Mozilla has issued advisories on March 31:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816

These were just posted here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

There is no rootcerts update, so nss is being rebuilt against it. There are no newer versions of nspr and nss available at this time.

RedHat has issued advisories for this today (April 1, and it's no joke):
https://rhn.redhat.com/errata/RHSA-2015-0766.html
https://rhn.redhat.com/errata/RHSA-2015-0771.html

Updated packages are in the process of being built. The advisory will be as follows:

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2015-0801, CVE-2015-0813, CVE-2015-0815).

A flaw was found in the Beacon interface implementation in Firefox and Thunderbird. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (CSRF) attack (CVE-2015-0807).

A flaw was found in the way documents were loaded via resource URLs in, for example, Firefox's PDF.js PDF file viewer. An attacker could use this flaw to bypass certain restrictions and, under certain conditions, even execute arbitrary code with the privileges of the user running Firefox or Thunderbird (CVE-2015-0816).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816
https://www.mozilla.org/en-US/security/advisories/mfsa2015-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-40/
https://rhn.redhat.com/errata/RHSA-2015-0766.html
https://rhn.redhat.com/errata/RHSA-2015-0771.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20150326.00-1.mga4
rootcerts-java-20150326.00-1.mga4
nss-3.18.0-1.1.mga4
nss-doc-3.18.0-1.1.mga4
libnss3-3.18.0-1.1.mga4
libnss-devel-3.18.0-1.1.mga4
libnss-static-devel-3.18.0-1.1.mga4
firefox-31.6.0-1.mga4
firefox-devel-31.6.0-1.mga4
firefox-af-31.6.0-1.mga4
firefox-ar-31.6.0-1.mga4
firefox-as-31.6.0-1.mga4
firefox-ast-31.6.0-1.mga4
firefox-be-31.6.0-1.mga4
firefox-bg-31.6.0-1.mga4
firefox-bn_IN-31.6.0-1.mga4
firefox-bn_BD-31.6.0-1.mga4
firefox-br-31.6.0-1.mga4
firefox-bs-31.6.0-1.mga4
firefox-ca-31.6.0-1.mga4
firefox-cs-31.6.0-1.mga4
firefox-csb-31.6.0-1.mga4
firefox-cy-31.6.0-1.mga4
firefox-da-31.6.0-1.mga4
firefox-de-31.6.0-1.mga4
firefox-el-31.6.0-1.mga4
firefox-en_GB-31.6.0-1.mga4
firefox-en_ZA-31.6.0-1.mga4
firefox-eo-31.6.0-1.mga4
firefox-es_AR-31.6.0-1.mga4
firefox-es_CL-31.6.0-1.mga4
firefox-es_ES-31.6.0-1.mga4
firefox-es_MX-31.6.0-1.mga4
firefox-et-31.6.0-1.mga4
firefox-eu-31.6.0-1.mga4
firefox-fa-31.6.0-1.mga4
firefox-ff-31.6.0-1.mga4
firefox-fi-31.6.0-1.mga4
firefox-fr-31.6.0-1.mga4
firefox-fy-31.6.0-1.mga4
firefox-ga_IE-31.6.0-1.mga4
firefox-gd-31.6.0-1.mga4
firefox-gl-31.6.0-1.mga4
firefox-gu_IN-31.6.0-1.mga4
firefox-he-31.6.0-1.mga4
firefox-hi-31.6.0-1.mga4
firefox-hr-31.6.0-1.mga4
firefox-hu-31.6.0-1.mga4
firefox-hy-31.6.0-1.mga4
firefox-id-31.6.0-1.mga4
firefox-is-31.6.0-1.mga4
firefox-it-31.6.0-1.mga4
firefox-ja-31.6.0-1.mga4
firefox-kk-31.6.0-1.mga4
firefox-ko-31.6.0-1.mga4
firefox-km-31.6.0-1.mga4
firefox-kn-31.6.0-1.mga4
firefox-ku-31.6.0-1.mga4
firefox-lij-31.6.0-1.mga4
firefox-lt-31.6.0-1.mga4
firefox-lv-31.6.0-1.mga4
firefox-mai-31.6.0-1.mga4
firefox-mk-31.6.0-1.mga4
firefox-ml-31.6.0-1.mga4
firefox-mr-31.6.0-1.mga4
firefox-nb_NO-31.6.0-1.mga4
firefox-nl-31.6.0-1.mga4
firefox-nn_NO-31.6.0-1.mga4
firefox-or-31.6.0-1.mga4
firefox-pa_IN-31.6.0-1.mga4
firefox-pl-31.6.0-1.mga4
firefox-pt_BR-31.6.0-1.mga4
firefox-pt_PT-31.6.0-1.mga4
firefox-ro-31.6.0-1.mga4
firefox-ru-31.6.0-1.mga4
firefox-si-31.6.0-1.mga4
firefox-sk-31.6.0-1.mga4
firefox-sl-31.6.0-1.mga4
firefox-sq-31.6.0-1.mga4
firefox-sr-31.6.0-1.mga4
firefox-sv_SE-31.6.0-1.mga4
firefox-ta-31.6.0-1.mga4
firefox-te-31.6.0-1.mga4
firefox-th-31.6.0-1.mga4
firefox-tr-31.6.0-1.mga4
firefox-uk-31.6.0-1.mga4
firefox-vi-31.6.0-1.mga4
firefox-zh_CN-31.6.0-1.mga4
firefox-zh_TW-31.6.0-1.mga4
firefox-zu-31.6.0-1.mga4
thunderbird-31.6.0-1.mga4
thunderbird-enigmail-31.6.0-1.mga4
nsinstall-31.6.0-1.mga4
thunderbird-ar-31.6.0-1.mga4
thunderbird-ast-31.6.0-1.mga4
thunderbird-be-31.6.0-1.mga4
thunderbird-bg-31.6.0-1.mga4
thunderbird-bn_BD-31.6.0-1.mga4
thunderbird-br-31.6.0-1.mga4
thunderbird-ca-31.6.0-1.mga4
thunderbird-cs-31.6.0-1.mga4
thunderbird-da-31.6.0-1.mga4
thunderbird-de-31.6.0-1.mga4
thunderbird-el-31.6.0-1.mga4
thunderbird-en_GB-31.6.0-1.mga4
thunderbird-es_AR-31.6.0-1.mga4
thunderbird-es_ES-31.6.0-1.mga4
thunderbird-et-31.6.0-1.mga4
thunderbird-eu-31.6.0-1.mga4
thunderbird-fi-31.6.0-1.mga4
thunderbird-fr-31.6.0-1.mga4
thunderbird-fy-31.6.0-1.mga4
thunderbird-ga-31.6.0-1.mga4
thunderbird-gd-31.6.0-1.mga4
thunderbird-gl-31.6.0-1.mga4
thunderbird-he-31.6.0-1.mga4
thunderbird-hr-31.6.0-1.mga4
thunderbird-hu-31.6.0-1.mga4
thunderbird-hy-31.6.0-1.mga4
thunderbird-id-31.6.0-1.mga4
thunderbird-is-31.6.0-1.mga4
thunderbird-it-31.6.0-1.mga4
thunderbird-ja-31.6.0-1.mga4
thunderbird-ko-31.6.0-1.mga4
thunderbird-lt-31.6.0-1.mga4
thunderbird-nb_NO-31.6.0-1.mga4
thunderbird-nl-31.6.0-1.mga4
thunderbird-nn_NO-31.6.0-1.mga4
thunderbird-pl-31.6.0-1.mga4
thunderbird-pa_IN-31.6.0-1.mga4
thunderbird-pt_BR-31.6.0-1.mga4
thunderbird-pt_PT-31.6.0-1.mga4
thunderbird-ro-31.6.0-1.mga4
thunderbird-ru-31.6.0-1.mga4
thunderbird-si-31.6.0-1.mga4
thunderbird-sk-31.6.0-1.mga4
thunderbird-sl-31.6.0-1.mga4
thunderbird-sq-31.6.0-1.mga4
thunderbird-sv_SE-31.6.0-1.mga4
thunderbird-ta_LK-31.6.0-1.mga4
thunderbird-tr-31.6.0-1.mga4
thunderbird-uk-31.6.0-1.mga4
thunderbird-vi-31.6.0-1.mga4
thunderbird-zh_CN-31.6.0-1.mga4
thunderbird-zh_TW-31.6.0-1.mga4

from SRPMS:
rootcerts-20150326.00-1.mga4.src.rpm
nss-3.18.0-1.1.mga4.src.rpm
firefox-31.6.0-1.mga4.src.rpm
firefox-l10n-31.6.0-1.mga4.src.rpm
thunderbird-31.6.0-1.mga4.src.rpm
thunderbird-l10n-31.6.0-1.mga4.src.rpm
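The package list above gives the fixed name-version-release strings for this update. As an added example (not Mageia QA's own tooling, and not part of the original bug report), the following Python script checks a host's `rpm -qa` output against those fixed versions using a simplified reimplementation of rpm's version comparison, so a QA tester or administrator can see at a glance which advisory packages are still below the fix. The `FIXED` subset is taken from the list above; the installed-package sample is constructed for the demonstration.

```python
"""Compare installed RPM name-version-release strings against an advisory's fixed versions.

Added example, not Mageia's own QA tooling. FIXED holds a subset of the
packages listed in the update (firefox/thunderbird 31.6.0-1.mga4,
nss 3.18.0-1.1.mga4, rootcerts 20150326.00-1.mga4); SAMPLE_RPM_QA is
constructed sample output of `rpm -qa` on a partially updated host.
"""
import re

# Fixed packages from the advisory (subset of the core/updates_testing list).
FIXED = [
    "firefox-31.6.0-1.mga4",
    "thunderbird-31.6.0-1.mga4",
    "nss-3.18.0-1.1.mga4",
    "libnss3-3.18.0-1.1.mga4",
    "rootcerts-20150326.00-1.mga4",
]

# Constructed sample of `rpm -qa` output; thunderbird and libnss3 are already
# at the fixed version, firefox, nss and rootcerts are not, vim is unrelated.
SAMPLE_RPM_QA = """\
firefox-31.5.3-1.mga4
thunderbird-31.6.0-1.mga4
nss-3.18.0-1.mga4
libnss3-3.18.0-1.1.mga4
rootcerts-20150104.00-1.mga4
vim-enhanced-7.4.253-3.mga4
"""

# name may itself contain dashes; version and release never do
_NVR = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")


def split_nvr(nvr):
    """Split 'name-version-release' into (name, version, release)."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not a name-version-release string: %r" % nvr)
    return m.group("name"), m.group("version"), m.group("release")


def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): return -1, 0 or 1 for a < b, a == b, a > b.

    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment sorts after an alphabetic one, as in rpm. Tilde and
    caret handling are omitted in this simplified version.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; release breaks version ties."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def unpatched(rpm_qa_output, fixed=FIXED):
    """Return {name: (installed_vr, fixed_vr)} for advisory packages still below the fix."""
    fixed_by_name = {n: (v, r) for n, v, r in (split_nvr(p) for p in fixed)}
    result = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, ver, rel = split_nvr(line)
        want = fixed_by_name.get(name)
        if want and compare_vr((ver, rel), want) < 0:
            result[name] = ("%s-%s" % (ver, rel), "%s-%s" % want)
    return result


if __name__ == "__main__":
    # On a real host, feed it `rpm -qa` output instead of the constructed sample.
    for name, (have, need) in sorted(unpatched(SAMPLE_RPM_QA).items()):
        print("%s: installed %s, fixed in %s" % (name, have, need))
```

Note that the release field matters here: `nss-3.18.0-1.mga4` and `nss-3.18.0-1.1.mga4` share a version, and only the release comparison shows the first one is still the pre-update build.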
Updated packages are on their way to mirrors now, and should be generally available within the next couple hours. Advisory and package list in Comment 0.
Assignee: bugsquad => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/638720/
Testing MGA4 x64. Updated just the essential Firefox (I do not use Thunderbird) + a language pack. Have played with it, looking at interactive maps and a YouTube music number; no problems noted.
CC: (none) => lewyssmith
Tested mga4-64. Updated thunderbird, firefox, rootcerts, nss.
Firefox: general browsing, acid3, sunspider for javascript, javatester for java, youtube for flash, all OK.
Thunderbird: Mail: send/receive/move/delete over SMTP/IMAP. Connected to freenode and joined #mageia-qa to test chat. All OK.
CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure
Tested mga4-32 as above. All OK. Validating. Ready for push when advisory uploaded to svn.
Keywords: (none) => validated_update
Whiteboard: mga4-64-ok has_procedure => has_procedure mga4-64-ok mga4-32-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure mga4-64-ok mga4-32-OK => has_procedure advisory mga4-64-ok mga4-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED