Bug 12594 - Firefox and Thunderbird 24.3
Summary: Firefox and Thunderbird 24.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584257/
Whiteboard: MGA3TOO has_procedure advisory MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-04 23:30 CET by David Walser
Modified: 2014-02-06 21:04 CET

See Also:
Source RPM: firefox, thunderbird
CVE:
Status comment:


David Walser 2014-02-04 23:30:27 CET

CC: (none) => fundawang
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-02-05 18:04:56 CET
Updated packages uploaded by Funda.  Thanks Funda!

According to upstream, it should no longer be necessary to update thunderbird-lightning with every single Thunderbird update, and version 2.6.4 should still work with Thunderbird 24.3 and future Thunderbird 24 releases.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1477, CVE-2014-1482, CVE-2014-1486).

A flaw was found in the way Firefox and Thunderbird handled error messages
related to web workers. An attacker could use this flaw to bypass the
same-origin policy, which could lead to cross-site scripting (XSS) attacks,
or could potentially be used to gather authentication tokens and other data
from third-party websites (CVE-2014-1487).

A flaw was found in the implementation of System Only Wrappers (SOW).
An attacker could use this flaw to crash Firefox or Thunderbird. When
combined with other vulnerabilities, this flaw could have additional
security implications (CVE-2014-1479).

It was found that the Firefox and Thunderbird JavaScript engine incorrectly
handled window objects. A remote attacker could use this flaw to bypass
certain security checks and possibly execute arbitrary code (CVE-2014-1481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
http://www.mozilla.org/security/announce/2014/mfsa2014-01.html
http://www.mozilla.org/security/announce/2014/mfsa2014-02.html
http://www.mozilla.org/security/announce/2014/mfsa2014-04.html
http://www.mozilla.org/security/announce/2014/mfsa2014-08.html
http://www.mozilla.org/security/announce/2014/mfsa2014-09.html
http://www.mozilla.org/security/announce/2014/mfsa2014-13.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-0132.html
https://rhn.redhat.com/errata/RHSA-2014-0133.html
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.10.3-1.mga3
libnspr-devel-4.10.3-1.mga3
firefox-24.3.0-1.mga3
firefox-devel-24.3.0-1.mga3
firefox-af-24.3.0-1.mga3
firefox-ar-24.3.0-1.mga3
firefox-as-24.3.0-1.mga3
firefox-ast-24.3.0-1.mga3
firefox-be-24.3.0-1.mga3
firefox-bg-24.3.0-1.mga3
firefox-bn_IN-24.3.0-1.mga3
firefox-bn_BD-24.3.0-1.mga3
firefox-br-24.3.0-1.mga3
firefox-bs-24.3.0-1.mga3
firefox-ca-24.3.0-1.mga3
firefox-cs-24.3.0-1.mga3
firefox-csb-24.3.0-1.mga3
firefox-cy-24.3.0-1.mga3
firefox-da-24.3.0-1.mga3
firefox-de-24.3.0-1.mga3
firefox-el-24.3.0-1.mga3
firefox-en_GB-24.3.0-1.mga3
firefox-en_ZA-24.3.0-1.mga3
firefox-eo-24.3.0-1.mga3
firefox-es_AR-24.3.0-1.mga3
firefox-es_CL-24.3.0-1.mga3
firefox-es_ES-24.3.0-1.mga3
firefox-es_MX-24.3.0-1.mga3
firefox-et-24.3.0-1.mga3
firefox-eu-24.3.0-1.mga3
firefox-fa-24.3.0-1.mga3
firefox-ff-24.3.0-1.mga3
firefox-fi-24.3.0-1.mga3
firefox-fr-24.3.0-1.mga3
firefox-fy-24.3.0-1.mga3
firefox-ga_IE-24.3.0-1.mga3
firefox-gd-24.3.0-1.mga3
firefox-gl-24.3.0-1.mga3
firefox-gu_IN-24.3.0-1.mga3
firefox-he-24.3.0-1.mga3
firefox-hi-24.3.0-1.mga3
firefox-hr-24.3.0-1.mga3
firefox-hu-24.3.0-1.mga3
firefox-hy-24.3.0-1.mga3
firefox-id-24.3.0-1.mga3
firefox-is-24.3.0-1.mga3
firefox-it-24.3.0-1.mga3
firefox-ja-24.3.0-1.mga3
firefox-kk-24.3.0-1.mga3
firefox-ko-24.3.0-1.mga3
firefox-km-24.3.0-1.mga3
firefox-kn-24.3.0-1.mga3
firefox-ku-24.3.0-1.mga3
firefox-lg-24.3.0-1.mga3
firefox-lij-24.3.0-1.mga3
firefox-lt-24.3.0-1.mga3
firefox-lv-24.3.0-1.mga3
firefox-mai-24.3.0-1.mga3
firefox-mk-24.3.0-1.mga3
firefox-ml-24.3.0-1.mga3
firefox-mr-24.3.0-1.mga3
firefox-nb_NO-24.3.0-1.mga3
firefox-nl-24.3.0-1.mga3
firefox-nn_NO-24.3.0-1.mga3
firefox-nso-24.3.0-1.mga3
firefox-or-24.3.0-1.mga3
firefox-pa_IN-24.3.0-1.mga3
firefox-pl-24.3.0-1.mga3
firefox-pt_BR-24.3.0-1.mga3
firefox-pt_PT-24.3.0-1.mga3
firefox-ro-24.3.0-1.mga3
firefox-ru-24.3.0-1.mga3
firefox-si-24.3.0-1.mga3
firefox-sk-24.3.0-1.mga3
firefox-sl-24.3.0-1.mga3
firefox-sq-24.3.0-1.mga3
firefox-sr-24.3.0-1.mga3
firefox-sv_SE-24.3.0-1.mga3
firefox-ta-24.3.0-1.mga3
firefox-ta_LK-24.3.0-1.mga3
firefox-te-24.3.0-1.mga3
firefox-th-24.3.0-1.mga3
firefox-tr-24.3.0-1.mga3
firefox-uk-24.3.0-1.mga3
firefox-vi-24.3.0-1.mga3
firefox-zh_CN-24.3.0-1.mga3
firefox-zh_TW-24.3.0-1.mga3
firefox-zu-24.3.0-1.mga3
thunderbird-24.3.0-1.mga3
thunderbird-enigmail-24.3.0-1.mga3
nsinstall-24.3.0-1.mga3
thunderbird-ar-24.3.0-1.mga3
thunderbird-ast-24.3.0-1.mga3
thunderbird-be-24.3.0-1.mga3
thunderbird-bg-24.3.0-1.mga3
thunderbird-bn_BD-24.3.0-1.mga3
thunderbird-br-24.3.0-1.mga3
thunderbird-ca-24.3.0-1.mga3
thunderbird-cs-24.3.0-1.mga3
thunderbird-da-24.3.0-1.mga3
thunderbird-de-24.3.0-1.mga3
thunderbird-el-24.3.0-1.mga3
thunderbird-en_GB-24.3.0-1.mga3
thunderbird-es_AR-24.3.0-1.mga3
thunderbird-es_ES-24.3.0-1.mga3
thunderbird-et-24.3.0-1.mga3
thunderbird-eu-24.3.0-1.mga3
thunderbird-fi-24.3.0-1.mga3
thunderbird-fr-24.3.0-1.mga3
thunderbird-fy-24.3.0-1.mga3
thunderbird-ga-24.3.0-1.mga3
thunderbird-gd-24.3.0-1.mga3
thunderbird-gl-24.3.0-1.mga3
thunderbird-he-24.3.0-1.mga3
thunderbird-hr-24.3.0-1.mga3
thunderbird-hu-24.3.0-1.mga3
thunderbird-hy-24.3.0-1.mga3
thunderbird-id-24.3.0-1.mga3
thunderbird-is-24.3.0-1.mga3
thunderbird-it-24.3.0-1.mga3
thunderbird-ja-24.3.0-1.mga3
thunderbird-ko-24.3.0-1.mga3
thunderbird-lt-24.3.0-1.mga3
thunderbird-nb_NO-24.3.0-1.mga3
thunderbird-nl-24.3.0-1.mga3
thunderbird-nn_NO-24.3.0-1.mga3
thunderbird-pl-24.3.0-1.mga3
thunderbird-pa_IN-24.3.0-1.mga3
thunderbird-pt_BR-24.3.0-1.mga3
thunderbird-pt_PT-24.3.0-1.mga3
thunderbird-ro-24.3.0-1.mga3
thunderbird-ru-24.3.0-1.mga3
thunderbird-si-24.3.0-1.mga3
thunderbird-sk-24.3.0-1.mga3
thunderbird-sl-24.3.0-1.mga3
thunderbird-sq-24.3.0-1.mga3
thunderbird-sv_SE-24.3.0-1.mga3
thunderbird-ta_LK-24.3.0-1.mga3
thunderbird-tr-24.3.0-1.mga3
thunderbird-uk-24.3.0-1.mga3
thunderbird-vi-24.3.0-1.mga3
thunderbird-zh_CN-24.3.0-1.mga3
thunderbird-zh_TW-24.3.0-1.mga3
libnspr4-4.10.3-1.mga4
libnspr-devel-4.10.3-1.mga4
firefox-24.3.0-1.mga4
firefox-devel-24.3.0-1.mga4
firefox-af-24.3.0-1.mga4
firefox-ar-24.3.0-1.mga4
firefox-as-24.3.0-1.mga4
firefox-ast-24.3.0-1.mga4
firefox-be-24.3.0-1.mga4
firefox-bg-24.3.0-1.mga4
firefox-bn_IN-24.3.0-1.mga4
firefox-bn_BD-24.3.0-1.mga4
firefox-br-24.3.0-1.mga4
firefox-bs-24.3.0-1.mga4
firefox-ca-24.3.0-1.mga4
firefox-cs-24.3.0-1.mga4
firefox-csb-24.3.0-1.mga4
firefox-cy-24.3.0-1.mga4
firefox-da-24.3.0-1.mga4
firefox-de-24.3.0-1.mga4
firefox-el-24.3.0-1.mga4
firefox-en_GB-24.3.0-1.mga4
firefox-en_ZA-24.3.0-1.mga4
firefox-eo-24.3.0-1.mga4
firefox-es_AR-24.3.0-1.mga4
firefox-es_CL-24.3.0-1.mga4
firefox-es_ES-24.3.0-1.mga4
firefox-es_MX-24.3.0-1.mga4
firefox-et-24.3.0-1.mga4
firefox-eu-24.3.0-1.mga4
firefox-fa-24.3.0-1.mga4
firefox-ff-24.3.0-1.mga4
firefox-fi-24.3.0-1.mga4
firefox-fr-24.3.0-1.mga4
firefox-fy-24.3.0-1.mga4
firefox-ga_IE-24.3.0-1.mga4
firefox-gd-24.3.0-1.mga4
firefox-gl-24.3.0-1.mga4
firefox-gu_IN-24.3.0-1.mga4
firefox-he-24.3.0-1.mga4
firefox-hi-24.3.0-1.mga4
firefox-hr-24.3.0-1.mga4
firefox-hu-24.3.0-1.mga4
firefox-hy-24.3.0-1.mga4
firefox-id-24.3.0-1.mga4
firefox-is-24.3.0-1.mga4
firefox-it-24.3.0-1.mga4
firefox-ja-24.3.0-1.mga4
firefox-kk-24.3.0-1.mga4
firefox-ko-24.3.0-1.mga4
firefox-km-24.3.0-1.mga4
firefox-kn-24.3.0-1.mga4
firefox-ku-24.3.0-1.mga4
firefox-lg-24.3.0-1.mga4
firefox-lij-24.3.0-1.mga4
firefox-lt-24.3.0-1.mga4
firefox-lv-24.3.0-1.mga4
firefox-mai-24.3.0-1.mga4
firefox-mk-24.3.0-1.mga4
firefox-ml-24.3.0-1.mga4
firefox-mr-24.3.0-1.mga4
firefox-nb_NO-24.3.0-1.mga4
firefox-nl-24.3.0-1.mga4
firefox-nn_NO-24.3.0-1.mga4
firefox-nso-24.3.0-1.mga4
firefox-or-24.3.0-1.mga4
firefox-pa_IN-24.3.0-1.mga4
firefox-pl-24.3.0-1.mga4
firefox-pt_BR-24.3.0-1.mga4
firefox-pt_PT-24.3.0-1.mga4
firefox-ro-24.3.0-1.mga4
firefox-ru-24.3.0-1.mga4
firefox-si-24.3.0-1.mga4
firefox-sk-24.3.0-1.mga4
firefox-sl-24.3.0-1.mga4
firefox-sq-24.3.0-1.mga4
firefox-sr-24.3.0-1.mga4
firefox-sv_SE-24.3.0-1.mga4
firefox-ta-24.3.0-1.mga4
firefox-ta_LK-24.3.0-1.mga4
firefox-te-24.3.0-1.mga4
firefox-th-24.3.0-1.mga4
firefox-tr-24.3.0-1.mga4
firefox-uk-24.3.0-1.mga4
firefox-vi-24.3.0-1.mga4
firefox-zh_CN-24.3.0-1.mga4
firefox-zh_TW-24.3.0-1.mga4
firefox-zu-24.3.0-1.mga4
thunderbird-24.3.0-1.mga4
thunderbird-enigmail-24.3.0-1.mga4
nsinstall-24.3.0-1.mga4
thunderbird-ar-24.3.0-1.mga4
thunderbird-ast-24.3.0-1.mga4
thunderbird-be-24.3.0-1.mga4
thunderbird-bg-24.3.0-1.mga4
thunderbird-bn_BD-24.3.0-1.mga4
thunderbird-br-24.3.0-1.mga4
thunderbird-ca-24.3.0-1.mga4
thunderbird-cs-24.3.0-1.mga4
thunderbird-da-24.3.0-1.mga4
thunderbird-de-24.3.0-1.mga4
thunderbird-el-24.3.0-1.mga4
thunderbird-en_GB-24.3.0-1.mga4
thunderbird-es_AR-24.3.0-1.mga4
thunderbird-es_ES-24.3.0-1.mga4
thunderbird-et-24.3.0-1.mga4
thunderbird-eu-24.3.0-1.mga4
thunderbird-fi-24.3.0-1.mga4
thunderbird-fr-24.3.0-1.mga4
thunderbird-fy-24.3.0-1.mga4
thunderbird-ga-24.3.0-1.mga4
thunderbird-gd-24.3.0-1.mga4
thunderbird-gl-24.3.0-1.mga4
thunderbird-he-24.3.0-1.mga4
thunderbird-hr-24.3.0-1.mga4
thunderbird-hu-24.3.0-1.mga4
thunderbird-hy-24.3.0-1.mga4
thunderbird-id-24.3.0-1.mga4
thunderbird-is-24.3.0-1.mga4
thunderbird-it-24.3.0-1.mga4
thunderbird-ja-24.3.0-1.mga4
thunderbird-ko-24.3.0-1.mga4
thunderbird-lt-24.3.0-1.mga4
thunderbird-nb_NO-24.3.0-1.mga4
thunderbird-nl-24.3.0-1.mga4
thunderbird-nn_NO-24.3.0-1.mga4
thunderbird-pl-24.3.0-1.mga4
thunderbird-pa_IN-24.3.0-1.mga4
thunderbird-pt_BR-24.3.0-1.mga4
thunderbird-pt_PT-24.3.0-1.mga4
thunderbird-ro-24.3.0-1.mga4
thunderbird-ru-24.3.0-1.mga4
thunderbird-si-24.3.0-1.mga4
thunderbird-sk-24.3.0-1.mga4
thunderbird-sl-24.3.0-1.mga4
thunderbird-sq-24.3.0-1.mga4
thunderbird-sv_SE-24.3.0-1.mga4
thunderbird-ta_LK-24.3.0-1.mga4
thunderbird-tr-24.3.0-1.mga4
thunderbird-uk-24.3.0-1.mga4
thunderbird-vi-24.3.0-1.mga4
thunderbird-zh_CN-24.3.0-1.mga4
thunderbird-zh_TW-24.3.0-1.mga4

from SRPMS:
nspr-4.10.3-1.mga3.src.rpm
firefox-24.3.0-1.mga3.src.rpm
firefox-l10n-24.3.0-1.mga3.src.rpm
thunderbird-24.3.0-1.mga3.src.rpm
thunderbird-l10n-24.3.0-1.mga3.src.rpm
nspr-4.10.3-1.mga4.src.rpm
firefox-24.3.0-1.mga4.src.rpm
firefox-l10n-24.3.0-1.mga4.src.rpm
thunderbird-24.3.0-1.mga4.src.rpm
thunderbird-l10n-24.3.0-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

David Walser 2014-02-05 19:27:06 CET

URL: (none) => http://lwn.net/Vulnerabilities/584257/

Comment 2 Samuel Verschelde 2014-02-05 21:59:40 CET
firefox + firefox-fr working well for now on x86_64 mga4. Will report if I spot any issue.

CC: (none) => stormi

Comment 3 Thomas Backlund 2014-02-06 00:03:03 CET
mga4 x86_64:

* firefox + fi & sv
  - browsing normal sites and sites with flash, java and videos ok

* thunderbird + fi & sv
  - mailing, newsreading, normal use, adding/removing accounts ok

CC: (none) => tmb
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 4 Bill Wilkinson 2014-02-06 01:33:43 CET
mga4-32
Firefox:
 general browsing, flash, java, javascript tested, all OK

Thunderbird:
 Sent/received/moved messages, lightning loads calendar properly.

all OK

CC: (none) => wrw105
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK mga4-32-ok

Comment 5 claire robinson 2014-02-06 11:43:08 CET
Testing complete mga3 32

Whiteboard: MGA3TOO MGA4-64-OK mga4-32-ok => MGA3TOO MGA4-64-OK mga4-32-ok mga3-32-ok

Comment 6 claire robinson 2014-02-06 13:40:14 CET
Advisory uploaded.

Whiteboard: MGA3TOO MGA4-64-OK mga4-32-ok mga3-32-ok => MGA3TOO has_procedure advisory MGA4-64-OK mga4-32-ok mga3-32-ok

Comment 7 claire robinson 2014-02-06 14:59:22 CET
Testing complete mga3 64

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK mga4-32-ok mga3-32-ok => MGA3TOO has_procedure advisory MGA4-64-OK mga4-32-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-02-06 21:04:15 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0036.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

