Mozilla has issued advisories today (January 13):
https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-06/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8641

These were just posted here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

There are no rootcerts, nspr, or nss updates this time.

The updates are submitted in Cauldron and committed in SVN for Mageia 4 and will be pushed soon.

RedHat has issued advisories for this today:
https://rhn.redhat.com/errata/RHSA-2015-0046.html
https://rhn.redhat.com/errata/RHSA-2015-0047.html

I'll go ahead and assign to QA now, but it'll take a few hours for this update to actually get built and uploaded. It can be tested as soon as it is available on your mirror.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-8634).

It was found that the Beacon interface implementation in Firefox and Thunderbird did not follow the Cross-Origin Resource Sharing (CORS) specification. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (XSRF) attack (CVE-2014-8638).

It was found that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read (CVE-2014-8639).

Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in either a potentially exploitable crash or incorrect WebRTC behavior. Note that this issue only affects Firefox (CVE-2014-8641).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8641
https://www.mozilla.org/en-US/security/advisories/mfsa2015-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-06/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
https://rhn.redhat.com/errata/RHSA-2015-0046.html
https://rhn.redhat.com/errata/RHSA-2015-0047.html
========================

Updated packages in core/updates_testing:
========================
firefox-31.4.0-1.mga4 firefox-devel-31.4.0-1.mga4 firefox-af-31.4.0-1.mga4 firefox-ar-31.4.0-1.mga4 firefox-as-31.4.0-1.mga4 firefox-ast-31.4.0-1.mga4 firefox-be-31.4.0-1.mga4 firefox-bg-31.4.0-1.mga4 firefox-bn_IN-31.4.0-1.mga4 firefox-bn_BD-31.4.0-1.mga4 firefox-br-31.4.0-1.mga4 firefox-bs-31.4.0-1.mga4 firefox-ca-31.4.0-1.mga4 firefox-cs-31.4.0-1.mga4 firefox-csb-31.4.0-1.mga4 firefox-cy-31.4.0-1.mga4 firefox-da-31.4.0-1.mga4 firefox-de-31.4.0-1.mga4 firefox-el-31.4.0-1.mga4 firefox-en_GB-31.4.0-1.mga4 firefox-en_ZA-31.4.0-1.mga4 firefox-eo-31.4.0-1.mga4 firefox-es_AR-31.4.0-1.mga4
firefox-es_CL-31.4.0-1.mga4 firefox-es_ES-31.4.0-1.mga4 firefox-es_MX-31.4.0-1.mga4 firefox-et-31.4.0-1.mga4 firefox-eu-31.4.0-1.mga4 firefox-fa-31.4.0-1.mga4 firefox-ff-31.4.0-1.mga4 firefox-fi-31.4.0-1.mga4 firefox-fr-31.4.0-1.mga4 firefox-fy-31.4.0-1.mga4 firefox-ga_IE-31.4.0-1.mga4 firefox-gd-31.4.0-1.mga4 firefox-gl-31.4.0-1.mga4 firefox-gu_IN-31.4.0-1.mga4 firefox-he-31.4.0-1.mga4 firefox-hi-31.4.0-1.mga4 firefox-hr-31.4.0-1.mga4 firefox-hu-31.4.0-1.mga4 firefox-hy-31.4.0-1.mga4 firefox-id-31.4.0-1.mga4 firefox-is-31.4.0-1.mga4 firefox-it-31.4.0-1.mga4 firefox-ja-31.4.0-1.mga4 firefox-kk-31.4.0-1.mga4 firefox-ko-31.4.0-1.mga4 firefox-km-31.4.0-1.mga4 firefox-kn-31.4.0-1.mga4 firefox-ku-31.4.0-1.mga4 firefox-lij-31.4.0-1.mga4 firefox-lt-31.4.0-1.mga4 firefox-lv-31.4.0-1.mga4 firefox-mai-31.4.0-1.mga4 firefox-mk-31.4.0-1.mga4 firefox-ml-31.4.0-1.mga4 firefox-mr-31.4.0-1.mga4 firefox-nb_NO-31.4.0-1.mga4 firefox-nl-31.4.0-1.mga4 firefox-nn_NO-31.4.0-1.mga4 firefox-or-31.4.0-1.mga4 firefox-pa_IN-31.4.0-1.mga4 firefox-pl-31.4.0-1.mga4 firefox-pt_BR-31.4.0-1.mga4 firefox-pt_PT-31.4.0-1.mga4 firefox-ro-31.4.0-1.mga4 firefox-ru-31.4.0-1.mga4 firefox-si-31.4.0-1.mga4 firefox-sk-31.4.0-1.mga4 firefox-sl-31.4.0-1.mga4 firefox-sq-31.4.0-1.mga4 firefox-sr-31.4.0-1.mga4 firefox-sv_SE-31.4.0-1.mga4 firefox-ta-31.4.0-1.mga4 firefox-te-31.4.0-1.mga4 firefox-th-31.4.0-1.mga4 firefox-tr-31.4.0-1.mga4 firefox-uk-31.4.0-1.mga4 firefox-vi-31.4.0-1.mga4 firefox-zh_CN-31.4.0-1.mga4 firefox-zh_TW-31.4.0-1.mga4 firefox-zu-31.4.0-1.mga4 thunderbird-31.4.0-1.mga4 thunderbird-enigmail-31.4.0-1.mga4 nsinstall-31.4.0-1.mga4 thunderbird-ar-31.4.0-1.mga4 thunderbird-ast-31.4.0-1.mga4 thunderbird-be-31.4.0-1.mga4 thunderbird-bg-31.4.0-1.mga4 thunderbird-bn_BD-31.4.0-1.mga4 thunderbird-br-31.4.0-1.mga4 thunderbird-ca-31.4.0-1.mga4 thunderbird-cs-31.4.0-1.mga4 thunderbird-da-31.4.0-1.mga4 thunderbird-de-31.4.0-1.mga4 thunderbird-el-31.4.0-1.mga4 thunderbird-en_GB-31.4.0-1.mga4 
thunderbird-es_AR-31.4.0-1.mga4 thunderbird-es_ES-31.4.0-1.mga4 thunderbird-et-31.4.0-1.mga4 thunderbird-eu-31.4.0-1.mga4 thunderbird-fi-31.4.0-1.mga4 thunderbird-fr-31.4.0-1.mga4 thunderbird-fy-31.4.0-1.mga4 thunderbird-ga-31.4.0-1.mga4 thunderbird-gd-31.4.0-1.mga4 thunderbird-gl-31.4.0-1.mga4 thunderbird-he-31.4.0-1.mga4 thunderbird-hr-31.4.0-1.mga4 thunderbird-hu-31.4.0-1.mga4 thunderbird-hy-31.4.0-1.mga4 thunderbird-id-31.4.0-1.mga4 thunderbird-is-31.4.0-1.mga4 thunderbird-it-31.4.0-1.mga4 thunderbird-ja-31.4.0-1.mga4 thunderbird-ko-31.4.0-1.mga4 thunderbird-lt-31.4.0-1.mga4 thunderbird-nb_NO-31.4.0-1.mga4 thunderbird-nl-31.4.0-1.mga4 thunderbird-nn_NO-31.4.0-1.mga4 thunderbird-pl-31.4.0-1.mga4 thunderbird-pa_IN-31.4.0-1.mga4 thunderbird-pt_BR-31.4.0-1.mga4 thunderbird-pt_PT-31.4.0-1.mga4 thunderbird-ro-31.4.0-1.mga4 thunderbird-ru-31.4.0-1.mga4 thunderbird-si-31.4.0-1.mga4 thunderbird-sk-31.4.0-1.mga4 thunderbird-sl-31.4.0-1.mga4 thunderbird-sq-31.4.0-1.mga4 thunderbird-sv_SE-31.4.0-1.mga4 thunderbird-ta_LK-31.4.0-1.mga4 thunderbird-tr-31.4.0-1.mga4 thunderbird-uk-31.4.0-1.mga4 thunderbird-vi-31.4.0-1.mga4 thunderbird-zh_CN-31.4.0-1.mga4 thunderbird-zh_TW-31.4.0-1.mga4

from SRPMS:
firefox-31.4.0-1.mga4.src.rpm
firefox-l10n-31.4.0-1.mga4.src.rpm
thunderbird-31.4.0-1.mga4.src.rpm
thunderbird-l10n-31.4.0-1.mga4.src.rpm
The Thunderbird build is available. The Firefox build failed only on x86_64, so this will take more time. I'll add the feedback marker.

The full log is here:
http://pkgsubmit.mageia.org/uploads/failure/4/core/updates_testing/20150113223154.luigiwalser.valstar.29541/log/firefox-31.4.0-1.mga4/build.0.20150113223206.log

The failure bit near the end is:

../../../dist/bin/nsinstall -R -m 644 '/home/iurt/rpmbuild/BUILD/mozilla-esr31/toolkit/devtools/gcli/source/lib/gcli/index.js' '../../../dist/bin/modules/devtools/gcli'
mkdir -p '.deps/'
../../../dist/bin/nsinstall: cannot make symbolic link /home/iurt/rpmbuild/BUILD/obj/dist/bin/modules/devtools/gcli/ui/focus.js: No such file or directory
/home/iurt/rpmbuild/BUILD/mozilla-esr31/config/rules.mk:1474: recipe for target '../../../dist/bin/modules/devtools/gcli/ui/focus.js' failed
make[5]: *** [../../../dist/bin/modules/devtools/gcli/ui/focus.js] Error 1
make[5]: *** Deleting file '../../../dist/bin/modules/devtools/gcli/ui/focus.js'
../../../dist/bin/nsinstall: cannot make symbolic link /home/iurt/rpmbuild/BUILD/obj/dist/bin/modules/devtools/gcli/util: File exists
make[5]: *** Waiting for unfinished jobs....
/home/iurt/rpmbuild/BUILD/mozilla-esr31/config/rules.mk:1474: recipe for target '../../../dist/bin/modules/devtools/gcli/util' failed
make[5]: *** [../../../dist/bin/modules/devtools/gcli/util] Error 1
make[5]: Leaving directory '/home/iurt/rpmbuild/BUILD/obj/toolkit/devtools/gcli'
Whiteboard: (none) => feedback
URL: (none) => http://lwn.net/Vulnerabilities/629468/
The build error was a transient error. Resubmitting it worked. Firefox is now also available. Enjoy.
Whiteboard: feedback => (none)
Firefox and Thunderbird working fine for me, Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Tested mga4-64:

Thunderbird: send/receive/move/delete on SMTP/IMAP OK
Chat connect and enter to #mageia-qa on freenode OK.

Firefox: general browsing, sunspider for javascript, javatester for java plugin, flash on Youtube, acid3 all OK

Validating

Ready for release when advisory uploaded to svn.
CC: (none) => wrw105, sysadmin-bugs
Whiteboard: MGA4-32-OK => MGA4-32-OK mga4-64-ok
Keywords: (none) => validated_update
advisory uploaded
CC: (none) => tmb
Whiteboard: MGA4-32-OK mga4-64-ok => MGA4-32-OK mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0025.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED