Bug 12594 - Firefox and Thunderbird 24.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584257/
Whiteboard: MGA3TOO has_procedure advisory MGA4-6...
Keywords: validated_update
 
Reported: 2014-02-04 23:30 CET by David Walser
Modified: 2014-02-06 21:04 CET
Source RPM: firefox, thunderbird

Comment 1 David Walser 2014-02-05 18:04:56 CET
Updated packages uploaded by Funda.  Thanks Funda!

According to upstream, it should no longer be necessary to update thunderbird-lightning with every single Thunderbird update, and version 2.6.4 should still work with Thunderbird 24.3 and future Thunderbird 24 releases.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1477, CVE-2014-1482, CVE-2014-1486).

A flaw was found in the way Firefox and Thunderbird handled error messages
related to web workers. An attacker could use this flaw to bypass the
same-origin policy, which could lead to cross-site scripting (XSS) attacks,
or could potentially be used to gather authentication tokens and other data
from third-party websites (CVE-2014-1487).

A flaw was found in the implementation of System Only Wrappers (SOW).
An attacker could use this flaw to crash Firefox or Thunderbird. When
combined with other vulnerabilities, this flaw could have additional
security implications (CVE-2014-1479).

It was found that the Firefox and Thunderbird JavaScript engine incorrectly
handled window objects. A remote attacker could use this flaw to bypass
certain security checks and possibly execute arbitrary code (CVE-2014-1481).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1487
http://www.mozilla.org/security/announce/2014/mfsa2014-01.html
http://www.mozilla.org/security/announce/2014/mfsa2014-02.html
http://www.mozilla.org/security/announce/2014/mfsa2014-04.html
http://www.mozilla.org/security/announce/2014/mfsa2014-08.html
http://www.mozilla.org/security/announce/2014/mfsa2014-09.html
http://www.mozilla.org/security/announce/2014/mfsa2014-13.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-0132.html
https://rhn.redhat.com/errata/RHSA-2014-0133.html
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.10.3-1.mga3
libnspr-devel-4.10.3-1.mga3
firefox-24.3.0-1.mga3
firefox-devel-24.3.0-1.mga3
firefox-af-24.3.0-1.mga3
firefox-ar-24.3.0-1.mga3
firefox-as-24.3.0-1.mga3
firefox-ast-24.3.0-1.mga3
firefox-be-24.3.0-1.mga3
firefox-bg-24.3.0-1.mga3
firefox-bn_IN-24.3.0-1.mga3
firefox-bn_BD-24.3.0-1.mga3
firefox-br-24.3.0-1.mga3
firefox-bs-24.3.0-1.mga3
firefox-ca-24.3.0-1.mga3
firefox-cs-24.3.0-1.mga3
firefox-csb-24.3.0-1.mga3
firefox-cy-24.3.0-1.mga3
firefox-da-24.3.0-1.mga3
firefox-de-24.3.0-1.mga3
firefox-el-24.3.0-1.mga3
firefox-en_GB-24.3.0-1.mga3
firefox-en_ZA-24.3.0-1.mga3
firefox-eo-24.3.0-1.mga3
firefox-es_AR-24.3.0-1.mga3
firefox-es_CL-24.3.0-1.mga3
firefox-es_ES-24.3.0-1.mga3
firefox-es_MX-24.3.0-1.mga3
firefox-et-24.3.0-1.mga3
firefox-eu-24.3.0-1.mga3
firefox-fa-24.3.0-1.mga3
firefox-ff-24.3.0-1.mga3
firefox-fi-24.3.0-1.mga3
firefox-fr-24.3.0-1.mga3
firefox-fy-24.3.0-1.mga3
firefox-ga_IE-24.3.0-1.mga3
firefox-gd-24.3.0-1.mga3
firefox-gl-24.3.0-1.mga3
firefox-gu_IN-24.3.0-1.mga3
firefox-he-24.3.0-1.mga3
firefox-hi-24.3.0-1.mga3
firefox-hr-24.3.0-1.mga3
firefox-hu-24.3.0-1.mga3
firefox-hy-24.3.0-1.mga3
firefox-id-24.3.0-1.mga3
firefox-is-24.3.0-1.mga3
firefox-it-24.3.0-1.mga3
firefox-ja-24.3.0-1.mga3
firefox-kk-24.3.0-1.mga3
firefox-ko-24.3.0-1.mga3
firefox-km-24.3.0-1.mga3
firefox-kn-24.3.0-1.mga3
firefox-ku-24.3.0-1.mga3
firefox-lg-24.3.0-1.mga3
firefox-lij-24.3.0-1.mga3
firefox-lt-24.3.0-1.mga3
firefox-lv-24.3.0-1.mga3
firefox-mai-24.3.0-1.mga3
firefox-mk-24.3.0-1.mga3
firefox-ml-24.3.0-1.mga3
firefox-mr-24.3.0-1.mga3
firefox-nb_NO-24.3.0-1.mga3
firefox-nl-24.3.0-1.mga3
firefox-nn_NO-24.3.0-1.mga3
firefox-nso-24.3.0-1.mga3
firefox-or-24.3.0-1.mga3
firefox-pa_IN-24.3.0-1.mga3
firefox-pl-24.3.0-1.mga3
firefox-pt_BR-24.3.0-1.mga3
firefox-pt_PT-24.3.0-1.mga3
firefox-ro-24.3.0-1.mga3
firefox-ru-24.3.0-1.mga3
firefox-si-24.3.0-1.mga3
firefox-sk-24.3.0-1.mga3
firefox-sl-24.3.0-1.mga3
firefox-sq-24.3.0-1.mga3
firefox-sr-24.3.0-1.mga3
firefox-sv_SE-24.3.0-1.mga3
firefox-ta-24.3.0-1.mga3
firefox-ta_LK-24.3.0-1.mga3
firefox-te-24.3.0-1.mga3
firefox-th-24.3.0-1.mga3
firefox-tr-24.3.0-1.mga3
firefox-uk-24.3.0-1.mga3
firefox-vi-24.3.0-1.mga3
firefox-zh_CN-24.3.0-1.mga3
firefox-zh_TW-24.3.0-1.mga3
firefox-zu-24.3.0-1.mga3
thunderbird-24.3.0-1.mga3
thunderbird-enigmail-24.3.0-1.mga3
nsinstall-24.3.0-1.mga3
thunderbird-ar-24.3.0-1.mga3
thunderbird-ast-24.3.0-1.mga3
thunderbird-be-24.3.0-1.mga3
thunderbird-bg-24.3.0-1.mga3
thunderbird-bn_BD-24.3.0-1.mga3
thunderbird-br-24.3.0-1.mga3
thunderbird-ca-24.3.0-1.mga3
thunderbird-cs-24.3.0-1.mga3
thunderbird-da-24.3.0-1.mga3
thunderbird-de-24.3.0-1.mga3
thunderbird-el-24.3.0-1.mga3
thunderbird-en_GB-24.3.0-1.mga3
thunderbird-es_AR-24.3.0-1.mga3
thunderbird-es_ES-24.3.0-1.mga3
thunderbird-et-24.3.0-1.mga3
thunderbird-eu-24.3.0-1.mga3
thunderbird-fi-24.3.0-1.mga3
thunderbird-fr-24.3.0-1.mga3
thunderbird-fy-24.3.0-1.mga3
thunderbird-ga-24.3.0-1.mga3
thunderbird-gd-24.3.0-1.mga3
thunderbird-gl-24.3.0-1.mga3
thunderbird-he-24.3.0-1.mga3
thunderbird-hr-24.3.0-1.mga3
thunderbird-hu-24.3.0-1.mga3
thunderbird-hy-24.3.0-1.mga3
thunderbird-id-24.3.0-1.mga3
thunderbird-is-24.3.0-1.mga3
thunderbird-it-24.3.0-1.mga3
thunderbird-ja-24.3.0-1.mga3
thunderbird-ko-24.3.0-1.mga3
thunderbird-lt-24.3.0-1.mga3
thunderbird-nb_NO-24.3.0-1.mga3
thunderbird-nl-24.3.0-1.mga3
thunderbird-nn_NO-24.3.0-1.mga3
thunderbird-pl-24.3.0-1.mga3
thunderbird-pa_IN-24.3.0-1.mga3
thunderbird-pt_BR-24.3.0-1.mga3
thunderbird-pt_PT-24.3.0-1.mga3
thunderbird-ro-24.3.0-1.mga3
thunderbird-ru-24.3.0-1.mga3
thunderbird-si-24.3.0-1.mga3
thunderbird-sk-24.3.0-1.mga3
thunderbird-sl-24.3.0-1.mga3
thunderbird-sq-24.3.0-1.mga3
thunderbird-sv_SE-24.3.0-1.mga3
thunderbird-ta_LK-24.3.0-1.mga3
thunderbird-tr-24.3.0-1.mga3
thunderbird-uk-24.3.0-1.mga3
thunderbird-vi-24.3.0-1.mga3
thunderbird-zh_CN-24.3.0-1.mga3
thunderbird-zh_TW-24.3.0-1.mga3
libnspr4-4.10.3-1.mga4
libnspr-devel-4.10.3-1.mga4
firefox-24.3.0-1.mga4
firefox-devel-24.3.0-1.mga4
firefox-af-24.3.0-1.mga4
firefox-ar-24.3.0-1.mga4
firefox-as-24.3.0-1.mga4
firefox-ast-24.3.0-1.mga4
firefox-be-24.3.0-1.mga4
firefox-bg-24.3.0-1.mga4
firefox-bn_IN-24.3.0-1.mga4
firefox-bn_BD-24.3.0-1.mga4
firefox-br-24.3.0-1.mga4
firefox-bs-24.3.0-1.mga4
firefox-ca-24.3.0-1.mga4
firefox-cs-24.3.0-1.mga4
firefox-csb-24.3.0-1.mga4
firefox-cy-24.3.0-1.mga4
firefox-da-24.3.0-1.mga4
firefox-de-24.3.0-1.mga4
firefox-el-24.3.0-1.mga4
firefox-en_GB-24.3.0-1.mga4
firefox-en_ZA-24.3.0-1.mga4
firefox-eo-24.3.0-1.mga4
firefox-es_AR-24.3.0-1.mga4
firefox-es_CL-24.3.0-1.mga4
firefox-es_ES-24.3.0-1.mga4
firefox-es_MX-24.3.0-1.mga4
firefox-et-24.3.0-1.mga4
firefox-eu-24.3.0-1.mga4
firefox-fa-24.3.0-1.mga4
firefox-ff-24.3.0-1.mga4
firefox-fi-24.3.0-1.mga4
firefox-fr-24.3.0-1.mga4
firefox-fy-24.3.0-1.mga4
firefox-ga_IE-24.3.0-1.mga4
firefox-gd-24.3.0-1.mga4
firefox-gl-24.3.0-1.mga4
firefox-gu_IN-24.3.0-1.mga4
firefox-he-24.3.0-1.mga4
firefox-hi-24.3.0-1.mga4
firefox-hr-24.3.0-1.mga4
firefox-hu-24.3.0-1.mga4
firefox-hy-24.3.0-1.mga4
firefox-id-24.3.0-1.mga4
firefox-is-24.3.0-1.mga4
firefox-it-24.3.0-1.mga4
firefox-ja-24.3.0-1.mga4
firefox-kk-24.3.0-1.mga4
firefox-ko-24.3.0-1.mga4
firefox-km-24.3.0-1.mga4
firefox-kn-24.3.0-1.mga4
firefox-ku-24.3.0-1.mga4
firefox-lg-24.3.0-1.mga4
firefox-lij-24.3.0-1.mga4
firefox-lt-24.3.0-1.mga4
firefox-lv-24.3.0-1.mga4
firefox-mai-24.3.0-1.mga4
firefox-mk-24.3.0-1.mga4
firefox-ml-24.3.0-1.mga4
firefox-mr-24.3.0-1.mga4
firefox-nb_NO-24.3.0-1.mga4
firefox-nl-24.3.0-1.mga4
firefox-nn_NO-24.3.0-1.mga4
firefox-nso-24.3.0-1.mga4
firefox-or-24.3.0-1.mga4
firefox-pa_IN-24.3.0-1.mga4
firefox-pl-24.3.0-1.mga4
firefox-pt_BR-24.3.0-1.mga4
firefox-pt_PT-24.3.0-1.mga4
firefox-ro-24.3.0-1.mga4
firefox-ru-24.3.0-1.mga4
firefox-si-24.3.0-1.mga4
firefox-sk-24.3.0-1.mga4
firefox-sl-24.3.0-1.mga4
firefox-sq-24.3.0-1.mga4
firefox-sr-24.3.0-1.mga4
firefox-sv_SE-24.3.0-1.mga4
firefox-ta-24.3.0-1.mga4
firefox-ta_LK-24.3.0-1.mga4
firefox-te-24.3.0-1.mga4
firefox-th-24.3.0-1.mga4
firefox-tr-24.3.0-1.mga4
firefox-uk-24.3.0-1.mga4
firefox-vi-24.3.0-1.mga4
firefox-zh_CN-24.3.0-1.mga4
firefox-zh_TW-24.3.0-1.mga4
firefox-zu-24.3.0-1.mga4
thunderbird-24.3.0-1.mga4
thunderbird-enigmail-24.3.0-1.mga4
nsinstall-24.3.0-1.mga4
thunderbird-ar-24.3.0-1.mga4
thunderbird-ast-24.3.0-1.mga4
thunderbird-be-24.3.0-1.mga4
thunderbird-bg-24.3.0-1.mga4
thunderbird-bn_BD-24.3.0-1.mga4
thunderbird-br-24.3.0-1.mga4
thunderbird-ca-24.3.0-1.mga4
thunderbird-cs-24.3.0-1.mga4
thunderbird-da-24.3.0-1.mga4
thunderbird-de-24.3.0-1.mga4
thunderbird-el-24.3.0-1.mga4
thunderbird-en_GB-24.3.0-1.mga4
thunderbird-es_AR-24.3.0-1.mga4
thunderbird-es_ES-24.3.0-1.mga4
thunderbird-et-24.3.0-1.mga4
thunderbird-eu-24.3.0-1.mga4
thunderbird-fi-24.3.0-1.mga4
thunderbird-fr-24.3.0-1.mga4
thunderbird-fy-24.3.0-1.mga4
thunderbird-ga-24.3.0-1.mga4
thunderbird-gd-24.3.0-1.mga4
thunderbird-gl-24.3.0-1.mga4
thunderbird-he-24.3.0-1.mga4
thunderbird-hr-24.3.0-1.mga4
thunderbird-hu-24.3.0-1.mga4
thunderbird-hy-24.3.0-1.mga4
thunderbird-id-24.3.0-1.mga4
thunderbird-is-24.3.0-1.mga4
thunderbird-it-24.3.0-1.mga4
thunderbird-ja-24.3.0-1.mga4
thunderbird-ko-24.3.0-1.mga4
thunderbird-lt-24.3.0-1.mga4
thunderbird-nb_NO-24.3.0-1.mga4
thunderbird-nl-24.3.0-1.mga4
thunderbird-nn_NO-24.3.0-1.mga4
thunderbird-pl-24.3.0-1.mga4
thunderbird-pa_IN-24.3.0-1.mga4
thunderbird-pt_BR-24.3.0-1.mga4
thunderbird-pt_PT-24.3.0-1.mga4
thunderbird-ro-24.3.0-1.mga4
thunderbird-ru-24.3.0-1.mga4
thunderbird-si-24.3.0-1.mga4
thunderbird-sk-24.3.0-1.mga4
thunderbird-sl-24.3.0-1.mga4
thunderbird-sq-24.3.0-1.mga4
thunderbird-sv_SE-24.3.0-1.mga4
thunderbird-ta_LK-24.3.0-1.mga4
thunderbird-tr-24.3.0-1.mga4
thunderbird-uk-24.3.0-1.mga4
thunderbird-vi-24.3.0-1.mga4
thunderbird-zh_CN-24.3.0-1.mga4
thunderbird-zh_TW-24.3.0-1.mga4

from SRPMS:
nspr-4.10.3-1.mga3.src.rpm
firefox-24.3.0-1.mga3.src.rpm
firefox-l10n-24.3.0-1.mga3.src.rpm
thunderbird-24.3.0-1.mga3.src.rpm
thunderbird-l10n-24.3.0-1.mga3.src.rpm
nspr-4.10.3-1.mga4.src.rpm
firefox-24.3.0-1.mga4.src.rpm
firefox-l10n-24.3.0-1.mga4.src.rpm
thunderbird-24.3.0-1.mga4.src.rpm
thunderbird-l10n-24.3.0-1.mga4.src.rpm

Comment 2 Samuel Verschelde 2014-02-05 21:59:40 CET
firefox + firefox-fr working well for now on x86_64 mga4. Will report if I spot any issue.

Comment 3 Thomas Backlund 2014-02-06 00:03:03 CET
mga4 x86_64:

* firefox + fi & sv
  - browsing normal sites and sites with flash, java and videos ok

* thunderbird + fi & sv
  - mailing, newsreading, normal use, adding/removing accounts ok

Comment 4 Bill Wilkinson 2014-02-06 01:33:43 CET
mga4-32
Firefox:
 general browsing, flash, java, javascript tested, all OK

Thunderbird:
 Sent/received/moved messages, lightning loads calendar properly.

all OK

Comment 5 claire robinson 2014-02-06 11:43:08 CET
Testing complete mga3 32

Comment 6 claire robinson 2014-02-06 13:40:14 CET
Advisory uploaded.

Comment 7 claire robinson 2014-02-06 14:59:22 CET
Testing complete mga3 64

Could sysadmin please push from 3&4 core/updates_testing to updates

Thanks!

Comment 8 Thomas Backlund 2014-02-06 21:04:15 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0036.html
