Mozilla has released Firefox 31.5.3 to deal with the following bug:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
Actually it was to deal with two bugs, issued on March 20:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/

Ubuntu has issued an advisory for this on March 22:
http://www.ubuntu.com/usn/usn-2538-1/

NSS 3.18 has also been released, and new rootcerts are available:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
Version: 4 => Cauldron
Summary: Firefox new security updates in 31.5.3 => Firefox new security issues CVE-2015-0817 and CVE-2015-0818
Whiteboard: (none) => MGA5TOO, MGA4TOO
Severity: normal => critical
CC: (none) => luigiwalser
Component: RPM Packages => Security
QA Contact: (none) => security
Updates checked into SVN. Freeze push requested for Cauldron.
Saving the advisory for later when this is uploaded.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A flaw was discovered in the implementation of typed array bounds checking in the JavaScript just-in-time compilation. If a user were tricked into opening a specially crafted website, an attacker could exploit this to execute arbitrary code with the privileges of the user invoking Firefox (CVE-2015-0817).

Mariusz Mlynski discovered a flaw in the processing of SVG format content navigation. If a user were tricked into opening a specially crafted website, an attacker could exploit this to run arbitrary script in a privileged context (CVE-2015-0818).

The firefox package has been updated to version 31.5.3 to fix these issues.

Also, the nss package has been updated to version 3.18, which enables TLS and DTLS 1.2, increases the default RSA key size created by certutil to 2048 bits, and has some CA root certificate updates.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0818
https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
http://www.ubuntu.com/usn/usn-2538-1/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20150226.00-1.mga4 rootcerts-java-20150226.00-1.mga4 nss-3.18.0-1.mga4 nss-doc-3.18.0-1.mga4 libnss3-3.18.0-1.mga4 libnss-devel-3.18.0-1.mga4 libnss-static-devel-3.18.0-1.mga4 firefox-31.5.3-1.mga4 firefox-devel-31.5.3-1.mga4 firefox-af-31.5.3-1.mga4 firefox-ar-31.5.3-1.mga4 firefox-as-31.5.3-1.mga4 firefox-ast-31.5.3-1.mga4 firefox-be-31.5.3-1.mga4 firefox-bg-31.5.3-1.mga4 firefox-bn_IN-31.5.3-1.mga4 firefox-bn_BD-31.5.3-1.mga4 firefox-br-31.5.3-1.mga4
firefox-bs-31.5.3-1.mga4 firefox-ca-31.5.3-1.mga4 firefox-cs-31.5.3-1.mga4 firefox-csb-31.5.3-1.mga4 firefox-cy-31.5.3-1.mga4 firefox-da-31.5.3-1.mga4 firefox-de-31.5.3-1.mga4 firefox-el-31.5.3-1.mga4 firefox-en_GB-31.5.3-1.mga4 firefox-en_ZA-31.5.3-1.mga4 firefox-eo-31.5.3-1.mga4 firefox-es_AR-31.5.3-1.mga4 firefox-es_CL-31.5.3-1.mga4 firefox-es_ES-31.5.3-1.mga4 firefox-es_MX-31.5.3-1.mga4 firefox-et-31.5.3-1.mga4 firefox-eu-31.5.3-1.mga4 firefox-fa-31.5.3-1.mga4 firefox-ff-31.5.3-1.mga4 firefox-fi-31.5.3-1.mga4 firefox-fr-31.5.3-1.mga4 firefox-fy-31.5.3-1.mga4 firefox-ga_IE-31.5.3-1.mga4 firefox-gd-31.5.3-1.mga4 firefox-gl-31.5.3-1.mga4 firefox-gu_IN-31.5.3-1.mga4 firefox-he-31.5.3-1.mga4 firefox-hi-31.5.3-1.mga4 firefox-hr-31.5.3-1.mga4 firefox-hu-31.5.3-1.mga4 firefox-hy-31.5.3-1.mga4 firefox-id-31.5.3-1.mga4 firefox-is-31.5.3-1.mga4 firefox-it-31.5.3-1.mga4 firefox-ja-31.5.3-1.mga4 firefox-kk-31.5.3-1.mga4 firefox-ko-31.5.3-1.mga4 firefox-km-31.5.3-1.mga4 firefox-kn-31.5.3-1.mga4 firefox-ku-31.5.3-1.mga4 firefox-lij-31.5.3-1.mga4 firefox-lt-31.5.3-1.mga4 firefox-lv-31.5.3-1.mga4 firefox-mai-31.5.3-1.mga4 firefox-mk-31.5.3-1.mga4 firefox-ml-31.5.3-1.mga4 firefox-mr-31.5.3-1.mga4 firefox-nb_NO-31.5.3-1.mga4 firefox-nl-31.5.3-1.mga4 firefox-nn_NO-31.5.3-1.mga4 firefox-or-31.5.3-1.mga4 firefox-pa_IN-31.5.3-1.mga4 firefox-pl-31.5.3-1.mga4 firefox-pt_BR-31.5.3-1.mga4 firefox-pt_PT-31.5.3-1.mga4 firefox-ro-31.5.3-1.mga4 firefox-ru-31.5.3-1.mga4 firefox-si-31.5.3-1.mga4 firefox-sk-31.5.3-1.mga4 firefox-sl-31.5.3-1.mga4 firefox-sq-31.5.3-1.mga4 firefox-sr-31.5.3-1.mga4 firefox-sv_SE-31.5.3-1.mga4 firefox-ta-31.5.3-1.mga4 firefox-te-31.5.3-1.mga4 firefox-th-31.5.3-1.mga4 firefox-tr-31.5.3-1.mga4 firefox-uk-31.5.3-1.mga4 firefox-vi-31.5.3-1.mga4 firefox-zh_CN-31.5.3-1.mga4 firefox-zh_TW-31.5.3-1.mga4 firefox-zu-31.5.3-1.mga4 from SRPMS: rootcerts-20150226.00-1.mga4.src.rpm nss-3.18.0-1.mga4.src.rpm firefox-31.5.3-1.mga4.src.rpm firefox-l10n-31.5.3-1.mga4.src.rpm
Updated packages uploaded for Mageia 4 and Cauldron. See Comment 3 for the advisory and package list.
URL: (none) => http://lwn.net/Vulnerabilities/637568/
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
David: Mozilla was only showing the one on the firefox ESR page, but both on the Seamonkey page. Maybe I was too quick!

Tested MGA4-64

General browsing, sunspider for javascript, javatester for java plugin, youtube for flash plugin, https logins for nss and rootcerts, acid3.

All OK

CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure
Confirmed everything is working fine on Mageia 4 i586 as well.
Whiteboard: mga4-64-ok has_procedure => has_procedure MGA4-32-OK mga4-64-ok
Validating.

Can someone from the sysadmin team please push to core/updates? Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure MGA4-32-OK mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0115.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED