Bug 14293 - Firefox and Thunderbird 31.2
Summary: Firefox and Thunderbird 31.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/616263/
Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-15 19:09 CEST by David Walser
Modified: 2014-10-25 22:23 CEST

See Also:
Source RPM: firefox, thunderbird, nss
CVE:
Status comment:


Description David Walser 2014-10-15 19:09:43 CEST
RedHat has issued an advisory today (October 15):
https://rhn.redhat.com/errata/RHSA-2014-1635.html

This will be our first update to the 31 ESR branch for Mageia 3 and Mageia 4.

The update will require updated libvpx and sqlite3 versions as well.

For Mageia 4, we're also updating libpng to the newest version.

The nss package will also be updated to 3.17.2 with this update.

Besides the security issues that are fixed in Firefox and Thunderbird 31.2, this update will fix one other security issue in Enigmail (part of the Thunderbird package), CVE-2013-5369, for which OpenSuSE issued an update on September 8:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html

from http://lwn.net/Vulnerabilities/610601/

David Walser 2014-10-15 19:09:59 CEST

CC: (none) => doktor5000
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-10-15 19:12:25 CEST
Oh, the thunderbird-lightning package is also being updated to version 3.3 for this update.
Comment 2 David Walser 2014-10-15 19:16:08 CEST
RedHat hasn't yet updated thunderbird, but Ubuntu has:
http://www.ubuntu.com/usn/usn-2373-1/
David Walser 2014-10-15 19:18:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/616263/

Comment 3 David Walser 2014-10-15 21:29:22 CEST
I believe everything is committed in SVN.

I'm waiting for freeze pushes in Cauldron.

These have yet to be built in updates_testing:
firefox-31.2.0-1.mga3.src.rpm
thunderbird-31.2.0-1.mga3.src.rpm
thunderbird-l10n-31.2.0-1.mga3.src.rpm
thunderbird-lightning-3.3-1.mga3.src.rpm
firefox-31.2.0-1.mga4.src.rpm
thunderbird-31.2.0-1.mga4.src.rpm
thunderbird-l10n-31.2.0-1.mga4.src.rpm

These ones are already built in updates_testing:
libvpx-1.3.0-1.mga3.src.rpm
sqlite3-3.8.6-1.mga3.src.rpm
nss-3.17.2-1.mga3.src.rpm
firefox-l10n-31.2.0-1.mga3.src.rpm
libpng-1.6.13-1.mga4.src.rpm
libvpx-1.3.0-1.mga4.src.rpm
sqlite3-3.8.6-1.mga4.src.rpm
nss-3.17.2-1.mga4.src.rpm
firefox-l10n-31.2.0-1.mga4.src.rpm
thunderbird-lightning-3.3-1.mga4.src.rpm

The full package list for the ones already built:
libvpx1-1.3.0-1.mga3
libvpx-devel-1.3.0-1.mga3
libvpx-utils-1.3.0-1.mga3
sqlite3-tcl-3.8.6-1.mga3
sqlite3-tools-3.8.6-1.mga3
lemon-3.8.6-1.mga3
libsqlite3-devel-3.8.6-1.mga3
libsqlite3-static-devel-3.8.6-1.mga3
libsqlite3_0-3.8.6-1.mga3
nss-3.17.2-1.mga3
nss-doc-3.17.2-1.mga3
libnss3-3.17.2-1.mga3
libnss-devel-3.17.2-1.mga3
libnss-static-devel-3.17.2-1.mga3
firefox-af-31.2.0-1.mga3
firefox-ar-31.2.0-1.mga3
firefox-as-31.2.0-1.mga3
firefox-ast-31.2.0-1.mga3
firefox-be-31.2.0-1.mga3
firefox-bg-31.2.0-1.mga3
firefox-bn_IN-31.2.0-1.mga3
firefox-bn_BD-31.2.0-1.mga3
firefox-br-31.2.0-1.mga3
firefox-bs-31.2.0-1.mga3
firefox-ca-31.2.0-1.mga3
firefox-cs-31.2.0-1.mga3
firefox-csb-31.2.0-1.mga3
firefox-cy-31.2.0-1.mga3
firefox-da-31.2.0-1.mga3
firefox-de-31.2.0-1.mga3
firefox-el-31.2.0-1.mga3
firefox-en_GB-31.2.0-1.mga3
firefox-en_ZA-31.2.0-1.mga3
firefox-eo-31.2.0-1.mga3
firefox-es_AR-31.2.0-1.mga3
firefox-es_CL-31.2.0-1.mga3
firefox-es_ES-31.2.0-1.mga3
firefox-es_MX-31.2.0-1.mga3
firefox-et-31.2.0-1.mga3
firefox-eu-31.2.0-1.mga3
firefox-fa-31.2.0-1.mga3
firefox-ff-31.2.0-1.mga3
firefox-fi-31.2.0-1.mga3
firefox-fr-31.2.0-1.mga3
firefox-fy-31.2.0-1.mga3
firefox-ga_IE-31.2.0-1.mga3
firefox-gd-31.2.0-1.mga3
firefox-gl-31.2.0-1.mga3
firefox-gu_IN-31.2.0-1.mga3
firefox-he-31.2.0-1.mga3
firefox-hi-31.2.0-1.mga3
firefox-hr-31.2.0-1.mga3
firefox-hu-31.2.0-1.mga3
firefox-hy-31.2.0-1.mga3
firefox-id-31.2.0-1.mga3
firefox-is-31.2.0-1.mga3
firefox-it-31.2.0-1.mga3
firefox-ja-31.2.0-1.mga3
firefox-kk-31.2.0-1.mga3
firefox-ko-31.2.0-1.mga3
firefox-km-31.2.0-1.mga3
firefox-kn-31.2.0-1.mga3
firefox-ku-31.2.0-1.mga3
firefox-lg-31.2.0-1.mga3
firefox-lij-31.2.0-1.mga3
firefox-lt-31.2.0-1.mga3
firefox-lv-31.2.0-1.mga3
firefox-mai-31.2.0-1.mga3
firefox-mk-31.2.0-1.mga3
firefox-ml-31.2.0-1.mga3
firefox-mr-31.2.0-1.mga3
firefox-nb_NO-31.2.0-1.mga3
firefox-nl-31.2.0-1.mga3
firefox-nn_NO-31.2.0-1.mga3
firefox-nso-31.2.0-1.mga3
firefox-or-31.2.0-1.mga3
firefox-pa_IN-31.2.0-1.mga3
firefox-pl-31.2.0-1.mga3
firefox-pt_BR-31.2.0-1.mga3
firefox-pt_PT-31.2.0-1.mga3
firefox-ro-31.2.0-1.mga3
firefox-ru-31.2.0-1.mga3
firefox-si-31.2.0-1.mga3
firefox-sk-31.2.0-1.mga3
firefox-sl-31.2.0-1.mga3
firefox-sq-31.2.0-1.mga3
firefox-sr-31.2.0-1.mga3
firefox-sv_SE-31.2.0-1.mga3
firefox-ta-31.2.0-1.mga3
firefox-ta_LK-31.2.0-1.mga3
firefox-te-31.2.0-1.mga3
firefox-th-31.2.0-1.mga3
firefox-tr-31.2.0-1.mga3
firefox-uk-31.2.0-1.mga3
firefox-vi-31.2.0-1.mga3
firefox-zh_CN-31.2.0-1.mga3
firefox-zh_TW-31.2.0-1.mga3
firefox-zu-31.2.0-1.mga3
libpng16_16-1.6.13-1.mga4
libpng-devel-1.6.13-1.mga4
libvpx1-1.3.0-1.mga4
libvpx-devel-1.3.0-1.mga4
libvpx-utils-1.3.0-1.mga4
sqlite3-tcl-3.8.6-1.mga4
sqlite3-tools-3.8.6-1.mga4
lemon-3.8.6-1.mga4
libsqlite3-devel-3.8.6-1.mga4
libsqlite3-static-devel-3.8.6-1.mga4
libsqlite3_0-3.8.6-1.mga4
nss-3.17.2-1.mga4
nss-doc-3.17.2-1.mga4
libnss3-3.17.2-1.mga4
libnss-devel-3.17.2-1.mga4
libnss-static-devel-3.17.2-1.mga4
firefox-af-31.2.0-1.mga4
firefox-ar-31.2.0-1.mga4
firefox-as-31.2.0-1.mga4
firefox-ast-31.2.0-1.mga4
firefox-be-31.2.0-1.mga4
firefox-bg-31.2.0-1.mga4
firefox-bn_IN-31.2.0-1.mga4
firefox-bn_BD-31.2.0-1.mga4
firefox-br-31.2.0-1.mga4
firefox-bs-31.2.0-1.mga4
firefox-ca-31.2.0-1.mga4
firefox-cs-31.2.0-1.mga4
firefox-csb-31.2.0-1.mga4
firefox-cy-31.2.0-1.mga4
firefox-da-31.2.0-1.mga4
firefox-de-31.2.0-1.mga4
firefox-el-31.2.0-1.mga4
firefox-en_GB-31.2.0-1.mga4
firefox-en_ZA-31.2.0-1.mga4
firefox-eo-31.2.0-1.mga4
firefox-es_AR-31.2.0-1.mga4
firefox-es_CL-31.2.0-1.mga4
firefox-es_ES-31.2.0-1.mga4
firefox-es_MX-31.2.0-1.mga4
firefox-et-31.2.0-1.mga4
firefox-eu-31.2.0-1.mga4
firefox-fa-31.2.0-1.mga4
firefox-ff-31.2.0-1.mga4
firefox-fi-31.2.0-1.mga4
firefox-fr-31.2.0-1.mga4
firefox-fy-31.2.0-1.mga4
firefox-ga_IE-31.2.0-1.mga4
firefox-gd-31.2.0-1.mga4
firefox-gl-31.2.0-1.mga4
firefox-gu_IN-31.2.0-1.mga4
firefox-he-31.2.0-1.mga4
firefox-hi-31.2.0-1.mga4
firefox-hr-31.2.0-1.mga4
firefox-hu-31.2.0-1.mga4
firefox-hy-31.2.0-1.mga4
firefox-id-31.2.0-1.mga4
firefox-is-31.2.0-1.mga4
firefox-it-31.2.0-1.mga4
firefox-ja-31.2.0-1.mga4
firefox-kk-31.2.0-1.mga4
firefox-ko-31.2.0-1.mga4
firefox-km-31.2.0-1.mga4
firefox-kn-31.2.0-1.mga4
firefox-ku-31.2.0-1.mga4
firefox-lg-31.2.0-1.mga4
firefox-lij-31.2.0-1.mga4
firefox-lt-31.2.0-1.mga4
firefox-lv-31.2.0-1.mga4
firefox-mai-31.2.0-1.mga4
firefox-mk-31.2.0-1.mga4
firefox-ml-31.2.0-1.mga4
firefox-mr-31.2.0-1.mga4
firefox-nb_NO-31.2.0-1.mga4
firefox-nl-31.2.0-1.mga4
firefox-nn_NO-31.2.0-1.mga4
firefox-nso-31.2.0-1.mga4
firefox-or-31.2.0-1.mga4
firefox-pa_IN-31.2.0-1.mga4
firefox-pl-31.2.0-1.mga4
firefox-pt_BR-31.2.0-1.mga4
firefox-pt_PT-31.2.0-1.mga4
firefox-ro-31.2.0-1.mga4
firefox-ru-31.2.0-1.mga4
firefox-si-31.2.0-1.mga4
firefox-sk-31.2.0-1.mga4
firefox-sl-31.2.0-1.mga4
firefox-sq-31.2.0-1.mga4
firefox-sr-31.2.0-1.mga4
firefox-sv_SE-31.2.0-1.mga4
firefox-ta-31.2.0-1.mga4
firefox-ta_LK-31.2.0-1.mga4
firefox-te-31.2.0-1.mga4
firefox-th-31.2.0-1.mga4
firefox-tr-31.2.0-1.mga4
firefox-uk-31.2.0-1.mga4
firefox-vi-31.2.0-1.mga4
firefox-zh_CN-31.2.0-1.mga4
firefox-zh_TW-31.2.0-1.mga4
firefox-zu-31.2.0-1.mga4
thunderbird-lightning-3.3-1.mga4
Comment 4 Otto Leipälä 2014-10-15 23:28:30 CEST
Testing firefox 31.2 mga4 64&32: no crash, not even a single problem found so far, same for thunderbird; tomorrow I will test mga3.

CC: (none) => ozkyster

Comment 5 David Walser 2014-10-15 23:31:07 CEST
The firefox 31.2 mga4 build that was temporarily available was removed due to some errors in the SPEC file.  It will be rebuilt later.  No FF/TB builds are available to test yet.
Comment 6 Otto Leipälä 2014-10-15 23:44:35 CEST
OK, I will remove it from testing and wait for a newer version.
Comment 7 David Walser 2014-10-16 18:05:06 CEST
RedHat has issued an advisory for Thunderbird on October 15:
https://rhn.redhat.com/errata/RHSA-2014-1647.html
Comment 8 David Walser 2014-10-16 20:53:01 CEST
The thunderbird and thunderbird-l10n packages have been pushed in Cauldron.

For firefox in Cauldron, there's a linking error:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20141016115250.ennael.valstar.19035/log/firefox-31.2.0-2.mga5/build.0.20141016120428.log
Comment 9 Florian Hubold 2014-10-16 22:49:38 CEST
Actually only those two lines are an issue:

/home/iurt/rpmbuild/BUILD/mozilla-esr31/content/media/SharedBuffer.h:68: error: undefined reference to 'mozilla::AudioQueueMemoryFunctor::MallocSizeOf(void const*)'
/home/iurt/rpmbuild/BUILD/mozilla-esr31/content/media/MediaData.h:86: error: undefined reference to 'mozilla::AudioQueueMemoryFunctor::MallocSizeOf(void const*)'

See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1025639 and maybe https://bugzilla.mozilla.org/show_bug.cgi?id=999496

Probably won't have time to look at this until end of next week -.-
Alejandro Cobo 2014-10-20 19:26:00 CEST

CC: (none) => alejandrocobo

Comment 10 Oden Eriksson 2014-10-22 12:32:08 CEST
(In reply to David Walser from comment #5)
> The firefox 31.2 mga4 build that was temporarily available was removed due
> to some errors in the SPEC file.  It will be rebuilt later.  No FF/TB builds
> are available to test yet.

Which errors?

CC: (none) => oe

Comment 11 David Walser 2014-10-22 12:50:57 CEST
(In reply to Oden Eriksson from comment #10)
> (In reply to David Walser from comment #5)
> > The firefox 31.2 mga4 build that was temporarily available was removed due
> > to some errors in the SPEC file.  It will be rebuilt later.  No FF/TB builds
> > are available to test yet.
> 
> Which errors?

The ones I fixed in this commit:
http://svnweb.mageia.org/packages?view=revision&revision=755374

It's basically ready to build now, but the problem is it doesn't build in Cauldron, as you can see in Comment 8.  Florian gave some links that might help in Comment 9, and Thierry commented on the dev ml that he may have fixed this issue previously in firefox-beta in Cauldron, I'm guessing with this commit:
http://svnweb.mageia.org/packages?view=revision&revision=636421

I'll try adding that patch when I get a chance, maybe tomorrow.
Comment 12 Florian Hubold 2014-10-23 14:33:38 CEST
http://svnweb.mageia.org/packages?view=revision&revision=792682 sent to BS as firefox-31.2.0-3.mga5 for updates_testing, let's hope it builds.
Angelo Naselli 2014-10-23 15:35:03 CEST

CC: (none) => anaselli

Comment 13 David Walser 2014-10-24 21:32:29 CEST
Everything is built and uploaded.  Advisory to come.

Updated packages in core/updates_testing:
========================
libvpx1-1.3.0-1.mga3
libvpx-devel-1.3.0-1.mga3
libvpx-utils-1.3.0-1.mga3
sqlite3-tcl-3.8.6-1.mga3
sqlite3-tools-3.8.6-1.mga3
lemon-3.8.6-1.mga3
libsqlite3-devel-3.8.6-1.mga3
libsqlite3-static-devel-3.8.6-1.mga3
libsqlite3_0-3.8.6-1.mga3
nss-3.17.2-1.mga3
nss-doc-3.17.2-1.mga3
libnss3-3.17.2-1.mga3
libnss-devel-3.17.2-1.mga3
libnss-static-devel-3.17.2-1.mga3
firefox-31.2.0-1.mga3
firefox-devel-31.2.0-1.mga3
firefox-af-31.2.0-1.mga3
firefox-ar-31.2.0-1.mga3
firefox-as-31.2.0-1.mga3
firefox-ast-31.2.0-1.mga3
firefox-be-31.2.0-1.mga3
firefox-bg-31.2.0-1.mga3
firefox-bn_IN-31.2.0-1.mga3
firefox-bn_BD-31.2.0-1.mga3
firefox-br-31.2.0-1.mga3
firefox-bs-31.2.0-1.mga3
firefox-ca-31.2.0-1.mga3
firefox-cs-31.2.0-1.mga3
firefox-csb-31.2.0-1.mga3
firefox-cy-31.2.0-1.mga3
firefox-da-31.2.0-1.mga3
firefox-de-31.2.0-1.mga3
firefox-el-31.2.0-1.mga3
firefox-en_GB-31.2.0-1.mga3
firefox-en_ZA-31.2.0-1.mga3
firefox-eo-31.2.0-1.mga3
firefox-es_AR-31.2.0-1.mga3
firefox-es_CL-31.2.0-1.mga3
firefox-es_ES-31.2.0-1.mga3
firefox-es_MX-31.2.0-1.mga3
firefox-et-31.2.0-1.mga3
firefox-eu-31.2.0-1.mga3
firefox-fa-31.2.0-1.mga3
firefox-ff-31.2.0-1.mga3
firefox-fi-31.2.0-1.mga3
firefox-fr-31.2.0-1.mga3
firefox-fy-31.2.0-1.mga3
firefox-ga_IE-31.2.0-1.mga3
firefox-gd-31.2.0-1.mga3
firefox-gl-31.2.0-1.mga3
firefox-gu_IN-31.2.0-1.mga3
firefox-he-31.2.0-1.mga3
firefox-hi-31.2.0-1.mga3
firefox-hr-31.2.0-1.mga3
firefox-hu-31.2.0-1.mga3
firefox-hy-31.2.0-1.mga3
firefox-id-31.2.0-1.mga3
firefox-is-31.2.0-1.mga3
firefox-it-31.2.0-1.mga3
firefox-ja-31.2.0-1.mga3
firefox-kk-31.2.0-1.mga3
firefox-ko-31.2.0-1.mga3
firefox-km-31.2.0-1.mga3
firefox-kn-31.2.0-1.mga3
firefox-ku-31.2.0-1.mga3
firefox-lg-31.2.0-1.mga3
firefox-lij-31.2.0-1.mga3
firefox-lt-31.2.0-1.mga3
firefox-lv-31.2.0-1.mga3
firefox-mai-31.2.0-1.mga3
firefox-mk-31.2.0-1.mga3
firefox-ml-31.2.0-1.mga3
firefox-mr-31.2.0-1.mga3
firefox-nb_NO-31.2.0-1.mga3
firefox-nl-31.2.0-1.mga3
firefox-nn_NO-31.2.0-1.mga3
firefox-nso-31.2.0-1.mga3
firefox-or-31.2.0-1.mga3
firefox-pa_IN-31.2.0-1.mga3
firefox-pl-31.2.0-1.mga3
firefox-pt_BR-31.2.0-1.mga3
firefox-pt_PT-31.2.0-1.mga3
firefox-ro-31.2.0-1.mga3
firefox-ru-31.2.0-1.mga3
firefox-si-31.2.0-1.mga3
firefox-sk-31.2.0-1.mga3
firefox-sl-31.2.0-1.mga3
firefox-sq-31.2.0-1.mga3
firefox-sr-31.2.0-1.mga3
firefox-sv_SE-31.2.0-1.mga3
firefox-ta-31.2.0-1.mga3
firefox-ta_LK-31.2.0-1.mga3
firefox-te-31.2.0-1.mga3
firefox-th-31.2.0-1.mga3
firefox-tr-31.2.0-1.mga3
firefox-uk-31.2.0-1.mga3
firefox-vi-31.2.0-1.mga3
firefox-zh_CN-31.2.0-1.mga3
firefox-zh_TW-31.2.0-1.mga3
firefox-zu-31.2.0-1.mga3
thunderbird-31.2.0-1.mga3
thunderbird-enigmail-31.2.0-1.mga3
nsinstall-31.2.0-1.mga3
thunderbird-ar-31.2.0-1.mga3
thunderbird-ast-31.2.0-1.mga3
thunderbird-be-31.2.0-1.mga3
thunderbird-bg-31.2.0-1.mga3
thunderbird-bn_BD-31.2.0-1.mga3
thunderbird-br-31.2.0-1.mga3
thunderbird-ca-31.2.0-1.mga3
thunderbird-cs-31.2.0-1.mga3
thunderbird-da-31.2.0-1.mga3
thunderbird-de-31.2.0-1.mga3
thunderbird-el-31.2.0-1.mga3
thunderbird-en_GB-31.2.0-1.mga3
thunderbird-es_AR-31.2.0-1.mga3
thunderbird-es_ES-31.2.0-1.mga3
thunderbird-et-31.2.0-1.mga3
thunderbird-eu-31.2.0-1.mga3
thunderbird-fi-31.2.0-1.mga3
thunderbird-fr-31.2.0-1.mga3
thunderbird-fy-31.2.0-1.mga3
thunderbird-ga-31.2.0-1.mga3
thunderbird-gd-31.2.0-1.mga3
thunderbird-gl-31.2.0-1.mga3
thunderbird-he-31.2.0-1.mga3
thunderbird-hr-31.2.0-1.mga3
thunderbird-hu-31.2.0-1.mga3
thunderbird-hy-31.2.0-1.mga3
thunderbird-id-31.2.0-1.mga3
thunderbird-is-31.2.0-1.mga3
thunderbird-it-31.2.0-1.mga3
thunderbird-ja-31.2.0-1.mga3
thunderbird-ko-31.2.0-1.mga3
thunderbird-lt-31.2.0-1.mga3
thunderbird-nb_NO-31.2.0-1.mga3
thunderbird-nl-31.2.0-1.mga3
thunderbird-nn_NO-31.2.0-1.mga3
thunderbird-pl-31.2.0-1.mga3
thunderbird-pa_IN-31.2.0-1.mga3
thunderbird-pt_BR-31.2.0-1.mga3
thunderbird-pt_PT-31.2.0-1.mga3
thunderbird-ro-31.2.0-1.mga3
thunderbird-ru-31.2.0-1.mga3
thunderbird-si-31.2.0-1.mga3
thunderbird-sk-31.2.0-1.mga3
thunderbird-sl-31.2.0-1.mga3
thunderbird-sq-31.2.0-1.mga3
thunderbird-sv_SE-31.2.0-1.mga3
thunderbird-ta_LK-31.2.0-1.mga3
thunderbird-tr-31.2.0-1.mga3
thunderbird-uk-31.2.0-1.mga3
thunderbird-vi-31.2.0-1.mga3
thunderbird-zh_CN-31.2.0-1.mga3
thunderbird-zh_TW-31.2.0-1.mga3
thunderbird-lightning-3.3-1.mga3
libpng16_16-1.6.13-1.mga4
libpng-devel-1.6.13-1.mga4
libvpx1-1.3.0-1.mga4
libvpx-devel-1.3.0-1.mga4
libvpx-utils-1.3.0-1.mga4
sqlite3-tcl-3.8.6-1.mga4
sqlite3-tools-3.8.6-1.mga4
lemon-3.8.6-1.mga4
libsqlite3-devel-3.8.6-1.mga4
libsqlite3-static-devel-3.8.6-1.mga4
libsqlite3_0-3.8.6-1.mga4
nss-3.17.2-1.mga4
nss-doc-3.17.2-1.mga4
libnss3-3.17.2-1.mga4
libnss-devel-3.17.2-1.mga4
libnss-static-devel-3.17.2-1.mga4
firefox-31.2.0-1.mga4
firefox-devel-31.2.0-1.mga4
firefox-af-31.2.0-1.mga4
firefox-ar-31.2.0-1.mga4
firefox-as-31.2.0-1.mga4
firefox-ast-31.2.0-1.mga4
firefox-be-31.2.0-1.mga4
firefox-bg-31.2.0-1.mga4
firefox-bn_IN-31.2.0-1.mga4
firefox-bn_BD-31.2.0-1.mga4
firefox-br-31.2.0-1.mga4
firefox-bs-31.2.0-1.mga4
firefox-ca-31.2.0-1.mga4
firefox-cs-31.2.0-1.mga4
firefox-csb-31.2.0-1.mga4
firefox-cy-31.2.0-1.mga4
firefox-da-31.2.0-1.mga4
firefox-de-31.2.0-1.mga4
firefox-el-31.2.0-1.mga4
firefox-en_GB-31.2.0-1.mga4
firefox-en_ZA-31.2.0-1.mga4
firefox-eo-31.2.0-1.mga4
firefox-es_AR-31.2.0-1.mga4
firefox-es_CL-31.2.0-1.mga4
firefox-es_ES-31.2.0-1.mga4
firefox-es_MX-31.2.0-1.mga4
firefox-et-31.2.0-1.mga4
firefox-eu-31.2.0-1.mga4
firefox-fa-31.2.0-1.mga4
firefox-ff-31.2.0-1.mga4
firefox-fi-31.2.0-1.mga4
firefox-fr-31.2.0-1.mga4
firefox-fy-31.2.0-1.mga4
firefox-ga_IE-31.2.0-1.mga4
firefox-gd-31.2.0-1.mga4
firefox-gl-31.2.0-1.mga4
firefox-gu_IN-31.2.0-1.mga4
firefox-he-31.2.0-1.mga4
firefox-hi-31.2.0-1.mga4
firefox-hr-31.2.0-1.mga4
firefox-hu-31.2.0-1.mga4
firefox-hy-31.2.0-1.mga4
firefox-id-31.2.0-1.mga4
firefox-is-31.2.0-1.mga4
firefox-it-31.2.0-1.mga4
firefox-ja-31.2.0-1.mga4
firefox-kk-31.2.0-1.mga4
firefox-ko-31.2.0-1.mga4
firefox-km-31.2.0-1.mga4
firefox-kn-31.2.0-1.mga4
firefox-ku-31.2.0-1.mga4
firefox-lg-31.2.0-1.mga4
firefox-lij-31.2.0-1.mga4
firefox-lt-31.2.0-1.mga4
firefox-lv-31.2.0-1.mga4
firefox-mai-31.2.0-1.mga4
firefox-mk-31.2.0-1.mga4
firefox-ml-31.2.0-1.mga4
firefox-mr-31.2.0-1.mga4
firefox-nb_NO-31.2.0-1.mga4
firefox-nl-31.2.0-1.mga4
firefox-nn_NO-31.2.0-1.mga4
firefox-nso-31.2.0-1.mga4
firefox-or-31.2.0-1.mga4
firefox-pa_IN-31.2.0-1.mga4
firefox-pl-31.2.0-1.mga4
firefox-pt_BR-31.2.0-1.mga4
firefox-pt_PT-31.2.0-1.mga4
firefox-ro-31.2.0-1.mga4
firefox-ru-31.2.0-1.mga4
firefox-si-31.2.0-1.mga4
firefox-sk-31.2.0-1.mga4
firefox-sl-31.2.0-1.mga4
firefox-sq-31.2.0-1.mga4
firefox-sr-31.2.0-1.mga4
firefox-sv_SE-31.2.0-1.mga4
firefox-ta-31.2.0-1.mga4
firefox-ta_LK-31.2.0-1.mga4
firefox-te-31.2.0-1.mga4
firefox-th-31.2.0-1.mga4
firefox-tr-31.2.0-1.mga4
firefox-uk-31.2.0-1.mga4
firefox-vi-31.2.0-1.mga4
firefox-zh_CN-31.2.0-1.mga4
firefox-zh_TW-31.2.0-1.mga4
firefox-zu-31.2.0-1.mga4
thunderbird-31.2.0-1.mga4
thunderbird-enigmail-31.2.0-1.mga4
nsinstall-31.2.0-1.mga4
thunderbird-ar-31.2.0-1.mga4
thunderbird-ast-31.2.0-1.mga4
thunderbird-be-31.2.0-1.mga4
thunderbird-bg-31.2.0-1.mga4
thunderbird-bn_BD-31.2.0-1.mga4
thunderbird-br-31.2.0-1.mga4
thunderbird-ca-31.2.0-1.mga4
thunderbird-cs-31.2.0-1.mga4
thunderbird-da-31.2.0-1.mga4
thunderbird-de-31.2.0-1.mga4
thunderbird-el-31.2.0-1.mga4
thunderbird-en_GB-31.2.0-1.mga4
thunderbird-es_AR-31.2.0-1.mga4
thunderbird-es_ES-31.2.0-1.mga4
thunderbird-et-31.2.0-1.mga4
thunderbird-eu-31.2.0-1.mga4
thunderbird-fi-31.2.0-1.mga4
thunderbird-fr-31.2.0-1.mga4
thunderbird-fy-31.2.0-1.mga4
thunderbird-ga-31.2.0-1.mga4
thunderbird-gd-31.2.0-1.mga4
thunderbird-gl-31.2.0-1.mga4
thunderbird-he-31.2.0-1.mga4
thunderbird-hr-31.2.0-1.mga4
thunderbird-hu-31.2.0-1.mga4
thunderbird-hy-31.2.0-1.mga4
thunderbird-id-31.2.0-1.mga4
thunderbird-is-31.2.0-1.mga4
thunderbird-it-31.2.0-1.mga4
thunderbird-ja-31.2.0-1.mga4
thunderbird-ko-31.2.0-1.mga4
thunderbird-lt-31.2.0-1.mga4
thunderbird-nb_NO-31.2.0-1.mga4
thunderbird-nl-31.2.0-1.mga4
thunderbird-nn_NO-31.2.0-1.mga4
thunderbird-pl-31.2.0-1.mga4
thunderbird-pa_IN-31.2.0-1.mga4
thunderbird-pt_BR-31.2.0-1.mga4
thunderbird-pt_PT-31.2.0-1.mga4
thunderbird-ro-31.2.0-1.mga4
thunderbird-ru-31.2.0-1.mga4
thunderbird-si-31.2.0-1.mga4
thunderbird-sk-31.2.0-1.mga4
thunderbird-sl-31.2.0-1.mga4
thunderbird-sq-31.2.0-1.mga4
thunderbird-sv_SE-31.2.0-1.mga4
thunderbird-ta_LK-31.2.0-1.mga4
thunderbird-tr-31.2.0-1.mga4
thunderbird-uk-31.2.0-1.mga4
thunderbird-vi-31.2.0-1.mga4
thunderbird-zh_CN-31.2.0-1.mga4
thunderbird-zh_TW-31.2.0-1.mga4
thunderbird-lightning-3.3-1.mga4

from SRPMS:
libvpx-1.3.0-1.mga3.src.rpm
sqlite3-3.8.6-1.mga3.src.rpm
nss-3.17.2-1.mga3.src.rpm
firefox-31.2.0-1.mga3.src.rpm
firefox-l10n-31.2.0-1.mga3.src.rpm
thunderbird-31.2.0-1.mga3.src.rpm
thunderbird-l10n-31.2.0-1.mga3.src.rpm
thunderbird-lightning-3.3-1.mga3.src.rpm
libpng-1.6.13-1.mga4.src.rpm
libvpx-1.3.0-1.mga4.src.rpm
sqlite3-3.8.6-1.mga4.src.rpm
nss-3.17.2-1.mga4.src.rpm
firefox-31.2.0-1.mga4.src.rpm
firefox-l10n-31.2.0-1.mga4.src.rpm
thunderbird-31.2.0-1.mga4.src.rpm
thunderbird-l10n-31.2.0-1.mga4.src.rpm
thunderbird-lightning-3.3-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 14 David Walser 2014-10-24 21:43:09 CEST
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running it (CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576,
CVE-2014-1577).

A flaw was found in the Alarm API in Firefox, which allows applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass cross-origin restrictions (CVE-2014-1583).

Also, Enigmail (part of the Thunderbird package) has been updated to version
1.7.2 which contains several bugfixes including mail with only Bcc recipients
being sent in plain text unexpectedly (CVE-2014-5369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5369
https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-1635.html
https://rhn.redhat.com/errata/RHSA-2014-1647.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html
Comment 15 Bill Wilkinson 2014-10-25 01:11:03 CEST
tested mga4-64 with the usual battery:
Firefox:
Acid3
sunspider for javascript
general browsing
javatester to verify java
tested png files through google search
Tested vp8 through www.webmfiles.org/demo-files
Youtube for flash

Thunderbird:
Send/receive/move/delete via smtp/imap, calendars load normally in lightning.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 16 Bill Wilkinson 2014-10-25 02:34:06 CEST
tested mga3-64 as above: except, per luigi12 on IRC, there is no libpng update for mga3.  Otherwise it behaves as expected.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Comment 17 Bill Wilkinson 2014-10-25 03:14:09 CEST
Tested mga3-32 as comment 16.  All OK.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok

Comment 18 David Walser 2014-10-25 06:39:22 CEST
Firefox and Thunderbird working fine, Mageia 4 i586.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok => MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok

Comment 19 Otto Leipälä 2014-10-25 06:43:45 CEST
I tested Mga3-64 firefox and thunderbird OK. We should get this validated and pushed as fast as we can, because 24 ESR support is end of life, so we have no supported firefox in both stable releases.
Comment 20 David Walser 2014-10-25 06:46:52 CEST
Yep, it's a critical update and it's delayed already since it took a while to get packaged.  Feel free to validate it.
Comment 21 Otto Leipälä 2014-10-25 06:51:38 CEST
It seems all testing is done. I validate this update; if somebody has problems, unvalidate it.
Sysadmin please push this to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 22 Otto Leipälä 2014-10-25 06:52:07 CEST
It seems all testing is done. I validate this update.
Sysadmin please push this to updates.
Comment 23 Rémi Verschelde 2014-10-25 10:11:13 CEST
Advisory uploaded.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok => MGA3TOO mga4-64-ok mga3-64-ok mga3-32-ok mga4-32-ok advisory

Comment 24 David Walser 2014-10-25 16:28:03 CEST
Adding a paragraph to the advisory if you could update it...thanks.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running it (CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576,
CVE-2014-1577).

A flaw was found in the Alarm API in Firefox, which allows applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass cross-origin restrictions (CVE-2014-1583).

This update provides Firefox and Thunderbird 31.2, which fixes these issues
and other bugs, and also provides several new features, including WebRTC
support.  The thunderbird-lightning package has also been updated to version
3.3 which is compatible with the new Thunderbird version.

Also, Enigmail (part of the Thunderbird package) has been updated to version
1.7.2 which contains several bugfixes including mail with only Bcc recipients
being sent in plain text unexpectedly (CVE-2014-5369).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5369
https://www.mozilla.org/security/announce/2014/mfsa2014-74.html
https://www.mozilla.org/security/announce/2014/mfsa2014-75.html
https://www.mozilla.org/security/announce/2014/mfsa2014-76.html
https://www.mozilla.org/security/announce/2014/mfsa2014-77.html
https://www.mozilla.org/security/announce/2014/mfsa2014-79.html
https://www.mozilla.org/security/announce/2014/mfsa2014-82.html
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-1635.html
https://rhn.redhat.com/errata/RHSA-2014-1647.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00008.html
Comment 25 Rémi Verschelde 2014-10-25 16:30:52 CEST
Advisory updated.

CC: (none) => remi

Comment 26 Mageia Robot 2014-10-25 22:23:36 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0421.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

