Upstream has released version 24.6.0 today (June 10):
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

Fixing three critical security issues:
http://www.mozilla.org/security/announce/2014/mfsa2014-48.html
http://www.mozilla.org/security/announce/2014/mfsa2014-49.html
http://www.mozilla.org/security/announce/2014/mfsa2014-52.html

which correspond to the following CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541

The rootcerts, nspr, and nss packages have also been updated to the latest versions.

I'll post an advisory once RedHat posts theirs.

Updated packages:
rootcerts-20140401.00-1.mga3 rootcerts-java-20140401.00-1.mga3 libnspr4-4.10.6-1.mga3 libnspr-devel-4.10.6-1.mga3 nss-3.16.1-1.mga3 nss-doc-3.16.1-1.mga3 libnss3-3.16.1-1.mga3 libnss-devel-3.16.1-1.mga3 libnss-static-devel-3.16.1-1.mga3 firefox-24.6.0-1.mga3 firefox-devel-24.6.0-1.mga3 firefox-af-24.6.0-1.mga3 firefox-ar-24.6.0-1.mga3 firefox-as-24.6.0-1.mga3 firefox-ast-24.6.0-1.mga3 firefox-be-24.6.0-1.mga3 firefox-bg-24.6.0-1.mga3 firefox-bn_IN-24.6.0-1.mga3 firefox-bn_BD-24.6.0-1.mga3 firefox-br-24.6.0-1.mga3 firefox-bs-24.6.0-1.mga3 firefox-ca-24.6.0-1.mga3 firefox-cs-24.6.0-1.mga3 firefox-csb-24.6.0-1.mga3 firefox-cy-24.6.0-1.mga3 firefox-da-24.6.0-1.mga3 firefox-de-24.6.0-1.mga3 firefox-el-24.6.0-1.mga3 firefox-en_GB-24.6.0-1.mga3 firefox-en_ZA-24.6.0-1.mga3 firefox-eo-24.6.0-1.mga3 firefox-es_AR-24.6.0-1.mga3 firefox-es_CL-24.6.0-1.mga3 firefox-es_ES-24.6.0-1.mga3 firefox-es_MX-24.6.0-1.mga3 firefox-et-24.6.0-1.mga3 firefox-eu-24.6.0-1.mga3 firefox-fa-24.6.0-1.mga3 firefox-ff-24.6.0-1.mga3 firefox-fi-24.6.0-1.mga3 firefox-fr-24.6.0-1.mga3 firefox-fy-24.6.0-1.mga3 firefox-ga_IE-24.6.0-1.mga3 firefox-gd-24.6.0-1.mga3 firefox-gl-24.6.0-1.mga3 firefox-gu_IN-24.6.0-1.mga3
firefox-he-24.6.0-1.mga3 firefox-hi-24.6.0-1.mga3 firefox-hr-24.6.0-1.mga3 firefox-hu-24.6.0-1.mga3 firefox-hy-24.6.0-1.mga3 firefox-id-24.6.0-1.mga3 firefox-is-24.6.0-1.mga3 firefox-it-24.6.0-1.mga3 firefox-ja-24.6.0-1.mga3 firefox-kk-24.6.0-1.mga3 firefox-ko-24.6.0-1.mga3 firefox-km-24.6.0-1.mga3 firefox-kn-24.6.0-1.mga3 firefox-ku-24.6.0-1.mga3 firefox-lg-24.6.0-1.mga3 firefox-lij-24.6.0-1.mga3 firefox-lt-24.6.0-1.mga3 firefox-lv-24.6.0-1.mga3 firefox-mai-24.6.0-1.mga3 firefox-mk-24.6.0-1.mga3 firefox-ml-24.6.0-1.mga3 firefox-mr-24.6.0-1.mga3 firefox-nb_NO-24.6.0-1.mga3 firefox-nl-24.6.0-1.mga3 firefox-nn_NO-24.6.0-1.mga3 firefox-nso-24.6.0-1.mga3 firefox-or-24.6.0-1.mga3 firefox-pa_IN-24.6.0-1.mga3 firefox-pl-24.6.0-1.mga3 firefox-pt_BR-24.6.0-1.mga3 firefox-pt_PT-24.6.0-1.mga3 firefox-ro-24.6.0-1.mga3 firefox-ru-24.6.0-1.mga3 firefox-si-24.6.0-1.mga3 firefox-sk-24.6.0-1.mga3 firefox-sl-24.6.0-1.mga3 firefox-sq-24.6.0-1.mga3 firefox-sr-24.6.0-1.mga3 firefox-sv_SE-24.6.0-1.mga3 firefox-ta-24.6.0-1.mga3 firefox-ta_LK-24.6.0-1.mga3 firefox-te-24.6.0-1.mga3 firefox-th-24.6.0-1.mga3 firefox-tr-24.6.0-1.mga3 firefox-uk-24.6.0-1.mga3 firefox-vi-24.6.0-1.mga3 firefox-zh_CN-24.6.0-1.mga3 firefox-zh_TW-24.6.0-1.mga3 firefox-zu-24.6.0-1.mga3 thunderbird-24.6.0-1.mga3 thunderbird-enigmail-24.6.0-1.mga3 nsinstall-24.6.0-1.mga3 thunderbird-ar-24.6.0-1.mga3 thunderbird-ast-24.6.0-1.mga3 thunderbird-be-24.6.0-1.mga3 thunderbird-bg-24.6.0-1.mga3 thunderbird-bn_BD-24.6.0-1.mga3 thunderbird-br-24.6.0-1.mga3 thunderbird-ca-24.6.0-1.mga3 thunderbird-cs-24.6.0-1.mga3 thunderbird-da-24.6.0-1.mga3 thunderbird-de-24.6.0-1.mga3 thunderbird-el-24.6.0-1.mga3 thunderbird-en_GB-24.6.0-1.mga3 thunderbird-es_AR-24.6.0-1.mga3 thunderbird-es_ES-24.6.0-1.mga3 thunderbird-et-24.6.0-1.mga3 thunderbird-eu-24.6.0-1.mga3 thunderbird-fi-24.6.0-1.mga3 thunderbird-fr-24.6.0-1.mga3 thunderbird-fy-24.6.0-1.mga3 thunderbird-ga-24.6.0-1.mga3 thunderbird-gd-24.6.0-1.mga3 thunderbird-gl-24.6.0-1.mga3 
thunderbird-he-24.6.0-1.mga3 thunderbird-hr-24.6.0-1.mga3 thunderbird-hu-24.6.0-1.mga3 thunderbird-hy-24.6.0-1.mga3 thunderbird-id-24.6.0-1.mga3 thunderbird-is-24.6.0-1.mga3 thunderbird-it-24.6.0-1.mga3 thunderbird-ja-24.6.0-1.mga3 thunderbird-ko-24.6.0-1.mga3 thunderbird-lt-24.6.0-1.mga3 thunderbird-nb_NO-24.6.0-1.mga3 thunderbird-nl-24.6.0-1.mga3 thunderbird-nn_NO-24.6.0-1.mga3 thunderbird-pl-24.6.0-1.mga3 thunderbird-pa_IN-24.6.0-1.mga3 thunderbird-pt_BR-24.6.0-1.mga3 thunderbird-pt_PT-24.6.0-1.mga3 thunderbird-ro-24.6.0-1.mga3 thunderbird-ru-24.6.0-1.mga3 thunderbird-si-24.6.0-1.mga3 thunderbird-sk-24.6.0-1.mga3 thunderbird-sl-24.6.0-1.mga3 thunderbird-sq-24.6.0-1.mga3 thunderbird-sv_SE-24.6.0-1.mga3 thunderbird-ta_LK-24.6.0-1.mga3 thunderbird-tr-24.6.0-1.mga3 thunderbird-uk-24.6.0-1.mga3 thunderbird-vi-24.6.0-1.mga3 thunderbird-zh_CN-24.6.0-1.mga3 thunderbird-zh_TW-24.6.0-1.mga3 rootcerts-20140401.00-1.mga4 rootcerts-java-20140401.00-1.mga4 libnspr4-4.10.6-1.mga4 libnspr-devel-4.10.6-1.mga4 nss-3.16.1-1.mga4 nss-doc-3.16.1-1.mga4 libnss3-3.16.1-1.mga4 libnss-devel-3.16.1-1.mga4 libnss-static-devel-3.16.1-1.mga4 firefox-24.6.0-1.mga4 firefox-devel-24.6.0-1.mga4 firefox-af-24.6.0-1.mga4 firefox-ar-24.6.0-1.mga4 firefox-as-24.6.0-1.mga4 firefox-ast-24.6.0-1.mga4 firefox-be-24.6.0-1.mga4 firefox-bg-24.6.0-1.mga4 firefox-bn_IN-24.6.0-1.mga4 firefox-bn_BD-24.6.0-1.mga4 firefox-br-24.6.0-1.mga4 firefox-bs-24.6.0-1.mga4 firefox-ca-24.6.0-1.mga4 firefox-cs-24.6.0-1.mga4 firefox-csb-24.6.0-1.mga4 firefox-cy-24.6.0-1.mga4 firefox-da-24.6.0-1.mga4 firefox-de-24.6.0-1.mga4 firefox-el-24.6.0-1.mga4 firefox-en_GB-24.6.0-1.mga4 firefox-en_ZA-24.6.0-1.mga4 firefox-eo-24.6.0-1.mga4 firefox-es_AR-24.6.0-1.mga4 firefox-es_CL-24.6.0-1.mga4 firefox-es_ES-24.6.0-1.mga4 firefox-es_MX-24.6.0-1.mga4 firefox-et-24.6.0-1.mga4 firefox-eu-24.6.0-1.mga4 firefox-fa-24.6.0-1.mga4 firefox-ff-24.6.0-1.mga4 firefox-fi-24.6.0-1.mga4 firefox-fr-24.6.0-1.mga4 firefox-fy-24.6.0-1.mga4 
firefox-ga_IE-24.6.0-1.mga4 firefox-gd-24.6.0-1.mga4 firefox-gl-24.6.0-1.mga4 firefox-gu_IN-24.6.0-1.mga4 firefox-he-24.6.0-1.mga4 firefox-hi-24.6.0-1.mga4 firefox-hr-24.6.0-1.mga4 firefox-hu-24.6.0-1.mga4 firefox-hy-24.6.0-1.mga4 firefox-id-24.6.0-1.mga4 firefox-is-24.6.0-1.mga4 firefox-it-24.6.0-1.mga4 firefox-ja-24.6.0-1.mga4 firefox-kk-24.6.0-1.mga4 firefox-ko-24.6.0-1.mga4 firefox-km-24.6.0-1.mga4 firefox-kn-24.6.0-1.mga4 firefox-ku-24.6.0-1.mga4 firefox-lg-24.6.0-1.mga4 firefox-lij-24.6.0-1.mga4 firefox-lt-24.6.0-1.mga4 firefox-lv-24.6.0-1.mga4 firefox-mai-24.6.0-1.mga4 firefox-mk-24.6.0-1.mga4 firefox-ml-24.6.0-1.mga4 firefox-mr-24.6.0-1.mga4 firefox-nb_NO-24.6.0-1.mga4 firefox-nl-24.6.0-1.mga4 firefox-nn_NO-24.6.0-1.mga4 firefox-nso-24.6.0-1.mga4 firefox-or-24.6.0-1.mga4 firefox-pa_IN-24.6.0-1.mga4 firefox-pl-24.6.0-1.mga4 firefox-pt_BR-24.6.0-1.mga4 firefox-pt_PT-24.6.0-1.mga4 firefox-ro-24.6.0-1.mga4 firefox-ru-24.6.0-1.mga4 firefox-si-24.6.0-1.mga4 firefox-sk-24.6.0-1.mga4 firefox-sl-24.6.0-1.mga4 firefox-sq-24.6.0-1.mga4 firefox-sr-24.6.0-1.mga4 firefox-sv_SE-24.6.0-1.mga4 firefox-ta-24.6.0-1.mga4 firefox-ta_LK-24.6.0-1.mga4 firefox-te-24.6.0-1.mga4 firefox-th-24.6.0-1.mga4 firefox-tr-24.6.0-1.mga4 firefox-uk-24.6.0-1.mga4 firefox-vi-24.6.0-1.mga4 firefox-zh_CN-24.6.0-1.mga4 firefox-zh_TW-24.6.0-1.mga4 firefox-zu-24.6.0-1.mga4 thunderbird-24.6.0-1.mga4 thunderbird-enigmail-24.6.0-1.mga4 nsinstall-24.6.0-1.mga4 thunderbird-ar-24.6.0-1.mga4 thunderbird-ast-24.6.0-1.mga4 thunderbird-be-24.6.0-1.mga4 thunderbird-bg-24.6.0-1.mga4 thunderbird-bn_BD-24.6.0-1.mga4 thunderbird-br-24.6.0-1.mga4 thunderbird-ca-24.6.0-1.mga4 thunderbird-cs-24.6.0-1.mga4 thunderbird-da-24.6.0-1.mga4 thunderbird-de-24.6.0-1.mga4 thunderbird-el-24.6.0-1.mga4 thunderbird-en_GB-24.6.0-1.mga4 thunderbird-es_AR-24.6.0-1.mga4 thunderbird-es_ES-24.6.0-1.mga4 thunderbird-et-24.6.0-1.mga4 thunderbird-eu-24.6.0-1.mga4 thunderbird-fi-24.6.0-1.mga4 thunderbird-fr-24.6.0-1.mga4 
thunderbird-fy-24.6.0-1.mga4 thunderbird-ga-24.6.0-1.mga4 thunderbird-gd-24.6.0-1.mga4 thunderbird-gl-24.6.0-1.mga4 thunderbird-he-24.6.0-1.mga4 thunderbird-hr-24.6.0-1.mga4 thunderbird-hu-24.6.0-1.mga4 thunderbird-hy-24.6.0-1.mga4 thunderbird-id-24.6.0-1.mga4 thunderbird-is-24.6.0-1.mga4 thunderbird-it-24.6.0-1.mga4 thunderbird-ja-24.6.0-1.mga4 thunderbird-ko-24.6.0-1.mga4 thunderbird-lt-24.6.0-1.mga4 thunderbird-nb_NO-24.6.0-1.mga4 thunderbird-nl-24.6.0-1.mga4 thunderbird-nn_NO-24.6.0-1.mga4 thunderbird-pl-24.6.0-1.mga4 thunderbird-pa_IN-24.6.0-1.mga4 thunderbird-pt_BR-24.6.0-1.mga4 thunderbird-pt_PT-24.6.0-1.mga4 thunderbird-ro-24.6.0-1.mga4 thunderbird-ru-24.6.0-1.mga4 thunderbird-si-24.6.0-1.mga4 thunderbird-sk-24.6.0-1.mga4 thunderbird-sl-24.6.0-1.mga4 thunderbird-sq-24.6.0-1.mga4 thunderbird-sv_SE-24.6.0-1.mga4 thunderbird-ta_LK-24.6.0-1.mga4 thunderbird-tr-24.6.0-1.mga4 thunderbird-uk-24.6.0-1.mga4 thunderbird-vi-24.6.0-1.mga4 thunderbird-zh_CN-24.6.0-1.mga4 thunderbird-zh_TW-24.6.0-1.mga4

from SRPMS:
rootcerts-20140401.00-1.mga3.src.rpm
nspr-4.10.6-1.mga3.src.rpm
nss-3.16.1-1.mga3.src.rpm
firefox-24.6.0-1.mga3.src.rpm
firefox-l10n-24.6.0-1.mga3.src.rpm
thunderbird-24.6.0-1.mga3.src.rpm
thunderbird-l10n-24.6.0-1.mga3.src.rpm
rootcerts-20140401.00-1.mga4.src.rpm
nspr-4.10.6-1.mga4.src.rpm
nss-3.16.1-1.mga4.src.rpm
firefox-24.6.0-1.mga4.src.rpm
firefox-l10n-24.6.0-1.mga4.src.rpm
thunderbird-24.6.0-1.mga4.src.rpm
thunderbird-l10n-24.6.0-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
No PoCs on Securityfocus. Tested mga4-32 for general use.

FF:
  acid 3 for rendering
  sunspider for javascript
  javatester for java
  youtube for flash
  general browsing

TB:
  send/receive/move/delete on smtp/imap

All OK, no regressions noted.
CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok
tested mga4-64 as above, all OK.
Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO mga4-32-ok mga4-64-ok
tested mga3-32 as above, all OK.
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok
tested mga3-64 as above, all OK. Ready for validation when advisory uploaded to SVN.
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1533, CVE-2014-1538, CVE-2014-1541).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541
http://www.mozilla.org/security/announce/2014/mfsa2014-48.html
http://www.mozilla.org/security/announce/2014/mfsa2014-49.html
http://www.mozilla.org/security/announce/2014/mfsa2014-52.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-0741.html
https://rhn.redhat.com/errata/RHSA-2014-0742.html
Thanks both. Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0260.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
This update (specifically nspr) also fixed CVE-2014-1545:
http://lwn.net/Vulnerabilities/602042/

Advisory addendum:

Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions (CVE-2014-1545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
http://www.mozilla.org/security/announce/2014/mfsa2014-55.html
URL: (none) => http://lwn.net/Vulnerabilities/602039/