Bug 14716 - Firefox and Thunderbird 31.3
Summary: Firefox and Thunderbird 31.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/624300/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-02 22:45 CET by David Walser
Modified: 2014-12-04 20:32 CET

See Also:
Source RPM: firefox, thunderbird, rootcerts, nss
CVE:
Status comment:


Description David Walser 2014-12-02 22:45:52 CET
Mozilla has issued advisories on December 1:
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

I saw these last night at:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

New rootcerts and nss versions are also available upstream.  The changes are documented here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

As noted in those release notes, nss 3.17.3 fixes CVE-2014-1569:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569

Also, the addition of TLS_FALLBACK_SCSV support for ssltap and tstclnt in nss 3.17.3 and the disabling by default of SSLv3 in Firefox/Thunderbird 31.3.0 are POODLE mitigations.

Updates are committed in SVN and built for Mageia 4 and Cauldron, except for Thunderbird, for which a build failure is currently being investigated.

Once Thunderbird is fixed, the updated packages for Mageia 4 will be:
rootcerts-20141117.00-1.mga4
rootcerts-java-20141117.00-1.mga4
nss-3.17.3-1.mga4
nss-doc-3.17.3-1.mga4
libnss3-3.17.3-1.mga4
libnss-devel-3.17.3-1.mga4
libnss-static-devel-3.17.3-1.mga4
firefox-31.3.0-1.mga4
firefox-devel-31.3.0-1.mga4
firefox-af-31.3.0-1.mga4
firefox-ar-31.3.0-1.mga4
firefox-as-31.3.0-1.mga4
firefox-ast-31.3.0-1.mga4
firefox-be-31.3.0-1.mga4
firefox-bg-31.3.0-1.mga4
firefox-bn_IN-31.3.0-1.mga4
firefox-bn_BD-31.3.0-1.mga4
firefox-br-31.3.0-1.mga4
firefox-bs-31.3.0-1.mga4
firefox-ca-31.3.0-1.mga4
firefox-cs-31.3.0-1.mga4
firefox-csb-31.3.0-1.mga4
firefox-cy-31.3.0-1.mga4
firefox-da-31.3.0-1.mga4
firefox-de-31.3.0-1.mga4
firefox-el-31.3.0-1.mga4
firefox-en_GB-31.3.0-1.mga4
firefox-en_ZA-31.3.0-1.mga4
firefox-eo-31.3.0-1.mga4
firefox-es_AR-31.3.0-1.mga4
firefox-es_CL-31.3.0-1.mga4
firefox-es_ES-31.3.0-1.mga4
firefox-es_MX-31.3.0-1.mga4
firefox-et-31.3.0-1.mga4
firefox-eu-31.3.0-1.mga4
firefox-fa-31.3.0-1.mga4
firefox-ff-31.3.0-1.mga4
firefox-fi-31.3.0-1.mga4
firefox-fr-31.3.0-1.mga4
firefox-fy-31.3.0-1.mga4
firefox-ga_IE-31.3.0-1.mga4
firefox-gd-31.3.0-1.mga4
firefox-gl-31.3.0-1.mga4
firefox-gu_IN-31.3.0-1.mga4
firefox-he-31.3.0-1.mga4
firefox-hi-31.3.0-1.mga4
firefox-hr-31.3.0-1.mga4
firefox-hu-31.3.0-1.mga4
firefox-hy-31.3.0-1.mga4
firefox-id-31.3.0-1.mga4
firefox-is-31.3.0-1.mga4
firefox-it-31.3.0-1.mga4
firefox-ja-31.3.0-1.mga4
firefox-kk-31.3.0-1.mga4
firefox-ko-31.3.0-1.mga4
firefox-km-31.3.0-1.mga4
firefox-kn-31.3.0-1.mga4
firefox-ku-31.3.0-1.mga4
firefox-lij-31.3.0-1.mga4
firefox-lt-31.3.0-1.mga4
firefox-lv-31.3.0-1.mga4
firefox-mai-31.3.0-1.mga4
firefox-mk-31.3.0-1.mga4
firefox-ml-31.3.0-1.mga4
firefox-mr-31.3.0-1.mga4
firefox-nb_NO-31.3.0-1.mga4
firefox-nl-31.3.0-1.mga4
firefox-nn_NO-31.3.0-1.mga4
firefox-or-31.3.0-1.mga4
firefox-pa_IN-31.3.0-1.mga4
firefox-pl-31.3.0-1.mga4
firefox-pt_BR-31.3.0-1.mga4
firefox-pt_PT-31.3.0-1.mga4
firefox-ro-31.3.0-1.mga4
firefox-ru-31.3.0-1.mga4
firefox-si-31.3.0-1.mga4
firefox-sk-31.3.0-1.mga4
firefox-sl-31.3.0-1.mga4
firefox-sq-31.3.0-1.mga4
firefox-sr-31.3.0-1.mga4
firefox-sv_SE-31.3.0-1.mga4
firefox-ta-31.3.0-1.mga4
firefox-te-31.3.0-1.mga4
firefox-th-31.3.0-1.mga4
firefox-tr-31.3.0-1.mga4
firefox-uk-31.3.0-1.mga4
firefox-vi-31.3.0-1.mga4
firefox-zh_CN-31.3.0-1.mga4
firefox-zh_TW-31.3.0-1.mga4
firefox-zu-31.3.0-1.mga4
thunderbird-31.3.0-1.mga4
thunderbird-enigmail-31.3.0-1.mga4
nsinstall-31.3.0-1.mga4
thunderbird-ar-31.3.0-1.mga4
thunderbird-ast-31.3.0-1.mga4
thunderbird-be-31.3.0-1.mga4
thunderbird-bg-31.3.0-1.mga4
thunderbird-bn_BD-31.3.0-1.mga4
thunderbird-br-31.3.0-1.mga4
thunderbird-ca-31.3.0-1.mga4
thunderbird-cs-31.3.0-1.mga4
thunderbird-da-31.3.0-1.mga4
thunderbird-de-31.3.0-1.mga4
thunderbird-el-31.3.0-1.mga4
thunderbird-en_GB-31.3.0-1.mga4
thunderbird-es_AR-31.3.0-1.mga4
thunderbird-es_ES-31.3.0-1.mga4
thunderbird-et-31.3.0-1.mga4
thunderbird-eu-31.3.0-1.mga4
thunderbird-fi-31.3.0-1.mga4
thunderbird-fr-31.3.0-1.mga4
thunderbird-fy-31.3.0-1.mga4
thunderbird-ga-31.3.0-1.mga4
thunderbird-gd-31.3.0-1.mga4
thunderbird-gl-31.3.0-1.mga4
thunderbird-he-31.3.0-1.mga4
thunderbird-hr-31.3.0-1.mga4
thunderbird-hu-31.3.0-1.mga4
thunderbird-hy-31.3.0-1.mga4
thunderbird-id-31.3.0-1.mga4
thunderbird-is-31.3.0-1.mga4
thunderbird-it-31.3.0-1.mga4
thunderbird-ja-31.3.0-1.mga4
thunderbird-ko-31.3.0-1.mga4
thunderbird-lt-31.3.0-1.mga4
thunderbird-nb_NO-31.3.0-1.mga4
thunderbird-nl-31.3.0-1.mga4
thunderbird-nn_NO-31.3.0-1.mga4
thunderbird-pl-31.3.0-1.mga4
thunderbird-pa_IN-31.3.0-1.mga4
thunderbird-pt_BR-31.3.0-1.mga4
thunderbird-pt_PT-31.3.0-1.mga4
thunderbird-ro-31.3.0-1.mga4
thunderbird-ru-31.3.0-1.mga4
thunderbird-si-31.3.0-1.mga4
thunderbird-sk-31.3.0-1.mga4
thunderbird-sl-31.3.0-1.mga4
thunderbird-sq-31.3.0-1.mga4
thunderbird-sv_SE-31.3.0-1.mga4
thunderbird-ta_LK-31.3.0-1.mga4
thunderbird-tr-31.3.0-1.mga4
thunderbird-uk-31.3.0-1.mga4
thunderbird-vi-31.3.0-1.mga4
thunderbird-zh_CN-31.3.0-1.mga4
thunderbird-zh_TW-31.3.0-1.mga4

from SRPMS:
rootcerts-20141117.00-1.mga4.src.rpm
nss-3.17.3-1.mga4.src.rpm
firefox-31.3.0-1.mga4.src.rpm
firefox-l10n-31.3.0-1.mga4.src.rpm
thunderbird-31.3.0-1.mga4.src.rpm
thunderbird-l10n-31.3.0-1.mga4.src.rpm

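Added illustration (not part of this bug report, and not NSS or Firefox code): a simulated version-fallback handshake showing what the two POODLE mitigations named above each buy against a downgrade attacker. The TLS_FALLBACK_SCSV value 0x5600 and the inappropriate_fallback alert (86) are the values from RFC 7507; the Server class, the blocking transport and the client fallback loop are a constructed model, and the cipher suite numbers are placeholders.

```python
"""Version fallback with and without TLS_FALLBACK_SCSV (simulation).

Added illustration, not NSS or Firefox code. The handshake is modelled as
plain function calls: a Server that picks a version, a transport that may
drop ClientHellos above some version (what a downgrade attacker or a
version-intolerant middlebox does), and a client fallback loop. The
TLS_FALLBACK_SCSV value 0x5600 and the inappropriate_fallback alert (86) are
from RFC 7507; the rest is a constructed model.
"""

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600
ALERT_INAPPROPRIATE_FALLBACK = 86


class HandshakeFailure(Exception):
    """Fatal alert from the server, or no version left to try."""


class Server:
    def __init__(self, max_version=TLS12, min_version=SSL3):
        self.max_version = max_version
        self.min_version = min_version

    def handle_client_hello(self, client_version, cipher_suites):
        """Negotiate a version, applying the RFC 7507 SCSV check."""
        if client_version < self.min_version:
            raise HandshakeFailure("alert protocol_version")
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < self.max_version:
            # The client says this is a retry at a lower version, yet we
            # support something newer: someone between us forced the
            # downgrade. Abort instead of negotiating the weaker version.
            raise HandshakeFailure(
                f"alert {ALERT_INAPPROPRIATE_FALLBACK} inappropriate_fallback")
        return min(client_version, self.max_version)


def blocking_transport(server, block_above):
    """Transport that drops every ClientHello above block_above, the way a
    downgrade attacker (or an intolerant middlebox) would."""
    def transport(client_version, cipher_suites):
        if client_version > block_above:
            raise ConnectionResetError("handshake interrupted")
        return server.handle_client_hello(client_version, cipher_suites)
    return transport


def connect_with_fallback(transport, max_version, min_version, send_scsv):
    """Client side: on a network-level failure retry one version lower,
    adding TLS_FALLBACK_SCSV to every retry when send_scsv is set."""
    versions = [v for v in (TLS12, TLS11, TLS10, SSL3)
                if min_version <= v <= max_version]
    for attempt, version in enumerate(versions):
        suites = [0x002F, 0x0035]            # placeholder RSA/AES-CBC suites
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return transport(version, suites)
        except ConnectionResetError:
            continue                         # assume intolerance, go lower
    raise HandshakeFailure("no version accepted")


def run_scenarios():
    """Return the outcome of each client configuration against an attacker
    that blocks everything above SSL 3.0, plus two control cases."""
    modern = Server(max_version=TLS12, min_version=SSL3)
    attacked = blocking_transport(modern, block_above=SSL3)
    out = {}
    # Pre-31.3 behaviour: no SCSV, SSL 3.0 enabled -> downgraded to SSL 3.0.
    out["no_scsv_ssl3_enabled"] = connect_with_fallback(attacked, TLS12, SSL3, False)
    # SCSV on retries: the server recognises the forced downgrade and aborts.
    try:
        out["scsv"] = connect_with_fallback(attacked, TLS12, SSL3, True)
    except HandshakeFailure as exc:
        out["scsv"] = str(exc)
    # SSL 3.0 disabled client side (minimum TLS 1.0): fallback runs out first.
    try:
        out["ssl3_disabled"] = connect_with_fallback(attacked, TLS12, TLS10, False)
    except HandshakeFailure as exc:
        out["ssl3_disabled"] = str(exc)
    # Control 1: no interference -> TLS 1.2, SCSV never sent.
    out["clean"] = connect_with_fallback(modern.handle_client_hello, TLS12, TLS10, True)
    # Control 2: genuinely old server behind an intolerant path -> SCSV does
    # not break the legitimate fallback, because TLS 1.0 is its maximum.
    old = Server(max_version=TLS10, min_version=SSL3)
    out["legit_fallback"] = connect_with_fallback(
        blocking_transport(old, block_above=TLS10), TLS12, TLS10, True)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result:#06x}" if isinstance(result, int) else f"{name}: {result}")
```

The two mitigations are complementary: the SCSV only helps when the server also implements the check, while disabling SSL 3.0 on the client protects against any server but gives up SSL 3.0-only peers; the last control case shows the SCSV does not break a legitimate fallback to a server whose real maximum is TLS 1.0.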
Comment 1 David Walser 2014-12-02 22:46:37 CET
CC'ing the QA team, as Firefox can be tested now.  Thunderbird will come later.

CC: (none) => doktor5000, qa-bugs

Comment 2 Florian Hubold 2014-12-02 23:22:55 CET
FWIW, I'm working on fixing the thunderbird update, first for mga4 then for cauldron. Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1106883
Comment 3 Florian Hubold 2014-12-03 01:42:12 CET
thunderbird-31.3.0-1.mga4 submitted to 4/updates_testing - hopefully it builds :)
Comment 4 David Walser 2014-12-03 02:01:02 CET
The Thunderbird update is now uploaded.  Assigning to QA.

Package list and details in Comment 0.  Advisory to come later.

CC: qa-bugs => (none)
Assignee: bugsquad => qa-bugs

Comment 5 David Walser 2014-12-03 03:59:12 CET
Firefox and Thunderbird working fine for me on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 6 James Kerr 2014-12-03 04:54:50 CET
Was there a problem with thunderbird-l10n? The packages don't seem to have made it to the mirrors. (I'm waiting for thunderbird-en_GB before updating.)

Firefox is working fine for me on 64 bit Mageia 4.
Comment 7 David Walser 2014-12-03 05:05:12 CET
Thanks James.  The l10n packages are on the way.
Comment 8 Olivier Delaune 2014-12-03 08:36:20 CET
Tested on Mageia 4 64-bits. Works fine up to now. Nothing special.

CC: (none) => olivier.delaune

Comment 9 James Kerr 2014-12-03 14:34:22 CET
Testing thunderbird on mga4 64 (only those features that I use)

Mail collection (via POP from ISP) OK
Mail filters OK
Links open in chrome (default browser) OK
Mail sending (through ISP) OK
System Mail collection (from /var/spool/mail) OK
RSS feeds OK
Usenet OK
Address books (I don't create mailing lists) OK
Calendars (I only use Events and not Tasks) OK

For me there are no regressions or problems.
Comment 10 olivier charles 2014-12-03 18:06:39 CET
Testing on Mageia4x64 real hardware

firefox-31.3.0-1.mga4
firefox-fr-31.3.0-1.mga4
thunderbird-31.3.0-1.mga4
thunderbird-fr-31.3.0-1.mga4
rootcerts-20141117.00-1.mga4
rootcerts-java-20141117.00-1.mga4
nss-3.17.3-1.mga4

Firefox (browsing, bookmarks, java, flash, installing/updating/removing extensions, theming, ...)
Thunderbird (registering new account, retrieving/sending mails, installing/removing extensions, theming, address book,...)

All OK up to now.

CC: (none) => olchal

Comment 11 David Walser 2014-12-03 18:07:30 CET
Adding the OKs from Olivier, olivier, and James's tests.

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 12 claire robinson 2014-12-03 18:12:31 CET
Just need an advisory then David please
Comment 13 David Walser 2014-12-03 18:17:26 CET
RedHat has issued advisories for this on December 2:
https://rhn.redhat.com/errata/RHSA-2014-1948.html
https://rhn.redhat.com/errata/RHSA-2014-1919.html
https://rhn.redhat.com/errata/RHSA-2014-1924.html

Advisory:
========================

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths
is too permissive, allowing undetected smuggling of arbitrary data
(CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592,
CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails. This can prevent a forceful downgrade of
the communication to SSL 3.0, mitigating CVE-2014-3566, also known as
POODLE.  SSL 3.0 support has also been disabled by default in this Firefox
and Thunderbird update, further mitigating POODLE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/
https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2014-1948.html
https://rhn.redhat.com/errata/RHSA-2014-1919.html
https://rhn.redhat.com/errata/RHSA-2014-1924.html
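Added illustration (not part of this bug report, and not NSS code): a strict DER length decoder beside a permissive one, showing the class of problem the advisory describes for CVE-2014-1569, where a decoder that accepts non-canonical length encodings lets the same item be written more than one way. The exact NSS defect is not reproduced; the decoders and the three sample encodings are constructed.

```python
"""Strict vs. permissive DER length decoding.

Added illustration, not NSS code. It shows the class of problem the advisory
describes for CVE-2014-1569: a decoder that accepts non-canonical length
encodings lets the same TLV be written in more than one way, so bytes in the
length field become attacker-controlled slack. The exact NSS defect is not
reproduced here; inputs are constructed.
"""


class DERError(ValueError):
    """Raised when input is not valid DER."""


def decode_length_permissive(buf, pos):
    """Lenient decoder: takes any long-form length at face value, including
    ones padded with leading zero bytes or used for values below 128."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if pos + nbytes > len(buf):
        raise DERError("truncated length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    return length, pos + nbytes


def decode_length_strict(buf, pos):
    """DER decoder: exactly one encoding is accepted for each length."""
    if pos >= len(buf):
        raise DERError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form, 0..127
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0:
        raise DERError("indefinite length is BER, not DER")
    if nbytes > 4:
        raise DERError("length field too long")
    if pos + nbytes > len(buf):
        raise DERError("truncated length")
    length_bytes = buf[pos:pos + nbytes]
    if length_bytes[0] == 0:
        raise DERError("non-minimal length: leading zero byte")
    length = int.from_bytes(length_bytes, "big")
    if length < 0x80:
        raise DERError("non-minimal length: long form for a value below 128")
    return length, pos + nbytes


def parse_tlv(buf, decode_length):
    """Parse a single tag-length-value item and refuse trailing bytes."""
    if not buf:
        raise DERError("empty input")
    tag = buf[0]
    length, pos = decode_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise DERError("value truncated")
    if end != len(buf):
        raise DERError("trailing data after TLV")
    return tag, bytes(buf[pos:end])


# Constructed inputs: an OCTET STRING "hello" encoded three ways.
CANONICAL = bytes([0x04, 0x05]) + b"hello"                  # DER
PADDED = bytes([0x04, 0x83, 0x00, 0x00, 0x05]) + b"hello"   # length padded with zeros
LONG_FORM = bytes([0x04, 0x81, 0x05]) + b"hello"            # long form for 5


def compare(buf):
    """Run both decoders on buf; return the parsed item or the rejection."""
    results = {}
    for name, fn in (("permissive", decode_length_permissive),
                     ("strict", decode_length_strict)):
        try:
            results[name] = parse_tlv(buf, fn)
        except DERError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for label, data in (("canonical", CANONICAL), ("padded", PADDED),
                        ("long form", LONG_FORM)):
        print(label, compare(data))
```

The permissive decoder returns the same (tag, value) for all three encodings, which is exactly the property a signature check or a certificate comparison must not have: once two byte strings decode identically, the bytes that differ are free for an attacker to use. The strict decoder accepts only the canonical form and also refuses trailing data, so any smuggled bytes are rejected rather than silently skipped.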
Comment 14 claire robinson 2014-12-03 18:24:41 CET
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

David Walser 2014-12-03 18:43:54 CET

URL: (none) => http://lwn.net/Vulnerabilities/624300/

Comment 15 Mageia Robot 2014-12-03 20:28:16 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0507.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 Ben McMonagle 2014-12-03 20:55:54 CET
Thunderbird on Mga4- i586 real h/w

thunderbird-31.3.0-1.mga4.i586.rpm 
thunderbird-en_GB-31.3.0-1.mga4.noarch.rpm 

create account - ok.
mail collection from isp pop3 - ok.
send e-mail - isp - ok
open link in browser - [ default browser ] firefox - ok
save address to address book - ok.
retrieve address from address book - ok

CC: (none) => westel

Comment 17 David Walser 2014-12-04 20:32:56 CET
LWN reference for CVE-2014-1569:
http://lwn.net/Vulnerabilities/624611/
