Mozilla has issued advisories today:
https://www.mozilla.org/security/announce/2014/mfsa2014-67.html
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html

Firefox and Thunderbird 24.8 have been released to fix memory safety (CVE-2014-1562) and use-after-free (CVE-2014-1567) bugs.

Updates to rootcerts 20140805, nspr 4.10.7, nss 3.17, firefox{,-l10n} 24.8.0 and thunderbird{,-l10n} 24.8.0 have been checked into SVN for Mageia 3 and Mageia 4.

Waiting on RedHat's update for the advisory and the build system is too busy to push anything right now so I'll build the update later.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1567
https://www.mozilla.org/security/announce/2014/mfsa2014-67.html
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
Whiteboard: (none) => MGA3TOO
Once this is built, the updated packages will be as follows. rootcerts-20140805.00-1.mga3 rootcerts-java-20140805.00-1.mga3 libnspr4-4.10.7-1.mga3 libnspr-devel-4.10.7-1.mga3 nss-3.17.0-1.mga3 nss-doc-3.17.0-1.mga3 libnss3-3.17.0-1.mga3 libnss-devel-3.17.0-1.mga3 libnss-static-devel-3.17.0-1.mga3 firefox-24.8.0-1.mga3 firefox-devel-24.8.0-1.mga3 firefox-af-24.8.0-1.mga3 firefox-ar-24.8.0-1.mga3 firefox-as-24.8.0-1.mga3 firefox-ast-24.8.0-1.mga3 firefox-be-24.8.0-1.mga3 firefox-bg-24.8.0-1.mga3 firefox-bn_IN-24.8.0-1.mga3 firefox-bn_BD-24.8.0-1.mga3 firefox-br-24.8.0-1.mga3 firefox-bs-24.8.0-1.mga3 firefox-ca-24.8.0-1.mga3 firefox-cs-24.8.0-1.mga3 firefox-csb-24.8.0-1.mga3 firefox-cy-24.8.0-1.mga3 firefox-da-24.8.0-1.mga3 firefox-de-24.8.0-1.mga3 firefox-el-24.8.0-1.mga3 firefox-en_GB-24.8.0-1.mga3 firefox-en_ZA-24.8.0-1.mga3 firefox-eo-24.8.0-1.mga3 firefox-es_AR-24.8.0-1.mga3 firefox-es_CL-24.8.0-1.mga3 firefox-es_ES-24.8.0-1.mga3 firefox-es_MX-24.8.0-1.mga3 firefox-et-24.8.0-1.mga3 firefox-eu-24.8.0-1.mga3 firefox-fa-24.8.0-1.mga3 firefox-ff-24.8.0-1.mga3 firefox-fi-24.8.0-1.mga3 firefox-fr-24.8.0-1.mga3 firefox-fy-24.8.0-1.mga3 firefox-ga_IE-24.8.0-1.mga3 firefox-gd-24.8.0-1.mga3 firefox-gl-24.8.0-1.mga3 firefox-gu_IN-24.8.0-1.mga3 firefox-he-24.8.0-1.mga3 firefox-hi-24.8.0-1.mga3 firefox-hr-24.8.0-1.mga3 firefox-hu-24.8.0-1.mga3 firefox-hy-24.8.0-1.mga3 firefox-id-24.8.0-1.mga3 firefox-is-24.8.0-1.mga3 firefox-it-24.8.0-1.mga3 firefox-ja-24.8.0-1.mga3 firefox-kk-24.8.0-1.mga3 firefox-ko-24.8.0-1.mga3 firefox-km-24.8.0-1.mga3 firefox-kn-24.8.0-1.mga3 firefox-ku-24.8.0-1.mga3 firefox-lg-24.8.0-1.mga3 firefox-lij-24.8.0-1.mga3 firefox-lt-24.8.0-1.mga3 firefox-lv-24.8.0-1.mga3 firefox-mai-24.8.0-1.mga3 firefox-mk-24.8.0-1.mga3 firefox-ml-24.8.0-1.mga3 firefox-mr-24.8.0-1.mga3 firefox-nb_NO-24.8.0-1.mga3 firefox-nl-24.8.0-1.mga3 firefox-nn_NO-24.8.0-1.mga3 firefox-nso-24.8.0-1.mga3 firefox-or-24.8.0-1.mga3 firefox-pa_IN-24.8.0-1.mga3 firefox-pl-24.8.0-1.mga3 
firefox-pt_BR-24.8.0-1.mga3 firefox-pt_PT-24.8.0-1.mga3 firefox-ro-24.8.0-1.mga3 firefox-ru-24.8.0-1.mga3 firefox-si-24.8.0-1.mga3 firefox-sk-24.8.0-1.mga3 firefox-sl-24.8.0-1.mga3 firefox-sq-24.8.0-1.mga3 firefox-sr-24.8.0-1.mga3 firefox-sv_SE-24.8.0-1.mga3 firefox-ta-24.8.0-1.mga3 firefox-ta_LK-24.8.0-1.mga3 firefox-te-24.8.0-1.mga3 firefox-th-24.8.0-1.mga3 firefox-tr-24.8.0-1.mga3 firefox-uk-24.8.0-1.mga3 firefox-vi-24.8.0-1.mga3 firefox-zh_CN-24.8.0-1.mga3 firefox-zh_TW-24.8.0-1.mga3 firefox-zu-24.8.0-1.mga3 thunderbird-24.8.0-1.mga3 thunderbird-enigmail-24.8.0-1.mga3 nsinstall-24.8.0-1.mga3 thunderbird-ar-24.8.0-1.mga3 thunderbird-ast-24.8.0-1.mga3 thunderbird-be-24.8.0-1.mga3 thunderbird-bg-24.8.0-1.mga3 thunderbird-bn_BD-24.8.0-1.mga3 thunderbird-br-24.8.0-1.mga3 thunderbird-ca-24.8.0-1.mga3 thunderbird-cs-24.8.0-1.mga3 thunderbird-da-24.8.0-1.mga3 thunderbird-de-24.8.0-1.mga3 thunderbird-el-24.8.0-1.mga3 thunderbird-en_GB-24.8.0-1.mga3 thunderbird-es_AR-24.8.0-1.mga3 thunderbird-es_ES-24.8.0-1.mga3 thunderbird-et-24.8.0-1.mga3 thunderbird-eu-24.8.0-1.mga3 thunderbird-fi-24.8.0-1.mga3 thunderbird-fr-24.8.0-1.mga3 thunderbird-fy-24.8.0-1.mga3 thunderbird-ga-24.8.0-1.mga3 thunderbird-gd-24.8.0-1.mga3 thunderbird-gl-24.8.0-1.mga3 thunderbird-he-24.8.0-1.mga3 thunderbird-hr-24.8.0-1.mga3 thunderbird-hu-24.8.0-1.mga3 thunderbird-hy-24.8.0-1.mga3 thunderbird-id-24.8.0-1.mga3 thunderbird-is-24.8.0-1.mga3 thunderbird-it-24.8.0-1.mga3 thunderbird-ja-24.8.0-1.mga3 thunderbird-ko-24.8.0-1.mga3 thunderbird-lt-24.8.0-1.mga3 thunderbird-nb_NO-24.8.0-1.mga3 thunderbird-nl-24.8.0-1.mga3 thunderbird-nn_NO-24.8.0-1.mga3 thunderbird-pl-24.8.0-1.mga3 thunderbird-pa_IN-24.8.0-1.mga3 thunderbird-pt_BR-24.8.0-1.mga3 thunderbird-pt_PT-24.8.0-1.mga3 thunderbird-ro-24.8.0-1.mga3 thunderbird-ru-24.8.0-1.mga3 thunderbird-si-24.8.0-1.mga3 thunderbird-sk-24.8.0-1.mga3 thunderbird-sl-24.8.0-1.mga3 thunderbird-sq-24.8.0-1.mga3 thunderbird-sv_SE-24.8.0-1.mga3 thunderbird-ta_LK-24.8.0-1.mga3 
thunderbird-tr-24.8.0-1.mga3 thunderbird-uk-24.8.0-1.mga3 thunderbird-vi-24.8.0-1.mga3 thunderbird-zh_CN-24.8.0-1.mga3 thunderbird-zh_TW-24.8.0-1.mga3 rootcerts-20140805.00-1.mga4 rootcerts-java-20140805.00-1.mga4 libnspr4-4.10.7-1.mga4 libnspr-devel-4.10.7-1.mga4 nss-3.17.0-1.mga4 nss-doc-3.17.0-1.mga4 libnss3-3.17.0-1.mga4 libnss-devel-3.17.0-1.mga4 libnss-static-devel-3.17.0-1.mga4 firefox-24.8.0-1.mga4 firefox-devel-24.8.0-1.mga4 firefox-af-24.8.0-1.mga4 firefox-ar-24.8.0-1.mga4 firefox-as-24.8.0-1.mga4 firefox-ast-24.8.0-1.mga4 firefox-be-24.8.0-1.mga4 firefox-bg-24.8.0-1.mga4 firefox-bn_IN-24.8.0-1.mga4 firefox-bn_BD-24.8.0-1.mga4 firefox-br-24.8.0-1.mga4 firefox-bs-24.8.0-1.mga4 firefox-ca-24.8.0-1.mga4 firefox-cs-24.8.0-1.mga4 firefox-csb-24.8.0-1.mga4 firefox-cy-24.8.0-1.mga4 firefox-da-24.8.0-1.mga4 firefox-de-24.8.0-1.mga4 firefox-el-24.8.0-1.mga4 firefox-en_GB-24.8.0-1.mga4 firefox-en_ZA-24.8.0-1.mga4 firefox-eo-24.8.0-1.mga4 firefox-es_AR-24.8.0-1.mga4 firefox-es_CL-24.8.0-1.mga4 firefox-es_ES-24.8.0-1.mga4 firefox-es_MX-24.8.0-1.mga4 firefox-et-24.8.0-1.mga4 firefox-eu-24.8.0-1.mga4 firefox-fa-24.8.0-1.mga4 firefox-ff-24.8.0-1.mga4 firefox-fi-24.8.0-1.mga4 firefox-fr-24.8.0-1.mga4 firefox-fy-24.8.0-1.mga4 firefox-ga_IE-24.8.0-1.mga4 firefox-gd-24.8.0-1.mga4 firefox-gl-24.8.0-1.mga4 firefox-gu_IN-24.8.0-1.mga4 firefox-he-24.8.0-1.mga4 firefox-hi-24.8.0-1.mga4 firefox-hr-24.8.0-1.mga4 firefox-hu-24.8.0-1.mga4 firefox-hy-24.8.0-1.mga4 firefox-id-24.8.0-1.mga4 firefox-is-24.8.0-1.mga4 firefox-it-24.8.0-1.mga4 firefox-ja-24.8.0-1.mga4 firefox-kk-24.8.0-1.mga4 firefox-ko-24.8.0-1.mga4 firefox-km-24.8.0-1.mga4 firefox-kn-24.8.0-1.mga4 firefox-ku-24.8.0-1.mga4 firefox-lg-24.8.0-1.mga4 firefox-lij-24.8.0-1.mga4 firefox-lt-24.8.0-1.mga4 firefox-lv-24.8.0-1.mga4 firefox-mai-24.8.0-1.mga4 firefox-mk-24.8.0-1.mga4 firefox-ml-24.8.0-1.mga4 firefox-mr-24.8.0-1.mga4 firefox-nb_NO-24.8.0-1.mga4 firefox-nl-24.8.0-1.mga4 firefox-nn_NO-24.8.0-1.mga4 
firefox-nso-24.8.0-1.mga4 firefox-or-24.8.0-1.mga4 firefox-pa_IN-24.8.0-1.mga4 firefox-pl-24.8.0-1.mga4 firefox-pt_BR-24.8.0-1.mga4 firefox-pt_PT-24.8.0-1.mga4 firefox-ro-24.8.0-1.mga4 firefox-ru-24.8.0-1.mga4 firefox-si-24.8.0-1.mga4 firefox-sk-24.8.0-1.mga4 firefox-sl-24.8.0-1.mga4 firefox-sq-24.8.0-1.mga4 firefox-sr-24.8.0-1.mga4 firefox-sv_SE-24.8.0-1.mga4 firefox-ta-24.8.0-1.mga4 firefox-ta_LK-24.8.0-1.mga4 firefox-te-24.8.0-1.mga4 firefox-th-24.8.0-1.mga4 firefox-tr-24.8.0-1.mga4 firefox-uk-24.8.0-1.mga4 firefox-vi-24.8.0-1.mga4 firefox-zh_CN-24.8.0-1.mga4 firefox-zh_TW-24.8.0-1.mga4 firefox-zu-24.8.0-1.mga4 thunderbird-24.8.0-1.mga4 thunderbird-enigmail-24.8.0-1.mga4 nsinstall-24.8.0-1.mga4 thunderbird-ar-24.8.0-1.mga4 thunderbird-ast-24.8.0-1.mga4 thunderbird-be-24.8.0-1.mga4 thunderbird-bg-24.8.0-1.mga4 thunderbird-bn_BD-24.8.0-1.mga4 thunderbird-br-24.8.0-1.mga4 thunderbird-ca-24.8.0-1.mga4 thunderbird-cs-24.8.0-1.mga4 thunderbird-da-24.8.0-1.mga4 thunderbird-de-24.8.0-1.mga4 thunderbird-el-24.8.0-1.mga4 thunderbird-en_GB-24.8.0-1.mga4 thunderbird-es_AR-24.8.0-1.mga4 thunderbird-es_ES-24.8.0-1.mga4 thunderbird-et-24.8.0-1.mga4 thunderbird-eu-24.8.0-1.mga4 thunderbird-fi-24.8.0-1.mga4 thunderbird-fr-24.8.0-1.mga4 thunderbird-fy-24.8.0-1.mga4 thunderbird-ga-24.8.0-1.mga4 thunderbird-gd-24.8.0-1.mga4 thunderbird-gl-24.8.0-1.mga4 thunderbird-he-24.8.0-1.mga4 thunderbird-hr-24.8.0-1.mga4 thunderbird-hu-24.8.0-1.mga4 thunderbird-hy-24.8.0-1.mga4 thunderbird-id-24.8.0-1.mga4 thunderbird-is-24.8.0-1.mga4 thunderbird-it-24.8.0-1.mga4 thunderbird-ja-24.8.0-1.mga4 thunderbird-ko-24.8.0-1.mga4 thunderbird-lt-24.8.0-1.mga4 thunderbird-nb_NO-24.8.0-1.mga4 thunderbird-nl-24.8.0-1.mga4 thunderbird-nn_NO-24.8.0-1.mga4 thunderbird-pl-24.8.0-1.mga4 thunderbird-pa_IN-24.8.0-1.mga4 thunderbird-pt_BR-24.8.0-1.mga4 thunderbird-pt_PT-24.8.0-1.mga4 thunderbird-ro-24.8.0-1.mga4 thunderbird-ru-24.8.0-1.mga4 thunderbird-si-24.8.0-1.mga4 thunderbird-sk-24.8.0-1.mga4 
thunderbird-sl-24.8.0-1.mga4 thunderbird-sq-24.8.0-1.mga4 thunderbird-sv_SE-24.8.0-1.mga4 thunderbird-ta_LK-24.8.0-1.mga4 thunderbird-tr-24.8.0-1.mga4 thunderbird-uk-24.8.0-1.mga4 thunderbird-vi-24.8.0-1.mga4 thunderbird-zh_CN-24.8.0-1.mga4 thunderbird-zh_TW-24.8.0-1.mga4 from SRPMS: rootcerts-20140805.00-1.mga3.src.rpm nspr-4.10.7-1.mga3.src.rpm nss-3.17.0-1.mga3.src.rpm firefox-24.8.0-1.mga3.src.rpm firefox-l10n-24.8.0-1.mga3.src.rpm thunderbird-24.8.0-1.mga3.src.rpm thunderbird-l10n-24.8.0-1.mga3.src.rpm rootcerts-20140805.00-1.mga4.src.rpm nspr-4.10.7-1.mga4.src.rpm nss-3.17.0-1.mga4.src.rpm firefox-24.8.0-1.mga4.src.rpm firefox-l10n-24.8.0-1.mga4.src.rpm thunderbird-24.8.0-1.mga4.src.rpm thunderbird-l10n-24.8.0-1.mga4.src.rpm
Updated packages uploaded for Mageia 3 and Mageia 4. Details in Comment 0 (formal advisory still pending). Package list in Comment 1.
Assignee: bugsquad => qa-bugs
No exploits listed on Securityfocus.

Testing mga3-64.
Thunderbird: send/receive/move/delete work on IMAP/SMTP
Firefox: General browsing, sunspider javascript, flash (Youtube) all OK.

I'm having an issue with getting java to run, but it's probably a setting on my end, as this is a fresh install. If I don't have any problems with mga4-64, I'll presume that's good to go.
CC: (none) => wrw105
Everything's working fine here Mageia 4 i586 (Java and Flash included) for Firefox and Thunderbird.
You're probably missing icedtea-web, Bill
Claire: already checked that, it's there and enabled. Probably some obscure setting in the bowels of about:config that I'm missing. Mga4-64 tested as above, all OK including java.
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok mga3-64-ok
mga3-32: all OK.
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok
mga3 64 is OK here

Java tested at
https://www.java.com/en/download/installed.jsp
http://javatester.org/version.html

I had to refresh a few times at the 2nd link but it showed properly then.
Also http://www.w3.org/People/mimasa/test/object/java/jar-nest2
Thanks Bill and Claire.

Still no update from RedHat. I'm guessing their advisory will read as follows. We can use this and validate it.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1562, CVE-2014-1567).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1567
https://www.mozilla.org/security/announce/2014/mfsa2014-67.html
https://www.mozilla.org/security/announce/2014/mfsa2014-72.html
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok => MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok => MGA3TOO has_procedure advisory mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/610599/
(In reply to David Walser from comment #10)
> Still no update from RedHat. I'm guessing their
> advisory will read as follows. We can use this and validate it.

Nailed it! :D

If someone wouldn't mind adding these to the references...
https://rhn.redhat.com/errata/RHSA-2014-1144.html
https://rhn.redhat.com/errata/RHSA-2014-1145.html
done
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0372.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED