Upstream has released version 24.2 today (December 10) fixing several security issues:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
CC: (none) => fundawang
Whiteboard: (none) => MGA3TOO
rootcerts and nss packages are built (solving MFSA 2013-117), as are firefox and firefox-l10n. Now we just need thunderbird and thunderbird-l10n.

Packages built so far:
rootcerts-20131204.00-1.mga3 rootcerts-java-20131204.00-1.mga3 nss-3.15.3.1-1.mga3 nss-doc-3.15.3.1-1.mga3 libnss3-3.15.3.1-1.mga3 libnss-devel-3.15.3.1-1.mga3 libnss-static-devel-3.15.3.1-1.mga3
firefox-24.2.0-1.mga3 firefox-devel-24.2.0-1.mga3 firefox-af-24.2.0-1.mga3 firefox-ar-24.2.0-1.mga3 firefox-as-24.2.0-1.mga3 firefox-ast-24.2.0-1.mga3 firefox-be-24.2.0-1.mga3 firefox-bg-24.2.0-1.mga3 firefox-bn_IN-24.2.0-1.mga3 firefox-bn_BD-24.2.0-1.mga3 firefox-br-24.2.0-1.mga3 firefox-bs-24.2.0-1.mga3 firefox-ca-24.2.0-1.mga3 firefox-cs-24.2.0-1.mga3 firefox-csb-24.2.0-1.mga3 firefox-cy-24.2.0-1.mga3 firefox-da-24.2.0-1.mga3 firefox-de-24.2.0-1.mga3 firefox-el-24.2.0-1.mga3 firefox-en_GB-24.2.0-1.mga3 firefox-en_ZA-24.2.0-1.mga3 firefox-eo-24.2.0-1.mga3 firefox-es_AR-24.2.0-1.mga3 firefox-es_CL-24.2.0-1.mga3 firefox-es_ES-24.2.0-1.mga3 firefox-es_MX-24.2.0-1.mga3 firefox-et-24.2.0-1.mga3 firefox-eu-24.2.0-1.mga3 firefox-fa-24.2.0-1.mga3 firefox-ff-24.2.0-1.mga3 firefox-fi-24.2.0-1.mga3 firefox-fr-24.2.0-1.mga3 firefox-fy-24.2.0-1.mga3 firefox-ga_IE-24.2.0-1.mga3 firefox-gd-24.2.0-1.mga3 firefox-gl-24.2.0-1.mga3 firefox-gu_IN-24.2.0-1.mga3 firefox-he-24.2.0-1.mga3 firefox-hi-24.2.0-1.mga3 firefox-hr-24.2.0-1.mga3 firefox-hu-24.2.0-1.mga3 firefox-hy-24.2.0-1.mga3 firefox-id-24.2.0-1.mga3 firefox-is-24.2.0-1.mga3 firefox-it-24.2.0-1.mga3 firefox-ja-24.2.0-1.mga3 firefox-kk-24.2.0-1.mga3 firefox-ko-24.2.0-1.mga3 firefox-km-24.2.0-1.mga3 firefox-kn-24.2.0-1.mga3 firefox-ku-24.2.0-1.mga3 firefox-lg-24.2.0-1.mga3 firefox-lij-24.2.0-1.mga3 firefox-lt-24.2.0-1.mga3 firefox-lv-24.2.0-1.mga3 firefox-mai-24.2.0-1.mga3 firefox-mk-24.2.0-1.mga3 firefox-ml-24.2.0-1.mga3 firefox-mr-24.2.0-1.mga3 firefox-nb_NO-24.2.0-1.mga3 firefox-nl-24.2.0-1.mga3 firefox-nn_NO-24.2.0-1.mga3 firefox-nso-24.2.0-1.mga3 firefox-or-24.2.0-1.mga3 firefox-pa_IN-24.2.0-1.mga3 firefox-pl-24.2.0-1.mga3 firefox-pt_BR-24.2.0-1.mga3 firefox-pt_PT-24.2.0-1.mga3 firefox-ro-24.2.0-1.mga3 firefox-ru-24.2.0-1.mga3 firefox-si-24.2.0-1.mga3 firefox-sk-24.2.0-1.mga3 firefox-sl-24.2.0-1.mga3 firefox-sq-24.2.0-1.mga3 firefox-sr-24.2.0-1.mga3 firefox-sv_SE-24.2.0-1.mga3 firefox-ta-24.2.0-1.mga3 firefox-ta_LK-24.2.0-1.mga3 firefox-te-24.2.0-1.mga3 firefox-th-24.2.0-1.mga3 firefox-tr-24.2.0-1.mga3 firefox-uk-24.2.0-1.mga3 firefox-vi-24.2.0-1.mga3 firefox-zh_CN-24.2.0-1.mga3 firefox-zh_TW-24.2.0-1.mga3 firefox-zu-24.2.0-1.mga3

from SRPMS:
rootcerts-20131204.00-1.mga3.src.rpm nss-3.15.3.1-1.mga3.src.rpm firefox-24.2.0-1.mga3.src.rpm firefox-l10n-24.2.0-1.mga3.src.rpm
rootcerts and nss were also pushed in Cauldron, but firefox still needs to be.
RedHat has issued an advisory for this today (December 11): https://rhn.redhat.com/errata/RHSA-2013-1812.html
URL: (none) => http://lwn.net/Vulnerabilities/576583/
RedHat reference for Thunderbird also: https://rhn.redhat.com/errata/RHSA-2013-1823.html
Blocks: (none) => 11726
thunderbird-24.2.0-1.mga3 + thunderbird-l10n-24.2.0-1.mga3 were just submitted.
CC: (none) => oe
ff + tb 24.2.0 have been committed to subversion for cauldron. Needs someone to submit these.
Thanks Oden. CC'ing Olivier Blin, because we'll also need thunderbird-lightning 2.6.4 to go along with the Thunderbird update.
CC: (none) => mageia
Thunderbird packages built so far:
thunderbird-24.2.0-1.mga3 thunderbird-enigmail-24.2.0-1.mga3 nsinstall-24.2.0-1.mga3 thunderbird-ar-24.2.0-1.mga3 thunderbird-ast-24.2.0-1.mga3 thunderbird-be-24.2.0-1.mga3 thunderbird-bg-24.2.0-1.mga3 thunderbird-bn_BD-24.2.0-1.mga3 thunderbird-br-24.2.0-1.mga3 thunderbird-ca-24.2.0-1.mga3 thunderbird-cs-24.2.0-1.mga3 thunderbird-da-24.2.0-1.mga3 thunderbird-de-24.2.0-1.mga3 thunderbird-el-24.2.0-1.mga3 thunderbird-en_GB-24.2.0-1.mga3 thunderbird-es_AR-24.2.0-1.mga3 thunderbird-es_ES-24.2.0-1.mga3 thunderbird-et-24.2.0-1.mga3 thunderbird-eu-24.2.0-1.mga3 thunderbird-fi-24.2.0-1.mga3 thunderbird-fr-24.2.0-1.mga3 thunderbird-fy-24.2.0-1.mga3 thunderbird-ga-24.2.0-1.mga3 thunderbird-gd-24.2.0-1.mga3 thunderbird-gl-24.2.0-1.mga3 thunderbird-he-24.2.0-1.mga3 thunderbird-hr-24.2.0-1.mga3 thunderbird-hu-24.2.0-1.mga3 thunderbird-hy-24.2.0-1.mga3 thunderbird-id-24.2.0-1.mga3 thunderbird-is-24.2.0-1.mga3 thunderbird-it-24.2.0-1.mga3 thunderbird-ja-24.2.0-1.mga3 thunderbird-ko-24.2.0-1.mga3 thunderbird-lt-24.2.0-1.mga3 thunderbird-nb_NO-24.2.0-1.mga3 thunderbird-nl-24.2.0-1.mga3 thunderbird-nn_NO-24.2.0-1.mga3 thunderbird-pl-24.2.0-1.mga3 thunderbird-pa_IN-24.2.0-1.mga3 thunderbird-pt_BR-24.2.0-1.mga3 thunderbird-pt_PT-24.2.0-1.mga3 thunderbird-ro-24.2.0-1.mga3 thunderbird-ru-24.2.0-1.mga3 thunderbird-si-24.2.0-1.mga3 thunderbird-sk-24.2.0-1.mga3 thunderbird-sl-24.2.0-1.mga3 thunderbird-sq-24.2.0-1.mga3 thunderbird-sv_SE-24.2.0-1.mga3 thunderbird-ta_LK-24.2.0-1.mga3 thunderbird-tr-24.2.0-1.mga3 thunderbird-uk-24.2.0-1.mga3 thunderbird-vi-24.2.0-1.mga3 thunderbird-zh_CN-24.2.0-1.mga3 thunderbird-zh_TW-24.2.0-1.mga3

from SRPMS:
thunderbird-24.2.0-1.mga3.src.rpm thunderbird-l10n-24.2.0-1.mga3.src.rpm
RedHat has issued an advisory for the rootcerts update on December 19:
https://rhn.redhat.com/errata/RHSA-2013-1861.html

from http://lwn.net/Vulnerabilities/577884/
(In reply to David Walser from comment #9)
> RedHat has issued an advisory for the rootcerts update on December 19:
> https://rhn.redhat.com/errata/RHSA-2013-1861.html
>
> from http://lwn.net/Vulnerabilities/577884/

This seems to have been fixed with rootcerts-20131204.00-1.mga3.src.rpm + nss-3.15.3.1-1.mga3.src.rpm in mga3 updates_testing. And fixed in cauldron.

Look for Distrust "Distrusted AC DG Tresor SSL" in the certdata-20131204.00.txt file.

https://hg.mozilla.org/projects/nss/rev/5a7944776645

But, cauldron also has ca-certificates and its status is unknown to me.
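The by-hand check in comment 10 (look for the distrust entry in certdata.txt) can be done mechanically. The following is an added example, not code from the bug thread or from Mageia/NSS: it parses the CKO_NSS_TRUST objects of a constructed certdata.txt fragment and lists the labels whose server-auth trust is CKT_NSS_NOT_TRUSTED, which is the entry the rootcerts update must carry for the mis-issued intermediate.

```python
# Added example, not from the bug thread; constructed certdata.txt fragment, octal blobs shortened.
SAMPLE_CERTDATA = r"""
# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_ISSUER MULTILINE_OCTAL
\060\201
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Distrust "Distrusted AC DG Tresor SSL"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted AC DG Tresor SSL"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_trust_objects(text):
    """Return one {attribute: value} dict per CKO_NSS_TRUST object in certdata.txt."""
    objects, current, in_octal = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:                       # skip a MULTILINE_OCTAL body up to its END
            in_octal = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)        # attribute, CK type, value
        if len(parts) < 2:                 # e.g. the bare BEGINDATA marker
            continue
        attr, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if ctype == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":          # every object starts with its CKA_CLASS line
            current = {attr: value}
            objects.append(current)
        elif current is not None:
            current[attr] = value.strip('"') if ctype == "UTF8" else value
    return [o for o in objects if o["CKA_CLASS"] == "CKO_NSS_TRUST"]

def distrusted_for_server_auth(text):
    """Labels whose CKA_TRUST_SERVER_AUTH is explicitly CKT_NSS_NOT_TRUSTED."""
    return sorted(o.get("CKA_LABEL", "?") for o in parse_trust_objects(text)
                  if o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_NOT_TRUSTED")
```

To run it against the real certdata-20131204.00.txt, pass the file's contents as the text argument; the octal blobs in the sample are shortened placeholders only.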
(In reply to Oden Eriksson from comment #10)
> But, cauldron also has ca-certificates and its status is unknown to me.

Yes, this issue is unfixed in that package and it needs to be updated and synced with Fedora. It is only currently required by java-1.8.0-openjdk, so it doesn't affect anything important.
CC: (none) => dmorganec
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:301/
Updated packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox or Thunderbird (CVE-2013-5609, CVE-2013-5616, CVE-2013-5618, CVE-2013-6671, CVE-2013-5613).

It was found that a subordinate Certificate Authority (CA) mis-issued an intermediate certificate, which could be used to conduct man-in-the-middle attacks. This update renders that particular intermediate certificate as untrusted (MFSA 2013-117).

The rootcerts and nss packages have been updated to fix the MFSA 2013-117 issue.

The thunderbird-lightning package has been updated to a version that is compatible with the updated thunderbird.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5618
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6671
http://www.mozilla.org/security/announce/2013/mfsa2013-104.html
http://www.mozilla.org/security/announce/2013/mfsa2013-108.html
http://www.mozilla.org/security/announce/2013/mfsa2013-109.html
http://www.mozilla.org/security/announce/2013/mfsa2013-111.html
http://www.mozilla.org/security/announce/2013/mfsa2013-114.html
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2013-1812.html
https://rhn.redhat.com/errata/RHSA-2013-1823.html
https://rhn.redhat.com/errata/RHSA-2013-1861.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20131204.00-1.mga3 rootcerts-java-20131204.00-1.mga3 nss-3.15.3.1-1.mga3 nss-doc-3.15.3.1-1.mga3 libnss3-3.15.3.1-1.mga3 libnss-devel-3.15.3.1-1.mga3 libnss-static-devel-3.15.3.1-1.mga3
firefox-24.2.0-1.mga3 firefox-devel-24.2.0-1.mga3 firefox-af-24.2.0-1.mga3 firefox-ar-24.2.0-1.mga3 firefox-as-24.2.0-1.mga3 firefox-ast-24.2.0-1.mga3 firefox-be-24.2.0-1.mga3 firefox-bg-24.2.0-1.mga3 firefox-bn_IN-24.2.0-1.mga3 firefox-bn_BD-24.2.0-1.mga3 firefox-br-24.2.0-1.mga3 firefox-bs-24.2.0-1.mga3 firefox-ca-24.2.0-1.mga3 firefox-cs-24.2.0-1.mga3 firefox-csb-24.2.0-1.mga3 firefox-cy-24.2.0-1.mga3 firefox-da-24.2.0-1.mga3 firefox-de-24.2.0-1.mga3 firefox-el-24.2.0-1.mga3 firefox-en_GB-24.2.0-1.mga3 firefox-en_ZA-24.2.0-1.mga3 firefox-eo-24.2.0-1.mga3 firefox-es_AR-24.2.0-1.mga3 firefox-es_CL-24.2.0-1.mga3 firefox-es_ES-24.2.0-1.mga3 firefox-es_MX-24.2.0-1.mga3 firefox-et-24.2.0-1.mga3 firefox-eu-24.2.0-1.mga3 firefox-fa-24.2.0-1.mga3 firefox-ff-24.2.0-1.mga3 firefox-fi-24.2.0-1.mga3 firefox-fr-24.2.0-1.mga3 firefox-fy-24.2.0-1.mga3 firefox-ga_IE-24.2.0-1.mga3 firefox-gd-24.2.0-1.mga3 firefox-gl-24.2.0-1.mga3 firefox-gu_IN-24.2.0-1.mga3 firefox-he-24.2.0-1.mga3 firefox-hi-24.2.0-1.mga3 firefox-hr-24.2.0-1.mga3 firefox-hu-24.2.0-1.mga3 firefox-hy-24.2.0-1.mga3 firefox-id-24.2.0-1.mga3 firefox-is-24.2.0-1.mga3 firefox-it-24.2.0-1.mga3 firefox-ja-24.2.0-1.mga3 firefox-kk-24.2.0-1.mga3 firefox-ko-24.2.0-1.mga3 firefox-km-24.2.0-1.mga3 firefox-kn-24.2.0-1.mga3 firefox-ku-24.2.0-1.mga3 firefox-lg-24.2.0-1.mga3 firefox-lij-24.2.0-1.mga3 firefox-lt-24.2.0-1.mga3 firefox-lv-24.2.0-1.mga3 firefox-mai-24.2.0-1.mga3 firefox-mk-24.2.0-1.mga3 firefox-ml-24.2.0-1.mga3 firefox-mr-24.2.0-1.mga3 firefox-nb_NO-24.2.0-1.mga3 firefox-nl-24.2.0-1.mga3 firefox-nn_NO-24.2.0-1.mga3 firefox-nso-24.2.0-1.mga3 firefox-or-24.2.0-1.mga3 firefox-pa_IN-24.2.0-1.mga3 firefox-pl-24.2.0-1.mga3 firefox-pt_BR-24.2.0-1.mga3 firefox-pt_PT-24.2.0-1.mga3 firefox-ro-24.2.0-1.mga3 firefox-ru-24.2.0-1.mga3 firefox-si-24.2.0-1.mga3 firefox-sk-24.2.0-1.mga3 firefox-sl-24.2.0-1.mga3 firefox-sq-24.2.0-1.mga3 firefox-sr-24.2.0-1.mga3 firefox-sv_SE-24.2.0-1.mga3 firefox-ta-24.2.0-1.mga3 firefox-ta_LK-24.2.0-1.mga3 firefox-te-24.2.0-1.mga3 firefox-th-24.2.0-1.mga3 firefox-tr-24.2.0-1.mga3 firefox-uk-24.2.0-1.mga3 firefox-vi-24.2.0-1.mga3 firefox-zh_CN-24.2.0-1.mga3 firefox-zh_TW-24.2.0-1.mga3 firefox-zu-24.2.0-1.mga3
thunderbird-24.2.0-1.mga3 thunderbird-enigmail-24.2.0-1.mga3 nsinstall-24.2.0-1.mga3 thunderbird-ar-24.2.0-1.mga3 thunderbird-ast-24.2.0-1.mga3 thunderbird-be-24.2.0-1.mga3 thunderbird-bg-24.2.0-1.mga3 thunderbird-bn_BD-24.2.0-1.mga3 thunderbird-br-24.2.0-1.mga3 thunderbird-ca-24.2.0-1.mga3 thunderbird-cs-24.2.0-1.mga3 thunderbird-da-24.2.0-1.mga3 thunderbird-de-24.2.0-1.mga3 thunderbird-el-24.2.0-1.mga3 thunderbird-en_GB-24.2.0-1.mga3 thunderbird-es_AR-24.2.0-1.mga3 thunderbird-es_ES-24.2.0-1.mga3 thunderbird-et-24.2.0-1.mga3 thunderbird-eu-24.2.0-1.mga3 thunderbird-fi-24.2.0-1.mga3 thunderbird-fr-24.2.0-1.mga3 thunderbird-fy-24.2.0-1.mga3 thunderbird-ga-24.2.0-1.mga3 thunderbird-gd-24.2.0-1.mga3 thunderbird-gl-24.2.0-1.mga3 thunderbird-he-24.2.0-1.mga3 thunderbird-hr-24.2.0-1.mga3 thunderbird-hu-24.2.0-1.mga3 thunderbird-hy-24.2.0-1.mga3 thunderbird-id-24.2.0-1.mga3 thunderbird-is-24.2.0-1.mga3 thunderbird-it-24.2.0-1.mga3 thunderbird-ja-24.2.0-1.mga3 thunderbird-ko-24.2.0-1.mga3 thunderbird-lt-24.2.0-1.mga3 thunderbird-nb_NO-24.2.0-1.mga3 thunderbird-nl-24.2.0-1.mga3 thunderbird-nn_NO-24.2.0-1.mga3 thunderbird-pl-24.2.0-1.mga3 thunderbird-pa_IN-24.2.0-1.mga3 thunderbird-pt_BR-24.2.0-1.mga3 thunderbird-pt_PT-24.2.0-1.mga3 thunderbird-ro-24.2.0-1.mga3 thunderbird-ru-24.2.0-1.mga3 thunderbird-si-24.2.0-1.mga3 thunderbird-sk-24.2.0-1.mga3 thunderbird-sl-24.2.0-1.mga3 thunderbird-sq-24.2.0-1.mga3 thunderbird-sv_SE-24.2.0-1.mga3 thunderbird-ta_LK-24.2.0-1.mga3 thunderbird-tr-24.2.0-1.mga3 thunderbird-uk-24.2.0-1.mga3 thunderbird-vi-24.2.0-1.mga3 thunderbird-zh_CN-24.2.0-1.mga3 thunderbird-zh_TW-24.2.0-1.mga3
thunderbird-lightning-2.6.4-1.mga3

from SRPMS:
rootcerts-20131204.00-1.mga3.src.rpm nss-3.15.3.1-1.mga3.src.rpm firefox-24.2.0-1.mga3.src.rpm firefox-l10n-24.2.0-1.mga3.src.rpm thunderbird-24.2.0-1.mga3.src.rpm thunderbird-l10n-24.2.0-1.mga3.src.rpm thunderbird-lightning-2.6.4-1.mga3.src.rpm
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Source RPM: firefox, thunderbird => firefox, thunderbird, rootcerts, nss, thunderbird-lightning
Whiteboard: MGA3TOO => (none)
Severity: normal => critical
No PoCs on SecurityFocus. Tested mga3-64.

Firefox: Tested general browsing, sunspider for javascript, youtube for flash, javatester.org for java. All OK.

Thunderbird: send/receive/move/delete over SMTP/IMAP. Tested updating a calendar event in lightning, all OK.
CC: (none) => wrw105
Whiteboard: (none) => mga3-64-ok
Whiteboard: mga3-64-ok => mga3-64-ok mga3-32-ok
Tested mga3-32 as above. All OK. If anyone can test other languages, that would be good, and we still need the advisory uploaded to svn.
Advisory uploaded to svn. Validating the update. Someone from the sysadmin team please push 11945.adv to updates.
Keywords: (none) => validated_update
Whiteboard: mga3-64-ok mga3-32-ok => mga3-64-ok mga3-32-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0006.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED