Firefox 38.2 is out. The upstream advisories haven't been posted yet, nor has the Thunderbird 38.2 tarball, so the advisory and Thunderbird update will come later.

This update will also include the rootcerts/nss update for some updated root CA certificates:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes

Updated packages uploaded for Mageia 4 and Mageia 5.

Updated packages in core/updates_testing:
========================
rootcerts-20150709.00-1.mga4
rootcerts-java-20150709.00-1.mga4
nss-3.19.3-1.mga4
nss-doc-3.19.3-1.mga4
libnss3-3.19.3-1.mga4
libnss-devel-3.19.3-1.mga4
libnss-static-devel-3.19.3-1.mga4
firefox-38.2.0-1.mga4
firefox-devel-38.2.0-1.mga4
firefox-af-38.2.0-1.mga4
firefox-an-38.2.0-1.mga4
firefox-ar-38.2.0-1.mga4
firefox-as-38.2.0-1.mga4
firefox-ast-38.2.0-1.mga4
firefox-az-38.2.0-1.mga4
firefox-be-38.2.0-1.mga4
firefox-bg-38.2.0-1.mga4
firefox-bn_IN-38.2.0-1.mga4
firefox-bn_BD-38.2.0-1.mga4
firefox-br-38.2.0-1.mga4
firefox-bs-38.2.0-1.mga4
firefox-ca-38.2.0-1.mga4
firefox-cs-38.2.0-1.mga4
firefox-cy-38.2.0-1.mga4
firefox-da-38.2.0-1.mga4
firefox-de-38.2.0-1.mga4
firefox-el-38.2.0-1.mga4
firefox-en_GB-38.2.0-1.mga4
firefox-en_US-38.2.0-1.mga4
firefox-en_ZA-38.2.0-1.mga4
firefox-eo-38.2.0-1.mga4
firefox-es_AR-38.2.0-1.mga4
firefox-es_CL-38.2.0-1.mga4
firefox-es_ES-38.2.0-1.mga4
firefox-es_MX-38.2.0-1.mga4
firefox-et-38.2.0-1.mga4
firefox-eu-38.2.0-1.mga4
firefox-fa-38.2.0-1.mga4
firefox-ff-38.2.0-1.mga4
firefox-fi-38.2.0-1.mga4
firefox-fr-38.2.0-1.mga4
firefox-fy_NL-38.2.0-1.mga4
firefox-ga_IE-38.2.0-1.mga4
firefox-gd-38.2.0-1.mga4
firefox-gl-38.2.0-1.mga4
firefox-gu_IN-38.2.0-1.mga4
firefox-he-38.2.0-1.mga4
firefox-hi_IN-38.2.0-1.mga4
firefox-hr-38.2.0-1.mga4
firefox-hsb-38.2.0-1.mga4
firefox-hu-38.2.0-1.mga4
firefox-hy_AM-38.2.0-1.mga4
firefox-id-38.2.0-1.mga4
firefox-is-38.2.0-1.mga4
firefox-it-38.2.0-1.mga4
firefox-ja-38.2.0-1.mga4
firefox-kk-38.2.0-1.mga4
firefox-km-38.2.0-1.mga4
firefox-kn-38.2.0-1.mga4
firefox-ko-38.2.0-1.mga4
firefox-lij-38.2.0-1.mga4
firefox-lt-38.2.0-1.mga4
firefox-lv-38.2.0-1.mga4
firefox-mai-38.2.0-1.mga4
firefox-mk-38.2.0-1.mga4
firefox-ml-38.2.0-1.mga4
firefox-mr-38.2.0-1.mga4
firefox-ms-38.2.0-1.mga4
firefox-nb_NO-38.2.0-1.mga4
firefox-nl-38.2.0-1.mga4
firefox-nn_NO-38.2.0-1.mga4
firefox-or-38.2.0-1.mga4
firefox-pa_IN-38.2.0-1.mga4
firefox-pl-38.2.0-1.mga4
firefox-pt_BR-38.2.0-1.mga4
firefox-pt_PT-38.2.0-1.mga4
firefox-ro-38.2.0-1.mga4
firefox-ru-38.2.0-1.mga4
firefox-si-38.2.0-1.mga4
firefox-sk-38.2.0-1.mga4
firefox-sl-38.2.0-1.mga4
firefox-sq-38.2.0-1.mga4
firefox-sr-38.2.0-1.mga4
firefox-sv_SE-38.2.0-1.mga4
firefox-ta-38.2.0-1.mga4
firefox-te-38.2.0-1.mga4
firefox-th-38.2.0-1.mga4
firefox-tr-38.2.0-1.mga4
firefox-uk-38.2.0-1.mga4
firefox-uz-38.2.0-1.mga4
firefox-vi-38.2.0-1.mga4
firefox-xh-38.2.0-1.mga4
firefox-zh_CN-38.2.0-1.mga4
firefox-zh_TW-38.2.0-1.mga4
rootcerts-20150709.00-1.mga5
rootcerts-java-20150709.00-1.mga5
nss-3.19.3-1.mga5
nss-doc-3.19.3-1.mga5
libnss3-3.19.3-1.mga5
libnss-devel-3.19.3-1.mga5
libnss-static-devel-3.19.3-1.mga5
firefox-38.2.0-1.mga5
firefox-devel-38.2.0-1.mga5
firefox-af-38.2.0-1.mga5
firefox-an-38.2.0-1.mga5
firefox-ar-38.2.0-1.mga5
firefox-as-38.2.0-1.mga5
firefox-ast-38.2.0-1.mga5
firefox-az-38.2.0-1.mga5
firefox-be-38.2.0-1.mga5
firefox-bg-38.2.0-1.mga5
firefox-bn_IN-38.2.0-1.mga5
firefox-bn_BD-38.2.0-1.mga5
firefox-br-38.2.0-1.mga5
firefox-bs-38.2.0-1.mga5
firefox-ca-38.2.0-1.mga5
firefox-cs-38.2.0-1.mga5
firefox-cy-38.2.0-1.mga5
firefox-da-38.2.0-1.mga5
firefox-de-38.2.0-1.mga5
firefox-el-38.2.0-1.mga5
firefox-en_GB-38.2.0-1.mga5
firefox-en_US-38.2.0-1.mga5
firefox-en_ZA-38.2.0-1.mga5
firefox-eo-38.2.0-1.mga5
firefox-es_AR-38.2.0-1.mga5
firefox-es_CL-38.2.0-1.mga5
firefox-es_ES-38.2.0-1.mga5
firefox-es_MX-38.2.0-1.mga5
firefox-et-38.2.0-1.mga5
firefox-eu-38.2.0-1.mga5
firefox-fa-38.2.0-1.mga5
firefox-ff-38.2.0-1.mga5
firefox-fi-38.2.0-1.mga5
firefox-fr-38.2.0-1.mga5
firefox-fy_NL-38.2.0-1.mga5
firefox-ga_IE-38.2.0-1.mga5
firefox-gd-38.2.0-1.mga5
firefox-gl-38.2.0-1.mga5
firefox-gu_IN-38.2.0-1.mga5
firefox-he-38.2.0-1.mga5
firefox-hi_IN-38.2.0-1.mga5
firefox-hr-38.2.0-1.mga5
firefox-hsb-38.2.0-1.mga5
firefox-hu-38.2.0-1.mga5
firefox-hy_AM-38.2.0-1.mga5
firefox-id-38.2.0-1.mga5
firefox-is-38.2.0-1.mga5
firefox-it-38.2.0-1.mga5
firefox-ja-38.2.0-1.mga5
firefox-kk-38.2.0-1.mga5
firefox-km-38.2.0-1.mga5
firefox-kn-38.2.0-1.mga5
firefox-ko-38.2.0-1.mga5
firefox-lij-38.2.0-1.mga5
firefox-lt-38.2.0-1.mga5
firefox-lv-38.2.0-1.mga5
firefox-mai-38.2.0-1.mga5
firefox-mk-38.2.0-1.mga5
firefox-ml-38.2.0-1.mga5
firefox-mr-38.2.0-1.mga5
firefox-ms-38.2.0-1.mga5
firefox-nb_NO-38.2.0-1.mga5
firefox-nl-38.2.0-1.mga5
firefox-nn_NO-38.2.0-1.mga5
firefox-or-38.2.0-1.mga5
firefox-pa_IN-38.2.0-1.mga5
firefox-pl-38.2.0-1.mga5
firefox-pt_BR-38.2.0-1.mga5
firefox-pt_PT-38.2.0-1.mga5
firefox-ro-38.2.0-1.mga5
firefox-ru-38.2.0-1.mga5
firefox-si-38.2.0-1.mga5
firefox-sk-38.2.0-1.mga5
firefox-sl-38.2.0-1.mga5
firefox-sq-38.2.0-1.mga5
firefox-sr-38.2.0-1.mga5
firefox-sv_SE-38.2.0-1.mga5
firefox-ta-38.2.0-1.mga5
firefox-te-38.2.0-1.mga5
firefox-th-38.2.0-1.mga5
firefox-tr-38.2.0-1.mga5
firefox-uk-38.2.0-1.mga5
firefox-uz-38.2.0-1.mga5
firefox-vi-38.2.0-1.mga5
firefox-xh-38.2.0-1.mga5
firefox-zh_CN-38.2.0-1.mga5
firefox-zh_TW-38.2.0-1.mga5

from SRPMS:
rootcerts-20150709.00-1.mga4.src.rpm
nss-3.19.3-1.mga4.src.rpm
firefox-38.2.0-1.mga4.src.rpm
firefox-l10n-38.2.0-1.mga4.src.rpm
rootcerts-20150709.00-1.mga5.src.rpm
nss-3.19.3-1.mga5.src.rpm
firefox-38.2.0-1.mga5.src.rpm
firefox-l10n-38.2.0-1.mga5.src.rpm
Whiteboard: (none) => MGA4TOO
The upstream advisories have been posted:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

None of the issues are listed as affecting Thunderbird, so I guess there won't be a Thunderbird 38.2.

I'll post the advisory when RedHat posts their update.

I was concerned about MFSA2015-89, since it says the issue is with libvpx, but there are no changes in the bundled libvpx code between Firefox 38.1 and 38.2, so I guess the fixes must have gone into the Firefox code itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Working fine for me, Mageia 4 and Mageia 5 i586.
Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA5-32-OK
Severity: normal => critical
mga5-64, usual battery but with JetStream in place of sunspider, javatester, general browsing, youtube for flash, all OK.
CC: (none) => wrw105
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Removing the advisory tag. Updated the wrong bug. I'll fix that shortly.
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok
Also removing the validated_update keyword until the advisory is available.
Keywords: validated_update => (none)
RedHat has issued an advisory for this today (August 11):
https://rhn.redhat.com/errata/RHSA-2015-1586.html

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479, CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-1586.html
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0312.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/654275/