Mozilla has issued advisories on December 1:
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

I saw these last night at:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

New rootcerts and nss versions are also available upstream. The changes are documented here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

As noted in those release notes, nss 3.17.3 fixes CVE-2014-1569:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569

Also, the adding of TLS_FALLBACK_SCSV support for ssltap and tstclnt in nss 3.17.3 and the disabling by default of SSLv3 in Firefox/Thunderbird 31.3.0 are POODLE mitigations.

Updates are committed in SVN and built for Mageia 4 and Cauldron, except for Thunderbird, for which a build failure is currently being investigated.

Once Thunderbird is fixed, the updated packages for Mageia 4 will be:
rootcerts-20141117.00-1.mga4
rootcerts-java-20141117.00-1.mga4
nss-3.17.3-1.mga4
nss-doc-3.17.3-1.mga4
libnss3-3.17.3-1.mga4
libnss-devel-3.17.3-1.mga4
libnss-static-devel-3.17.3-1.mga4
firefox-31.3.0-1.mga4
firefox-devel-31.3.0-1.mga4
firefox-af-31.3.0-1.mga4
firefox-ar-31.3.0-1.mga4
firefox-as-31.3.0-1.mga4
firefox-ast-31.3.0-1.mga4
firefox-be-31.3.0-1.mga4
firefox-bg-31.3.0-1.mga4
firefox-bn_IN-31.3.0-1.mga4
firefox-bn_BD-31.3.0-1.mga4
firefox-br-31.3.0-1.mga4
firefox-bs-31.3.0-1.mga4
firefox-ca-31.3.0-1.mga4
firefox-cs-31.3.0-1.mga4
firefox-csb-31.3.0-1.mga4
firefox-cy-31.3.0-1.mga4
firefox-da-31.3.0-1.mga4
firefox-de-31.3.0-1.mga4
firefox-el-31.3.0-1.mga4
firefox-en_GB-31.3.0-1.mga4
firefox-en_ZA-31.3.0-1.mga4
firefox-eo-31.3.0-1.mga4
firefox-es_AR-31.3.0-1.mga4
firefox-es_CL-31.3.0-1.mga4
firefox-es_ES-31.3.0-1.mga4
firefox-es_MX-31.3.0-1.mga4
firefox-et-31.3.0-1.mga4
firefox-eu-31.3.0-1.mga4
firefox-fa-31.3.0-1.mga4
firefox-ff-31.3.0-1.mga4
firefox-fi-31.3.0-1.mga4
firefox-fr-31.3.0-1.mga4
firefox-fy-31.3.0-1.mga4
firefox-ga_IE-31.3.0-1.mga4
firefox-gd-31.3.0-1.mga4
firefox-gl-31.3.0-1.mga4
firefox-gu_IN-31.3.0-1.mga4
firefox-he-31.3.0-1.mga4
firefox-hi-31.3.0-1.mga4
firefox-hr-31.3.0-1.mga4
firefox-hu-31.3.0-1.mga4
firefox-hy-31.3.0-1.mga4
firefox-id-31.3.0-1.mga4
firefox-is-31.3.0-1.mga4
firefox-it-31.3.0-1.mga4
firefox-ja-31.3.0-1.mga4
firefox-kk-31.3.0-1.mga4
firefox-ko-31.3.0-1.mga4
firefox-km-31.3.0-1.mga4
firefox-kn-31.3.0-1.mga4
firefox-ku-31.3.0-1.mga4
firefox-lij-31.3.0-1.mga4
firefox-lt-31.3.0-1.mga4
firefox-lv-31.3.0-1.mga4
firefox-mai-31.3.0-1.mga4
firefox-mk-31.3.0-1.mga4
firefox-ml-31.3.0-1.mga4
firefox-mr-31.3.0-1.mga4
firefox-nb_NO-31.3.0-1.mga4
firefox-nl-31.3.0-1.mga4
firefox-nn_NO-31.3.0-1.mga4
firefox-or-31.3.0-1.mga4
firefox-pa_IN-31.3.0-1.mga4
firefox-pl-31.3.0-1.mga4
firefox-pt_BR-31.3.0-1.mga4
firefox-pt_PT-31.3.0-1.mga4
firefox-ro-31.3.0-1.mga4
firefox-ru-31.3.0-1.mga4
firefox-si-31.3.0-1.mga4
firefox-sk-31.3.0-1.mga4
firefox-sl-31.3.0-1.mga4
firefox-sq-31.3.0-1.mga4
firefox-sr-31.3.0-1.mga4
firefox-sv_SE-31.3.0-1.mga4
firefox-ta-31.3.0-1.mga4
firefox-te-31.3.0-1.mga4
firefox-th-31.3.0-1.mga4
firefox-tr-31.3.0-1.mga4
firefox-uk-31.3.0-1.mga4
firefox-vi-31.3.0-1.mga4
firefox-zh_CN-31.3.0-1.mga4
firefox-zh_TW-31.3.0-1.mga4
firefox-zu-31.3.0-1.mga4
thunderbird-31.3.0-1.mga4
thunderbird-enigmail-31.3.0-1.mga4
nsinstall-31.3.0-1.mga4
thunderbird-ar-31.3.0-1.mga4
thunderbird-ast-31.3.0-1.mga4
thunderbird-be-31.3.0-1.mga4
thunderbird-bg-31.3.0-1.mga4
thunderbird-bn_BD-31.3.0-1.mga4
thunderbird-br-31.3.0-1.mga4
thunderbird-ca-31.3.0-1.mga4
thunderbird-cs-31.3.0-1.mga4
thunderbird-da-31.3.0-1.mga4
thunderbird-de-31.3.0-1.mga4
thunderbird-el-31.3.0-1.mga4
thunderbird-en_GB-31.3.0-1.mga4
thunderbird-es_AR-31.3.0-1.mga4
thunderbird-es_ES-31.3.0-1.mga4
thunderbird-et-31.3.0-1.mga4
thunderbird-eu-31.3.0-1.mga4
thunderbird-fi-31.3.0-1.mga4
thunderbird-fr-31.3.0-1.mga4
thunderbird-fy-31.3.0-1.mga4
thunderbird-ga-31.3.0-1.mga4
thunderbird-gd-31.3.0-1.mga4
thunderbird-gl-31.3.0-1.mga4
thunderbird-he-31.3.0-1.mga4
thunderbird-hr-31.3.0-1.mga4
thunderbird-hu-31.3.0-1.mga4
thunderbird-hy-31.3.0-1.mga4
thunderbird-id-31.3.0-1.mga4
thunderbird-is-31.3.0-1.mga4
thunderbird-it-31.3.0-1.mga4
thunderbird-ja-31.3.0-1.mga4
thunderbird-ko-31.3.0-1.mga4
thunderbird-lt-31.3.0-1.mga4
thunderbird-nb_NO-31.3.0-1.mga4
thunderbird-nl-31.3.0-1.mga4
thunderbird-nn_NO-31.3.0-1.mga4
thunderbird-pl-31.3.0-1.mga4
thunderbird-pa_IN-31.3.0-1.mga4
thunderbird-pt_BR-31.3.0-1.mga4
thunderbird-pt_PT-31.3.0-1.mga4
thunderbird-ro-31.3.0-1.mga4
thunderbird-ru-31.3.0-1.mga4
thunderbird-si-31.3.0-1.mga4
thunderbird-sk-31.3.0-1.mga4
thunderbird-sl-31.3.0-1.mga4
thunderbird-sq-31.3.0-1.mga4
thunderbird-sv_SE-31.3.0-1.mga4
thunderbird-ta_LK-31.3.0-1.mga4
thunderbird-tr-31.3.0-1.mga4
thunderbird-uk-31.3.0-1.mga4
thunderbird-vi-31.3.0-1.mga4
thunderbird-zh_CN-31.3.0-1.mga4
thunderbird-zh_TW-31.3.0-1.mga4

from SRPMS:
rootcerts-20141117.00-1.mga4.src.rpm
nss-3.17.3-1.mga4.src.rpm
firefox-31.3.0-1.mga4.src.rpm
firefox-l10n-31.3.0-1.mga4.src.rpm
thunderbird-31.3.0-1.mga4.src.rpm
thunderbird-l10n-31.3.0-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
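Comment 0 above calls the TLS_FALLBACK_SCSV support in nss 3.17.3 and the default disabling of SSLv3 in Firefox/Thunderbird 31.3.0 POODLE mitigations. The simulation below is an added illustration of why both help, not code from NSS, Mozilla or Mageia: it models the server-side rule from RFC 7507 (abort with inappropriate_fallback when a retry at a lowered version carries the SCSV while the server supports something higher) and a client walking its version ladder over a constructed faulty path. The ladder, the `fault_ceiling` parameter, and the baseline cipher suite are assumptions made for the example.

```python
"""Server-side TLS_FALLBACK_SCSV handling, modelled after RFC 7507.

Added illustration, not NSS or Mozilla code. The server rule: when a
ClientHello lists TLS_FALLBACK_SCSV and the client's offered version is
below the highest version the server supports, abort with an
inappropriate_fallback alert. `negotiate` models a client's retry-on-failure
ladder over a constructed faulty path, so the effect of the SCSV (and of
dropping SSL 3.0 from the ladder) can be compared.
"""

TLS_FALLBACK_SCSV = 0x5600   # cipher suite value reserved by RFC 7507
BASELINE_SUITE = 0x002F      # TLS_RSA_WITH_AES_128_CBC_SHA; constructed placeholder

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0",
                 TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}


def server(client_version, cipher_suites, server_max=TLS_1_2, server_min=SSL_3_0):
    """Decide how a server answers a ClientHello.

    Returns ("server_hello", negotiated_version) or ("alert", description).
    """
    if client_version < server_min:
        return ("alert", "protocol_version")
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        # The client signals "this is a retry at a lower version", yet both
        # sides could do better: RFC 7507 section 3 requires aborting here.
        return ("alert", "inappropriate_fallback")
    return ("server_hello", min(client_version, server_max))


def negotiate(client_versions, send_scsv, fault_ceiling=TLS_1_2, **server_kwargs):
    """Model a client walking its fallback ladder (highest version first).

    fault_ceiling is a constructed network fault: handshakes offering a
    version above it are dropped before reaching the server, which is what
    triggers a browser's downgrade dance in the first place.
    Returns ("connected", version) or ("failed", reason).
    """
    for attempt, version in enumerate(client_versions):
        suites = [BASELINE_SUITE]
        if send_scsv and attempt > 0:      # SCSV only on a fallback retry
            suites.append(TLS_FALLBACK_SCSV)
        if version > fault_ceiling:
            continue                       # handshake "failed"; retry lower
        kind, payload = server(version, suites, **server_kwargs)
        if kind == "server_hello":
            return ("connected", payload)
        return ("failed", payload)         # an alert ends the ladder
    return ("failed", "no_version_left")


if __name__ == "__main__":
    ladder = [TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0]
    cases = {
        "no SCSV, SSL 3.0 enabled":   negotiate(ladder, send_scsv=False, fault_ceiling=SSL_3_0),
        "SCSV sent, SSL 3.0 enabled": negotiate(ladder, send_scsv=True, fault_ceiling=SSL_3_0),
        "no SCSV, SSL 3.0 disabled":  negotiate(ladder[:-1], send_scsv=False, fault_ceiling=SSL_3_0),
        "SCSV sent, healthy network": negotiate(ladder, send_scsv=True),
    }
    for label, (kind, payload) in cases.items():
        print(f"{label:28s} -> {kind} {VERSION_NAMES.get(payload, payload)}")
```

Without the SCSV, a path that drops every handshake above SSL 3.0 ends with an SSL 3.0 session; with the SCSV the server refuses that retry, and with SSL 3.0 removed from the client's ladder (the 31.3.0 default) the client simply runs out of versions. Either way the connection fails closed instead of downgrading.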
CC'ing the QA team, as Firefox can be tested now. Thunderbird will come later.
CC: (none) => doktor5000, qa-bugs
FWIW, I'm working on fixing the thunderbird update, first for mga4 then for cauldron. Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1106883
thunderbird-31.3.0-1.mga4 submitted to 4/updates_testing - hopefully it builds :)
The Thunderbird update is now uploaded. Assigning to QA. Package list and details in Comment 0. Advisory to come later.
CC: qa-bugs => (none)
Assignee: bugsquad => qa-bugs
Firefox and Thunderbird working fine for me on Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Was there a problem with thunderbird-l10n? The packages don't seem to have made it to the mirrors. (I'm waiting for thunderbird-en_GB before updating.) Firefox is working fine for me on 64 bit Mageia 4.
Thanks James. The l10n packages are on the way.
Tested on Mageia 4 64-bit. Works fine up to now. Nothing special.
CC: (none) => olivier.delaune
Testing thunderbird on mga4 64 (only those features that I use)
Mail collection (via POP from ISP) OK
Mail filters OK
Links open in chrome (default browser) OK
Mail sending (through ISP) OK
System Mail collection (from /var/spool/mail) OK
RSS feeds OK
Usenet OK
Address books (I don't create mailing lists) OK
Calendars (I only use Events and not Tasks) OK
For me there are no regressions or problems
Testing on Mageia4x64 real hardware
firefox-31.3.0-1.mga4
firefox-fr-31.3.0-1.mga4
thunderbird-31.3.0-1.mga4
thunderbird-fr-31.3.0-1.mga4
rootcerts-20141117.00-1.mga4
rootcerts-java-20141117.00-1.mga4
nss-3.17.3-1.mga4
Firefox (browsing, bookmarks, java, flash, installing/updating/removing extensions, theming, ...)
Thunderbird (registering new account, retrieving/sending mails, installing/removing extensions, theming, address book, ...)
All OK up to now.
CC: (none) => olchal
Adding the OKs from Olivier, olivier, and James's tests.
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Just need an advisory then, David, please.
Red Hat has issued advisories for this on December 2:
https://rhn.redhat.com/errata/RHSA-2014-1948.html
https://rhn.redhat.com/errata/RHSA-2014-1919.html
https://rhn.redhat.com/errata/RHSA-2014-1924.html

Advisory:
========================

Updated nss, firefox, and thunderbird packages fix security vulnerabilities:

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (CVE-2014-1569).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593).

A flaw was found in the Alarm API, which could allow applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass the same-origin policy (CVE-2014-1594).

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0, mitigating CVE-2014-3566, also known as POODLE.

SSL 3.0 support has also been disabled by default in this Firefox and Thunderbird update, further mitigating POODLE.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/
https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2014-1948.html
https://rhn.redhat.com/errata/RHSA-2014-1919.html
https://rhn.redhat.com/errata/RHSA-2014-1924.html
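The advisory above describes CVE-2014-1569 as DER length decoding that is "too permissive, allowing undetected smuggling of arbitrary data". The decoder below is an added illustration of what a strict DER length check has to enforce so that every input byte is accounted for; it is constructed for this thread and is not NSS's QuickDER code, nor a reproduction of the exact NSS defect. The rules it applies are the general DER ones (definite length only, minimal long-form encoding, element must fit in the buffer, no trailing bytes), and the sample encodings are constructed.

```python
"""Strict DER length handling, added illustration (not NSS code).

A DER length is either one byte below 0x80 (short form) or a byte 0x80|n
followed by n big-endian length bytes (long form). DER additionally
requires the shortest possible encoding, forbids the indefinite form
(0x80), and requires that an element fit inside its container. A decoder
that relaxes any of these leaves bytes unaccounted for, which is exactly
the class of problem the advisory describes.
"""


class DERError(ValueError):
    """Raised for any encoding the strict decoder refuses."""


def read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos                         # short form
    n = first & 0x7F
    if n == 0:
        raise DERError("indefinite length not allowed in DER")
    if n > 4:
        raise DERError("length-of-length too large")   # example limit
    if pos + n > len(buf):
        raise DERError("truncated length field")
    length_bytes = buf[pos:pos + n]
    if length_bytes[0] == 0:
        raise DERError("non-minimal length: leading zero byte")
    length = int.from_bytes(length_bytes, "big")
    if length < 0x80:
        raise DERError("non-minimal length: long form used for value < 128")
    return length, pos + n


def read_tlv(buf, pos):
    """Return (tag, value, position after element) for the element at buf[pos]."""
    if pos >= len(buf):
        raise DERError("truncated: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not handled in this example")
    length, pos = read_length(buf, pos + 1)
    if pos + length > len(buf):
        raise DERError("element length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_top_level(buf):
    """Decode one element and insist that it consumes the entire buffer."""
    tag, value, end = read_tlv(buf, 0)
    if end != len(buf):
        raise DERError(f"{len(buf) - end} trailing byte(s) after element")
    return tag, value


def decode_sequence_of_integers(buf):
    """Strictly decode SEQUENCE { INTEGER, ... } into a list of Python ints."""
    tag, body = decode_top_level(buf)
    if tag != 0x30:
        raise DERError("expected SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t != 0x02 or not v:
            raise DERError("expected non-empty INTEGER")
        items.append(int.from_bytes(v, "big", signed=True))
    return items


def check(buf):
    """Return 'ok' or 'rejected: <reason>' for one encoding."""
    try:
        decode_sequence_of_integers(buf)
        return "ok"
    except DERError as exc:
        return f"rejected: {exc}"


# Constructed samples: SEQUENCE { INTEGER 1, INTEGER 2 } and malformed variants.
SAMPLES = {
    "minimal":         bytes.fromhex("3006020101020102"),
    "long form < 128": bytes.fromhex("308106020101020102"),
    "leading zero":    bytes.fromhex("30820006020101020102"),
    "indefinite":      bytes.fromhex("30800201010201020000"),
    "oversized":       bytes.fromhex("3010020101"),
    "trailing byte":   bytes.fromhex("3006020101020102ff"),
}

if __name__ == "__main__":
    for name, enc in SAMPLES.items():
        print(f"{name:16s} {enc.hex():24s} {check(enc)}")
```

Only the first sample is accepted; each of the others is rejected with the specific rule it breaks, which is the behaviour a strict decoder needs so that nothing can ride along unnoticed inside or after a length field.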
Validating. Advisory uploaded. Please push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/624300/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0507.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Thunderbird on Mga4 i586 real h/w
thunderbird-31.3.0-1.mga4.i586.rpm
thunderbird-en_GB-31.3.0-1.mga4.noarch.rpm
create account - ok.
mail collection from ISP POP3 - ok.
send e-mail - ISP - ok.
open link in browser [default browser] Firefox - ok.
save address to address book - ok.
retrieve address from address book - ok.
CC: (none) => westel
LWN reference for CVE-2014-1569: http://lwn.net/Vulnerabilities/624611/