in the
nsIOService::NewChannelFromURIWithProxyFlags function in Mozilla
Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before
24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10,
and SeaMonkey before 2.22 allows remote attackers to execute arbitrary
code via vectors involving a blob: URL.



======================================================
Name: CVE-2013-5601
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5601
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916685

Use-after-free vulnerability in the
nsEventListenerManager::SetEventHandler function in Mozilla Firefox
before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and
SeaMonkey before 2.22 allows remote attackers to execute arbitrary
code via vectors related to a memory allocation through the garbage
collection (GC) API.



======================================================
Name: CVE-2013-5602
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5602
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-101.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=897678

The Worker::SetEventListener function in the Web workers
implementation in Mozilla Firefox before 25.0, Firefox ESR 17.x before
17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR
17.x before 17.0.10, and SeaMonkey before 2.22 allows remote attackers
to execute arbitrary code or cause a denial of service (memory
corruption) via vectors related to direct proxies.



======================================================
Name: CVE-2013-5603
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5603
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-102.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=916404

Use-after-free vulnerability in the
nsContentUtils::ContentIsHostIncludingDescendantOf function in Mozilla
Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before
24.1, and SeaMonkey before 2.22 allows remote attackers to execute
arbitrary code or cause a denial of service (heap memory corruption)
via vectors involving HTML document templates.



======================================================
Name: CVE-2013-5604
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5604
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130826
Category: 
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=914017

The txXPathNodeUtils::getBaseURI function in the XSLT processor in
Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x
before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before
17.0.10, and SeaMonkey before 2.22 does not properly initialize data,
which allows remote attackers to execute arbitrary code or cause a
denial of service (stack-based buffer overflow and application crash)
via crafted documents.
Comment 31 claire robinson 2013-10-31 14:50:39 CET
Testing mga2 32

Nothing notable to report, tested everything I can think of.

Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok

Comment 32 Bill Wilkinson 2013-10-31 14:56:20 CET
mga3-64 does well in the usual (java, js, youtube, general browsing) categories for me.

Whiteboard: MGA2TOO mga2-32-ok => MGA2TOO mga2-32-ok mga3-64-ok

Comment 33 David Walser 2013-10-31 17:38:44 CET
Firefox 24.1.0 is now uploaded in Cauldron.
Comment 34 William Kenney 2013-10-31 17:41:20 CET
I wanted to mention that one of the big differences between FF17 & FF24
is that 24 uses native hardware acceleration for video. Or it says it does.
So you should see an improvement in things like flash videos.
Comment 35 Samuel Verschelde 2013-11-04 14:57:44 CET
Testing general use on mga2-64. No problem so far.

CC: (none) => stormi
Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok => MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok?

Comment 36 Shlomi Fish 2013-11-04 18:54:46 CET
mga3-64 appears to work in a VirtualBox VM.

CC: (none) => shlomif

Comment 37 Claus Reheis 2013-11-04 22:25:49 CET
Testing general use on mga3-64. No problem so far.

CC: (none) => rehcla.mailinglist
Hardware: i586 => x86_64

David Walser 2013-11-04 23:03:25 CET

Hardware: x86_64 => All

claire robinson 2013-11-05 08:01:47 CET

Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok? => MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok mga3-32-ok

Comment 38 claire robinson 2013-11-05 08:28:25 CET
Holding validation as a potential issue has been reported in bug 11597.
Comment 39 Samuel Verschelde 2013-11-05 10:36:42 CET
Little issues: i18n regressions in French. There are untranslated strings. Maybe they changed them and didn't update in time.

Right click on a tab and see:
- Pin Tab
- Close Tabs To The Right

Also, in the Préférences dialog, most recent additions are still untranslated. 

This is an upstream bug, but not very good for people who don't understand English. This ESR edition looks like an unfinished product.
Comment 40 Samuel Verschelde 2013-11-06 18:20:54 CET
Whereas in firefox 17 it would offer to open .urpmi files with Gurpmi, firefox 24 from updates_testing doesn't offer that anymore. Which makes the "install" buttons in Mageia App Db useless.

Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga2-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga3-64-ok mga3-32-ok

Comment 41 Samuel Verschelde 2013-11-06 19:15:35 CET
(In reply to Samuel VERSCHELDE from comment #40)
> Whereas in firefox 17 it would offer to open .urpmi files with Gurpmi,
> firefox 24 from updates_testing doesn't offer that anymore. Which makes the
> "install" buttons in Mageia App Db useless.

napcok helped me to find the cause for this one. Adding an HTTP header to the generated .urpmi file solves the problem.
Comment 42 claire robinson 2013-11-06 19:54:51 CET
Can anybody reproduce the graphical corruption in bug 11597?

It could be a driver issue perhaps.

We can't hold this one for long as it is a security update on widely used software.
Comment 43 David Walser 2013-11-06 20:42:51 CET
It would be a royal pain, but the other possible option would be issuing 17.0.10 as the update instead of 24.1.0, but we'd still have to deal with 24 for the next update.
Comment 44 Shlomi Fish 2013-11-07 07:09:40 CET
Hi Claire,

(In reply to claire robinson from comment #42)
> Can anybody reproduce the graphical corruption in bug 11597?
> 

I cannot reproduce it here inside a VirtualBox VM, running on this computer:

«
 My primary machine is a desktop machine with a:

    An Intel Core i3 CPU (x86-64).
    8 GB of RAM.
    Intel Corporation Sandy Bridge Integrated Graphics Controller (rev 09)
    A 2 TB hard-disk.
    A 21×´ Wide LCD Screen by LG.
    Intel Corporation Cougar Point High Definition Audio Controller.
    Intel Corporation 82579V Gigabit Network Connection.
»

> It could be a driver issue perhaps.

Yes, please ask the reporter what his drivers are and if he can try switching to VESA and/or a different driver.

Regards,

-- Shlomi Fish

> 
> We can't hold this one for long as it is a security update on widely used
> software.
claire robinson 2013-11-09 10:26:45 CET

Whiteboard: MGA2TOO mga2-32-ok mga3-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok

claire robinson 2013-11-09 10:33:26 CET

Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok => advisory MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok

claire robinson 2013-11-09 10:33:54 CET

Whiteboard: advisory MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok => MGA2TOO mga2-32-ok mga2-64-ok advisory mga3-64-ok mga3-32-ok

Comment 45 claire robinson 2013-11-09 10:39:47 CET
Bug 11597 has been closed as invalid. Also, nobody has so far been able to reproduce the issue mentioned there.

Validating the update. Advisory uploaded previously. Please note also a new 'advisory' tag in the whiteboard we will use when the advisory has been uploaded which is displayed on QA list as a * in the first column. Thank you to Stormi for this. http://mageia.madb.org/tools/updates

Thank you everybody for getting involved in testing this update.

Could sysadmin please push from 2&3 core/updates_testing to updates?

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 46 Thomas Backlund 2013-11-09 20:18:15 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0320.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 47 Daniel Kjellin 2013-11-12 09:53:30 CET
My guess is that the update of sqlite3 broke Evolution under Mageia 2. I posted to the discuss list with the following information:

I installed updates last night and today Evolution does not start. I
tried running it from the console to see if I could get any more
information; this is what I saw:
$evolution

(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn
SpamAssassin (/usr/bin/spamc --no-safe-fallback --socket ): Failed to
execute child process "/usr/bin/spamc" (No such file or directory)

(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn
SpamAssassin (/usr/bin/spamd --socketpath /home/daniel/.cache/evolution/
tmp/spamd-socket-path-6RWH6W --local --max-children=1 --pidfile /home/
daniel/.cache/evolution/tmp/spamd-pid-file-9QWH6W): Failed to execute
child process "/usr/bin/spamd" (No such file or directory)

(evolution:16516): evolution-spamassassin-WARNING **: Failed to spawn
SpamAssassin (/usr/bin/spamc --learntype=forget): Failed to execute child
process "/usr/bin/spamc" (No such file or directory)
(and the process hangs, but no UI visible)

So perhaps spam assassin was the problem then, I thought, so I removed
spam assassin
$ evolution

(evolution:16675): evolution-spamassassin-WARNING **: Failed to spawn
SpamAssassin (/usr/bin/sa-learn --version): Failed to execute child
process "/usr/bin/sa-learn" (No such file or directory)

Still not starting. I installed spam assassin again, but it did not help
at all.

Looking at dependencies and at the advisory website, my guess would be that
the update to sqlite3 broke Evolution. I don't know if it needs to be re-built
against the new version or not, but that is my guess. Perhaps someone with a
bit more know-how can advise.

I will raise a separate ticket for Evolution not starting.

CC: (none) => mandriva

Daniel Kjellin 2013-11-12 09:59:25 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=11654

Comment 48 claire robinson 2013-11-13 08:16:42 CET
Also reported in bug 11660 with possible fix so this round of updates has caused a regression in evolution in mga2. No problems in mga3 that I've noticed.
Comment 49 claire robinson 2013-11-13 08:17:44 CET
Daniel created bug 11654
Comment 50 claire robinson 2013-11-13 08:19:40 CET
Other packages updated were chromium-browser-stable, timezone & squidguard
Comment 51 claire robinson 2013-11-13 08:38:53 CET
Could be a timezone issue actually. Running under strace and killing with ctrl-c after a while shows it stops here..

open("/usr/share/zoneinfo/Cuba", O_RDONLY) = -1 ENOENT (No such file or directory)
futex(0xb766cbac, FUTEX_WAIT_PRIVATE, 2, NULL) = ? ERESTARTSYS (To be restarted)
--- {si_signo=SIGINT, si_code=SI_KERNEL} (Interrupt) ---
+++ killed by SIGINT +++


$ ls /usr/share/zoneinfo/
Africa/   Antarctica/  Asia/      Australia/  Canada/  Etc/     Indian/      Mexico/   Pacific/  posixrules  US/
America/  Arctic/      Atlantic/  Brazil/     Chile/   Europe/  iso3166.tab  Mideast/  posix@    right/      zone.tab


No errors are shown on cli.
Comment 52 claire robinson 2013-11-13 08:45:34 CET
$ find /usr/share/zoneinfo/ -name Cuba
/usr/share/zoneinfo/right/Cuba
Comment 53 claire robinson 2013-11-13 08:52:30 CET
# ln -s /usr/share/zoneinfo/right/Cuba /usr/share/zoneinfo/Cuba

It then stops at the next one, Egypt.

I think timezone has caused the regression rather than sqlite so moving to the timezone bug 11559
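
The strace-and-symlink loop in comments 51 to 53 finds one missing zone per run (Cuba, then Egypt). As an added example that is not part of the original thread, this shell function lists every such zone in one pass; the function names and the sample tree are constructed for illustration, and it assumes the `right/` subtree is intact, as the `find` output in comment 52 suggests.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# Print every zone that exists under <root>/right/ but has no counterpart at
# <root>/ (the pattern seen in comments 51-53: right/Cuba present, Cuba absent).
missing_toplevel_zones() {
    root=${1:-/usr/share/zoneinfo}
    if [ ! -d "$root/right" ]; then
        echo "no right/ tree under $root" >&2
        return 2
    fi
    ( cd "$root/right" && find . \( -type f -o -type l \) | sed 's|^\./||' | sort ) |
    while IFS= read -r zone; do
        # -e follows symlinks, so a dangling link counts as missing too.
        [ -e "$root/$zone" ] || printf '%s\n' "$zone"
    done
}

# Constructed sample tree mirroring the listing in comment 51: region
# directories are present, single-file zones such as Cuba and Egypt are not.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/right/Europe" "$dir/Europe"
    for z in Cuba Egypt Europe/Paris; do : > "$dir/right/$z"; done
    : > "$dir/Europe/Paris"
}

# Run the check against the constructed tree and clean up afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    missing_toplevel_zones "$tmp"
    rm -rf "$tmp"
}

demo
```

Run against the real tree with `missing_toplevel_zones /usr/share/zoneinfo`; an empty result means every zone under `right/` also resolves at the top level.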
