RedHat has issued advisories today (June 22):
https://rhn.redhat.com/errata/RHSA-2014-0919.html
https://rhn.redhat.com/errata/RHSA-2014-0918.html
https://rhn.redhat.com/errata/RHSA-2014-0917.html

The update to nss 3.16.3 fixes CVE-2014-1544:
https://www.mozilla.org/security/announce/2014/mfsa2014-63.html

The Firefox/Thunderbird 24.7 update fixes CVE-2014-1547 and CVE-2014-155[5-7]:
https://www.mozilla.org/security/announce/2014/mfsa2014-56.html
https://www.mozilla.org/security/announce/2014/mfsa2014-61.html
https://www.mozilla.org/security/announce/2014/mfsa2014-62.html
https://www.mozilla.org/security/announce/2014/mfsa2014-64.html

The other issues fixed in RedHat's nspr/nss update were fixed by us previously.

The update is in progress. The advisory will read as follows:

Advisory:
========================

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application (CVE-2014-1544).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557).

The rootcerts and nss packages have been updated to NSS 3.16.3, and the firefox and thunderbird packages have been updated to version 24.7.0, fixing these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1557
https://www.mozilla.org/security/announce/2014/mfsa2014-56.html
https://www.mozilla.org/security/announce/2014/mfsa2014-61.html
https://www.mozilla.org/security/announce/2014/mfsa2014-62.html
https://www.mozilla.org/security/announce/2014/mfsa2014-63.html
https://www.mozilla.org/security/announce/2014/mfsa2014-64.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-0919.html
https://rhn.redhat.com/errata/RHSA-2014-0918.html
https://rhn.redhat.com/errata/RHSA-2014-0917.html
The updated packages will be: rootcerts-20140703.00-1.mga3 rootcerts-java-20140703.00-1.mga3 nss-3.16.3-1.mga3 nss-doc-3.16.3-1.mga3 libnss3-3.16.3-1.mga3 libnss-devel-3.16.3-1.mga3 libnss-static-devel-3.16.3-1.mga3 firefox-24.7.0-1.mga3 firefox-devel-24.7.0-1.mga3 firefox-af-24.7.0-1.mga3 firefox-ar-24.7.0-1.mga3 firefox-as-24.7.0-1.mga3 firefox-ast-24.7.0-1.mga3 firefox-be-24.7.0-1.mga3 firefox-bg-24.7.0-1.mga3 firefox-bn_IN-24.7.0-1.mga3 firefox-bn_BD-24.7.0-1.mga3 firefox-br-24.7.0-1.mga3 firefox-bs-24.7.0-1.mga3 firefox-ca-24.7.0-1.mga3 firefox-cs-24.7.0-1.mga3 firefox-csb-24.7.0-1.mga3 firefox-cy-24.7.0-1.mga3 firefox-da-24.7.0-1.mga3 firefox-de-24.7.0-1.mga3 firefox-el-24.7.0-1.mga3 firefox-en_GB-24.7.0-1.mga3 firefox-en_ZA-24.7.0-1.mga3 firefox-eo-24.7.0-1.mga3 firefox-es_AR-24.7.0-1.mga3 firefox-es_CL-24.7.0-1.mga3 firefox-es_ES-24.7.0-1.mga3 firefox-es_MX-24.7.0-1.mga3 firefox-et-24.7.0-1.mga3 firefox-eu-24.7.0-1.mga3 firefox-fa-24.7.0-1.mga3 firefox-ff-24.7.0-1.mga3 firefox-fi-24.7.0-1.mga3 firefox-fr-24.7.0-1.mga3 firefox-fy-24.7.0-1.mga3 firefox-ga_IE-24.7.0-1.mga3 firefox-gd-24.7.0-1.mga3 firefox-gl-24.7.0-1.mga3 firefox-gu_IN-24.7.0-1.mga3 firefox-he-24.7.0-1.mga3 firefox-hi-24.7.0-1.mga3 firefox-hr-24.7.0-1.mga3 firefox-hu-24.7.0-1.mga3 firefox-hy-24.7.0-1.mga3 firefox-id-24.7.0-1.mga3 firefox-is-24.7.0-1.mga3 firefox-it-24.7.0-1.mga3 firefox-ja-24.7.0-1.mga3 firefox-kk-24.7.0-1.mga3 firefox-ko-24.7.0-1.mga3 firefox-km-24.7.0-1.mga3 firefox-kn-24.7.0-1.mga3 firefox-ku-24.7.0-1.mga3 firefox-lg-24.7.0-1.mga3 firefox-lij-24.7.0-1.mga3 firefox-lt-24.7.0-1.mga3 firefox-lv-24.7.0-1.mga3 firefox-mai-24.7.0-1.mga3 firefox-mk-24.7.0-1.mga3 firefox-ml-24.7.0-1.mga3 firefox-mr-24.7.0-1.mga3 firefox-nb_NO-24.7.0-1.mga3 firefox-nl-24.7.0-1.mga3 firefox-nn_NO-24.7.0-1.mga3 firefox-nso-24.7.0-1.mga3 firefox-or-24.7.0-1.mga3 firefox-pa_IN-24.7.0-1.mga3 firefox-pl-24.7.0-1.mga3 firefox-pt_BR-24.7.0-1.mga3 firefox-pt_PT-24.7.0-1.mga3 firefox-ro-24.7.0-1.mga3 
firefox-ru-24.7.0-1.mga3 firefox-si-24.7.0-1.mga3 firefox-sk-24.7.0-1.mga3 firefox-sl-24.7.0-1.mga3 firefox-sq-24.7.0-1.mga3 firefox-sr-24.7.0-1.mga3 firefox-sv_SE-24.7.0-1.mga3 firefox-ta-24.7.0-1.mga3 firefox-ta_LK-24.7.0-1.mga3 firefox-te-24.7.0-1.mga3 firefox-th-24.7.0-1.mga3 firefox-tr-24.7.0-1.mga3 firefox-uk-24.7.0-1.mga3 firefox-vi-24.7.0-1.mga3 firefox-zh_CN-24.7.0-1.mga3 firefox-zh_TW-24.7.0-1.mga3 firefox-zu-24.7.0-1.mga3 thunderbird-24.7.0-1.mga3 thunderbird-enigmail-24.7.0-1.mga3 nsinstall-24.7.0-1.mga3 thunderbird-ar-24.7.0-1.mga3 thunderbird-ast-24.7.0-1.mga3 thunderbird-be-24.7.0-1.mga3 thunderbird-bg-24.7.0-1.mga3 thunderbird-bn_BD-24.7.0-1.mga3 thunderbird-br-24.7.0-1.mga3 thunderbird-ca-24.7.0-1.mga3 thunderbird-cs-24.7.0-1.mga3 thunderbird-da-24.7.0-1.mga3 thunderbird-de-24.7.0-1.mga3 thunderbird-el-24.7.0-1.mga3 thunderbird-en_GB-24.7.0-1.mga3 thunderbird-es_AR-24.7.0-1.mga3 thunderbird-es_ES-24.7.0-1.mga3 thunderbird-et-24.7.0-1.mga3 thunderbird-eu-24.7.0-1.mga3 thunderbird-fi-24.7.0-1.mga3 thunderbird-fr-24.7.0-1.mga3 thunderbird-fy-24.7.0-1.mga3 thunderbird-ga-24.7.0-1.mga3 thunderbird-gd-24.7.0-1.mga3 thunderbird-gl-24.7.0-1.mga3 thunderbird-he-24.7.0-1.mga3 thunderbird-hr-24.7.0-1.mga3 thunderbird-hu-24.7.0-1.mga3 thunderbird-hy-24.7.0-1.mga3 thunderbird-id-24.7.0-1.mga3 thunderbird-is-24.7.0-1.mga3 thunderbird-it-24.7.0-1.mga3 thunderbird-ja-24.7.0-1.mga3 thunderbird-ko-24.7.0-1.mga3 thunderbird-lt-24.7.0-1.mga3 thunderbird-nb_NO-24.7.0-1.mga3 thunderbird-nl-24.7.0-1.mga3 thunderbird-nn_NO-24.7.0-1.mga3 thunderbird-pl-24.7.0-1.mga3 thunderbird-pa_IN-24.7.0-1.mga3 thunderbird-pt_BR-24.7.0-1.mga3 thunderbird-pt_PT-24.7.0-1.mga3 thunderbird-ro-24.7.0-1.mga3 thunderbird-ru-24.7.0-1.mga3 thunderbird-si-24.7.0-1.mga3 thunderbird-sk-24.7.0-1.mga3 thunderbird-sl-24.7.0-1.mga3 thunderbird-sq-24.7.0-1.mga3 thunderbird-sv_SE-24.7.0-1.mga3 thunderbird-ta_LK-24.7.0-1.mga3 thunderbird-tr-24.7.0-1.mga3 thunderbird-uk-24.7.0-1.mga3 
thunderbird-vi-24.7.0-1.mga3 thunderbird-zh_CN-24.7.0-1.mga3 thunderbird-zh_TW-24.7.0-1.mga3 rootcerts-20140703.00-1.mga4 rootcerts-java-20140703.00-1.mga4 nss-3.16.3-1.mga4 nss-doc-3.16.3-1.mga4 libnss3-3.16.3-1.mga4 libnss-devel-3.16.3-1.mga4 libnss-static-devel-3.16.3-1.mga4 firefox-24.7.0-1.mga4 firefox-devel-24.7.0-1.mga4 firefox-af-24.7.0-1.mga4 firefox-ar-24.7.0-1.mga4 firefox-as-24.7.0-1.mga4 firefox-ast-24.7.0-1.mga4 firefox-be-24.7.0-1.mga4 firefox-bg-24.7.0-1.mga4 firefox-bn_IN-24.7.0-1.mga4 firefox-bn_BD-24.7.0-1.mga4 firefox-br-24.7.0-1.mga4 firefox-bs-24.7.0-1.mga4 firefox-ca-24.7.0-1.mga4 firefox-cs-24.7.0-1.mga4 firefox-csb-24.7.0-1.mga4 firefox-cy-24.7.0-1.mga4 firefox-da-24.7.0-1.mga4 firefox-de-24.7.0-1.mga4 firefox-el-24.7.0-1.mga4 firefox-en_GB-24.7.0-1.mga4 firefox-en_ZA-24.7.0-1.mga4 firefox-eo-24.7.0-1.mga4 firefox-es_AR-24.7.0-1.mga4 firefox-es_CL-24.7.0-1.mga4 firefox-es_ES-24.7.0-1.mga4 firefox-es_MX-24.7.0-1.mga4 firefox-et-24.7.0-1.mga4 firefox-eu-24.7.0-1.mga4 firefox-fa-24.7.0-1.mga4 firefox-ff-24.7.0-1.mga4 firefox-fi-24.7.0-1.mga4 firefox-fr-24.7.0-1.mga4 firefox-fy-24.7.0-1.mga4 firefox-ga_IE-24.7.0-1.mga4 firefox-gd-24.7.0-1.mga4 firefox-gl-24.7.0-1.mga4 firefox-gu_IN-24.7.0-1.mga4 firefox-he-24.7.0-1.mga4 firefox-hi-24.7.0-1.mga4 firefox-hr-24.7.0-1.mga4 firefox-hu-24.7.0-1.mga4 firefox-hy-24.7.0-1.mga4 firefox-id-24.7.0-1.mga4 firefox-is-24.7.0-1.mga4 firefox-it-24.7.0-1.mga4 firefox-ja-24.7.0-1.mga4 firefox-kk-24.7.0-1.mga4 firefox-ko-24.7.0-1.mga4 firefox-km-24.7.0-1.mga4 firefox-kn-24.7.0-1.mga4 firefox-ku-24.7.0-1.mga4 firefox-lg-24.7.0-1.mga4 firefox-lij-24.7.0-1.mga4 firefox-lt-24.7.0-1.mga4 firefox-lv-24.7.0-1.mga4 firefox-mai-24.7.0-1.mga4 firefox-mk-24.7.0-1.mga4 firefox-ml-24.7.0-1.mga4 firefox-mr-24.7.0-1.mga4 firefox-nb_NO-24.7.0-1.mga4 firefox-nl-24.7.0-1.mga4 firefox-nn_NO-24.7.0-1.mga4 firefox-nso-24.7.0-1.mga4 firefox-or-24.7.0-1.mga4 firefox-pa_IN-24.7.0-1.mga4 firefox-pl-24.7.0-1.mga4 
firefox-pt_BR-24.7.0-1.mga4 firefox-pt_PT-24.7.0-1.mga4 firefox-ro-24.7.0-1.mga4 firefox-ru-24.7.0-1.mga4 firefox-si-24.7.0-1.mga4 firefox-sk-24.7.0-1.mga4 firefox-sl-24.7.0-1.mga4 firefox-sq-24.7.0-1.mga4 firefox-sr-24.7.0-1.mga4 firefox-sv_SE-24.7.0-1.mga4 firefox-ta-24.7.0-1.mga4 firefox-ta_LK-24.7.0-1.mga4 firefox-te-24.7.0-1.mga4 firefox-th-24.7.0-1.mga4 firefox-tr-24.7.0-1.mga4 firefox-uk-24.7.0-1.mga4 firefox-vi-24.7.0-1.mga4 firefox-zh_CN-24.7.0-1.mga4 firefox-zh_TW-24.7.0-1.mga4 firefox-zu-24.7.0-1.mga4 thunderbird-24.7.0-1.mga4 thunderbird-enigmail-24.7.0-1.mga4 nsinstall-24.7.0-1.mga4 thunderbird-ar-24.7.0-1.mga4 thunderbird-ast-24.7.0-1.mga4 thunderbird-be-24.7.0-1.mga4 thunderbird-bg-24.7.0-1.mga4 thunderbird-bn_BD-24.7.0-1.mga4 thunderbird-br-24.7.0-1.mga4 thunderbird-ca-24.7.0-1.mga4 thunderbird-cs-24.7.0-1.mga4 thunderbird-da-24.7.0-1.mga4 thunderbird-de-24.7.0-1.mga4 thunderbird-el-24.7.0-1.mga4 thunderbird-en_GB-24.7.0-1.mga4 thunderbird-es_AR-24.7.0-1.mga4 thunderbird-es_ES-24.7.0-1.mga4 thunderbird-et-24.7.0-1.mga4 thunderbird-eu-24.7.0-1.mga4 thunderbird-fi-24.7.0-1.mga4 thunderbird-fr-24.7.0-1.mga4 thunderbird-fy-24.7.0-1.mga4 thunderbird-ga-24.7.0-1.mga4 thunderbird-gd-24.7.0-1.mga4 thunderbird-gl-24.7.0-1.mga4 thunderbird-he-24.7.0-1.mga4 thunderbird-hr-24.7.0-1.mga4 thunderbird-hu-24.7.0-1.mga4 thunderbird-hy-24.7.0-1.mga4 thunderbird-id-24.7.0-1.mga4 thunderbird-is-24.7.0-1.mga4 thunderbird-it-24.7.0-1.mga4 thunderbird-ja-24.7.0-1.mga4 thunderbird-ko-24.7.0-1.mga4 thunderbird-lt-24.7.0-1.mga4 thunderbird-nb_NO-24.7.0-1.mga4 thunderbird-nl-24.7.0-1.mga4 thunderbird-nn_NO-24.7.0-1.mga4 thunderbird-pl-24.7.0-1.mga4 thunderbird-pa_IN-24.7.0-1.mga4 thunderbird-pt_BR-24.7.0-1.mga4 thunderbird-pt_PT-24.7.0-1.mga4 thunderbird-ro-24.7.0-1.mga4 thunderbird-ru-24.7.0-1.mga4 thunderbird-si-24.7.0-1.mga4 thunderbird-sk-24.7.0-1.mga4 thunderbird-sl-24.7.0-1.mga4 thunderbird-sq-24.7.0-1.mga4 thunderbird-sv_SE-24.7.0-1.mga4 thunderbird-ta_LK-24.7.0-1.mga4 
thunderbird-tr-24.7.0-1.mga4 thunderbird-uk-24.7.0-1.mga4 thunderbird-vi-24.7.0-1.mga4 thunderbird-zh_CN-24.7.0-1.mga4 thunderbird-zh_TW-24.7.0-1.mga4

from SRPMS:
rootcerts-20140703.00-1.mga3.src.rpm
nss-3.16.3-1.mga3.src.rpm
firefox-24.7.0-1.mga3.src.rpm
firefox-l10n-24.7.0-1.mga3.src.rpm
thunderbird-24.7.0-1.mga3.src.rpm
thunderbird-l10n-24.7.0-1.mga3.src.rpm
rootcerts-20140703.00-1.mga4.src.rpm
nss-3.16.3-1.mga4.src.rpm
firefox-24.7.0-1.mga4.src.rpm
firefox-l10n-24.7.0-1.mga4.src.rpm
thunderbird-24.7.0-1.mga4.src.rpm
thunderbird-l10n-24.7.0-1.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory is in Comment 0. Package list is in Comment 1.
Assignee: bugsquad => qa-bugs
No working exploits on SecurityFocus, testing general use.

Mga4-64:
Firefox: Acid3, general browsing, Javatester version, sunspider, youtube
Thunderbird: Ensure calendar loads in Lightning, send/receive/move/delete using SMTP/IMAP
CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
mga4-32 tested as above, no regressions noted. If nobody beats me to them, I'll get to mga3 this evening (US East coast time)
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
Firefox & Thunderbird

default install of Firefox Thunderbird

[root@localhost wilcal]# urpmi firefox
Package firefox-24.6.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi thunderbird
Package thunderbird-24.6.0-1.mga3.i586 is already installed

Firefox opens, plays CNN videos and surfs the Internet
Thunderbird opens and works.

install Firefox and Thunderbird from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-24.7.0-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi thunderbird
Package thunderbird-24.7.0-1.mga3.i586 is already installed

Firefox updates bookmarks and passwords opens, plays CNN videos and surfs the Internet.
Thunderbird opens and works.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok MGA3-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
Firefox & Thunderbird

default install of Firefox Thunderbird

[root@localhost wilcal]# urpmi firefox
Package firefox-24.6.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi thunderbird
Package thunderbird-24.6.0-1.mga3.x86_64 is already installed

Firefox opens, plays CNN videos and surfs the Internet
Thunderbird opens and works.

install Firefox and Thunderbird from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-24.7.0-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi thunderbird
Package thunderbird-24.7.0-1.mga3.x86_64 is already installed

Firefox updates bookmarks and passwords opens, plays CNN videos and surfs the Internet.
Thunderbird opens and works.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok MGA3-32-OK => MGA3TOO mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK
For me this update works fine. We could test all 80+ language packages but that's not practical.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
LWN reference for nss issue CVE-2014-1544: http://lwn.net/Vulnerabilities/606299/
URL: (none) => http://lwn.net/Vulnerabilities/606292/
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK => MGA3TOO mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0293.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED