Mozilla has issued advisories today (May 12):
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716

These were just posted here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

RedHat has issued an advisory for this today (May 12):
https://rhn.redhat.com/errata/RHSA-2015-0988.html

There will be rootcerts and nss updates to go along with this, as well as an update for sqlite3, fixing several security issues, as noted in Bug 15756. Note that we already fixed CVE-2015-0797 in Bug 15713.

Updates committed in SVN. Freeze push requested for Firefox in Cauldron.
I'll have to add in RedHat's Thunderbird advisory to the References once it's available, but otherwise the advisory and package list should look like this once everything's available.

Advisory:
========================

Updated firefox, thunderbird, and sqlite3 packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713).

A heap-based buffer overflow flaw was found in the way Firefox and Thunderbird processed compressed XML data. An attacker could create specially crafted compressed XML content that, when processed by Firefox or Thunderbird, could cause it to crash or execute arbitrary code with the privileges of the user running it (CVE-2015-2716).

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE at the end of a SELECT statement (CVE-2015-3414).

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement (CVE-2015-3415).

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement (CVE-2015-3416).

The sqlite3 package has been updated to version 3.10.8, fixing the CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416 security issues, also fixing heap overflow and other possible issues found by fuzzing, as well as containing many other bug fixes and enhancements.

The nss package has been updated to version 3.19, containing multiple root certificate updates, security enhancements, and other bug fixes.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
https://sqlite.org/changes.html
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A217/
http://openwall.com/lists/oss-security/2015/05/12/7
https://rhn.redhat.com/errata/RHSA-2015-0988.html
https://bugs.mageia.org/show_bug.cgi?id=15756
https://bugs.mageia.org/show_bug.cgi?id=15920
========================

Updated packages in core/updates_testing:
========================
sqlite3-tcl-3.8.10.1-1.mga4
sqlite3-tools-3.8.10.1-1.mga4
lemon-3.8.10.1-1.mga4
libsqlite3-devel-3.8.10.1-1.mga4
libsqlite3-static-devel-3.8.10.1-1.mga4
libsqlite3_0-3.8.10.1-1.mga4
rootcerts-20150420.00-1.mga4
rootcerts-java-20150420.00-1.mga4
nss-3.19.0-1.1.mga4
nss-doc-3.19.0-1.1.mga4
libnss3-3.19.0-1.1.mga4
libnss-devel-3.19.0-1.1.mga4
libnss-static-devel-3.19.0-1.1.mga4
firefox-31.7.0-1.mga4
firefox-devel-31.7.0-1.mga4
firefox-af-31.7.0-1.mga4
firefox-ar-31.7.0-1.mga4
firefox-as-31.7.0-1.mga4
firefox-ast-31.7.0-1.mga4
firefox-be-31.7.0-1.mga4
firefox-bg-31.7.0-1.mga4
firefox-bn_IN-31.7.0-1.mga4
firefox-bn_BD-31.7.0-1.mga4
firefox-br-31.7.0-1.mga4
firefox-bs-31.7.0-1.mga4
firefox-ca-31.7.0-1.mga4
firefox-cs-31.7.0-1.mga4
firefox-csb-31.7.0-1.mga4
firefox-cy-31.7.0-1.mga4
firefox-da-31.7.0-1.mga4
firefox-de-31.7.0-1.mga4
firefox-el-31.7.0-1.mga4
firefox-en_GB-31.7.0-1.mga4
firefox-en_ZA-31.7.0-1.mga4
firefox-eo-31.7.0-1.mga4
firefox-es_AR-31.7.0-1.mga4
firefox-es_CL-31.7.0-1.mga4
firefox-es_ES-31.7.0-1.mga4
firefox-es_MX-31.7.0-1.mga4
firefox-et-31.7.0-1.mga4
firefox-eu-31.7.0-1.mga4
firefox-fa-31.7.0-1.mga4
firefox-ff-31.7.0-1.mga4
firefox-fi-31.7.0-1.mga4
firefox-fr-31.7.0-1.mga4
firefox-fy-31.7.0-1.mga4
firefox-ga_IE-31.7.0-1.mga4
firefox-gd-31.7.0-1.mga4
firefox-gl-31.7.0-1.mga4
firefox-gu_IN-31.7.0-1.mga4
firefox-he-31.7.0-1.mga4
firefox-hi-31.7.0-1.mga4
firefox-hr-31.7.0-1.mga4
firefox-hu-31.7.0-1.mga4
firefox-hy-31.7.0-1.mga4
firefox-id-31.7.0-1.mga4
firefox-is-31.7.0-1.mga4
firefox-it-31.7.0-1.mga4
firefox-ja-31.7.0-1.mga4
firefox-kk-31.7.0-1.mga4
firefox-ko-31.7.0-1.mga4
firefox-km-31.7.0-1.mga4
firefox-kn-31.7.0-1.mga4
firefox-ku-31.7.0-1.mga4
firefox-lij-31.7.0-1.mga4
firefox-lt-31.7.0-1.mga4
firefox-lv-31.7.0-1.mga4
firefox-mai-31.7.0-1.mga4
firefox-mk-31.7.0-1.mga4
firefox-ml-31.7.0-1.mga4
firefox-mr-31.7.0-1.mga4
firefox-nb_NO-31.7.0-1.mga4
firefox-nl-31.7.0-1.mga4
firefox-nn_NO-31.7.0-1.mga4
firefox-or-31.7.0-1.mga4
firefox-pa_IN-31.7.0-1.mga4
firefox-pl-31.7.0-1.mga4
firefox-pt_BR-31.7.0-1.mga4
firefox-pt_PT-31.7.0-1.mga4
firefox-ro-31.7.0-1.mga4
firefox-ru-31.7.0-1.mga4
firefox-si-31.7.0-1.mga4
firefox-sk-31.7.0-1.mga4
firefox-sl-31.7.0-1.mga4
firefox-sq-31.7.0-1.mga4
firefox-sr-31.7.0-1.mga4
firefox-sv_SE-31.7.0-1.mga4
firefox-ta-31.7.0-1.mga4
firefox-te-31.7.0-1.mga4
firefox-th-31.7.0-1.mga4
firefox-tr-31.7.0-1.mga4
firefox-uk-31.7.0-1.mga4
firefox-vi-31.7.0-1.mga4
firefox-zh_CN-31.7.0-1.mga4
firefox-zh_TW-31.7.0-1.mga4
firefox-zu-31.7.0-1.mga4
thunderbird-31.7.0-1.mga4
thunderbird-enigmail-31.7.0-1.mga4
nsinstall-31.7.0-1.mga4
thunderbird-ar-31.7.0-1.mga4
thunderbird-ast-31.7.0-1.mga4
thunderbird-be-31.7.0-1.mga4
thunderbird-bg-31.7.0-1.mga4
thunderbird-bn_BD-31.7.0-1.mga4
thunderbird-br-31.7.0-1.mga4
thunderbird-ca-31.7.0-1.mga4
thunderbird-cs-31.7.0-1.mga4
thunderbird-da-31.7.0-1.mga4
thunderbird-de-31.7.0-1.mga4
thunderbird-el-31.7.0-1.mga4
thunderbird-en_GB-31.7.0-1.mga4
thunderbird-es_AR-31.7.0-1.mga4
thunderbird-es_ES-31.7.0-1.mga4
thunderbird-et-31.7.0-1.mga4
thunderbird-eu-31.7.0-1.mga4
thunderbird-fi-31.7.0-1.mga4
thunderbird-fr-31.7.0-1.mga4
thunderbird-fy-31.7.0-1.mga4
thunderbird-ga-31.7.0-1.mga4
thunderbird-gd-31.7.0-1.mga4
thunderbird-gl-31.7.0-1.mga4
thunderbird-he-31.7.0-1.mga4
thunderbird-hr-31.7.0-1.mga4
thunderbird-hu-31.7.0-1.mga4
thunderbird-hy-31.7.0-1.mga4
thunderbird-id-31.7.0-1.mga4
thunderbird-is-31.7.0-1.mga4
thunderbird-it-31.7.0-1.mga4
thunderbird-ja-31.7.0-1.mga4
thunderbird-ko-31.7.0-1.mga4
thunderbird-lt-31.7.0-1.mga4
thunderbird-nb_NO-31.7.0-1.mga4
thunderbird-nl-31.7.0-1.mga4
thunderbird-nn_NO-31.7.0-1.mga4
thunderbird-pl-31.7.0-1.mga4
thunderbird-pa_IN-31.7.0-1.mga4
thunderbird-pt_BR-31.7.0-1.mga4
thunderbird-pt_PT-31.7.0-1.mga4
thunderbird-ro-31.7.0-1.mga4
thunderbird-ru-31.7.0-1.mga4
thunderbird-si-31.7.0-1.mga4
thunderbird-sk-31.7.0-1.mga4
thunderbird-sl-31.7.0-1.mga4
thunderbird-sq-31.7.0-1.mga4
thunderbird-sv_SE-31.7.0-1.mga4
thunderbird-ta_LK-31.7.0-1.mga4
thunderbird-tr-31.7.0-1.mga4
thunderbird-uk-31.7.0-1.mga4
thunderbird-vi-31.7.0-1.mga4
thunderbird-zh_CN-31.7.0-1.mga4
thunderbird-zh_TW-31.7.0-1.mga4

from SRPMS:
sqlite3-3.8.10.1-1.mga4.src.rpm
rootcerts-20150420.00-1.mga4.src.rpm
nss-3.19.0-1.1.mga4.src.rpm
firefox-31.7.0-1.mga4.src.rpm
firefox-l10n-31.7.0-1.mga4.src.rpm
thunderbird-31.7.0-1.mga4.src.rpm
thunderbird-l10n-31.7.0-1.mga4.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/644248/
All packages are uploaded. Advisory and package list in Comment 1.
Assignee: bugsquad => qa-bugs
Tested mga4-64. Firefox: General browsing, youtube for flash, sunspider for javascript, javatester for java, acid3 all OK. Thunderbird: Send/receive/move/delete over SMTP/IMAP all OK.
CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure
Both are working fine on Mageia 4 i586 also.
Whiteboard: mga4-64-ok has_procedure => mga4-32-ok mga4-64-ok has_procedure
(On Cauldron, Thunderbird says it's the Daily branch; I guess it's the same on mga4.)
Yes, as I already mentioned on the dev ml, upstream failed to make the proper release tarballs available, so Fedora apparently had to use a nightly one and I copied it from them. Help > About does say 31.7.0, so it'll have to do. Hopefully next time upstream won't forget to release the source tarball!
Well, I guess end users will be afraid/confused if they see this; it would be better to find the tarball. Looks like Florian has a link.
So four days late they finally decided to post the tarball. Anyway, you only see this screen when Thunderbird first starts, and only if you don't click on anything (and have it set to show the home screen when it starts).
(In reply to David Walser from comment #8)
> So four days late they finally decided to post the tarball. Anyway, you
> only see this screen when Thunderbird first starts, and only if you don't
> click on anything (and have it set to show the home screen when it starts).

And then they still posted the wrong tarball. The one in the usual location that's finally there now is the same tarball that we used.
Blocks: (none) => 15756
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok has_procedure => mga4-32-ok mga4-64-ok advisory has_procedure
CC: (none) => sysadmin-bugs
RedHat has issued an advisory for Thunderbird today (May 18):
https://rhn.redhat.com/errata/RHSA-2015-1012.html

I added it to the references in the advisory in SVN.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0234.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED