Bug 16571 - Firefox 38.2
Summary: Firefox 38.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/654275/
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-11 17:23 CEST by David Walser
Modified: 2015-08-12 20:05 CEST

See Also:
Source RPM: firefox, rootcerts, nss
CVE:
Status comment:


Description David Walser 2015-08-11 17:23:34 CEST
Firefox 38.2 is out.  The upstream advisories haven't been posted yet, nor has the Thunderbird 38.2 tarball, so the advisory and Thunderbird update will come later.

This update will also include the rootcerts/nss update for some updated root CA certificates:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes

Updated packages uploaded for Mageia 4 and Mageia 5.

Updated packages in core/updates_testing:
========================
rootcerts-20150709.00-1.mga4
rootcerts-java-20150709.00-1.mga4
nss-3.19.3-1.mga4
nss-doc-3.19.3-1.mga4
libnss3-3.19.3-1.mga4
libnss-devel-3.19.3-1.mga4
libnss-static-devel-3.19.3-1.mga4
firefox-38.2.0-1.mga4
firefox-devel-38.2.0-1.mga4
firefox-af-38.2.0-1.mga4
firefox-an-38.2.0-1.mga4
firefox-ar-38.2.0-1.mga4
firefox-as-38.2.0-1.mga4
firefox-ast-38.2.0-1.mga4
firefox-az-38.2.0-1.mga4
firefox-be-38.2.0-1.mga4
firefox-bg-38.2.0-1.mga4
firefox-bn_IN-38.2.0-1.mga4
firefox-bn_BD-38.2.0-1.mga4
firefox-br-38.2.0-1.mga4
firefox-bs-38.2.0-1.mga4
firefox-ca-38.2.0-1.mga4
firefox-cs-38.2.0-1.mga4
firefox-cy-38.2.0-1.mga4
firefox-da-38.2.0-1.mga4
firefox-de-38.2.0-1.mga4
firefox-el-38.2.0-1.mga4
firefox-en_GB-38.2.0-1.mga4
firefox-en_US-38.2.0-1.mga4
firefox-en_ZA-38.2.0-1.mga4
firefox-eo-38.2.0-1.mga4
firefox-es_AR-38.2.0-1.mga4
firefox-es_CL-38.2.0-1.mga4
firefox-es_ES-38.2.0-1.mga4
firefox-es_MX-38.2.0-1.mga4
firefox-et-38.2.0-1.mga4
firefox-eu-38.2.0-1.mga4
firefox-fa-38.2.0-1.mga4
firefox-ff-38.2.0-1.mga4
firefox-fi-38.2.0-1.mga4
firefox-fr-38.2.0-1.mga4
firefox-fy_NL-38.2.0-1.mga4
firefox-ga_IE-38.2.0-1.mga4
firefox-gd-38.2.0-1.mga4
firefox-gl-38.2.0-1.mga4
firefox-gu_IN-38.2.0-1.mga4
firefox-he-38.2.0-1.mga4
firefox-hi_IN-38.2.0-1.mga4
firefox-hr-38.2.0-1.mga4
firefox-hsb-38.2.0-1.mga4
firefox-hu-38.2.0-1.mga4
firefox-hy_AM-38.2.0-1.mga4
firefox-id-38.2.0-1.mga4
firefox-is-38.2.0-1.mga4
firefox-it-38.2.0-1.mga4
firefox-ja-38.2.0-1.mga4
firefox-kk-38.2.0-1.mga4
firefox-km-38.2.0-1.mga4
firefox-kn-38.2.0-1.mga4
firefox-ko-38.2.0-1.mga4
firefox-lij-38.2.0-1.mga4
firefox-lt-38.2.0-1.mga4
firefox-lv-38.2.0-1.mga4
firefox-mai-38.2.0-1.mga4
firefox-mk-38.2.0-1.mga4
firefox-ml-38.2.0-1.mga4
firefox-mr-38.2.0-1.mga4
firefox-ms-38.2.0-1.mga4
firefox-nb_NO-38.2.0-1.mga4
firefox-nl-38.2.0-1.mga4
firefox-nn_NO-38.2.0-1.mga4
firefox-or-38.2.0-1.mga4
firefox-pa_IN-38.2.0-1.mga4
firefox-pl-38.2.0-1.mga4
firefox-pt_BR-38.2.0-1.mga4
firefox-pt_PT-38.2.0-1.mga4
firefox-ro-38.2.0-1.mga4
firefox-ru-38.2.0-1.mga4
firefox-si-38.2.0-1.mga4
firefox-sk-38.2.0-1.mga4
firefox-sl-38.2.0-1.mga4
firefox-sq-38.2.0-1.mga4
firefox-sr-38.2.0-1.mga4
firefox-sv_SE-38.2.0-1.mga4
firefox-ta-38.2.0-1.mga4
firefox-te-38.2.0-1.mga4
firefox-th-38.2.0-1.mga4
firefox-tr-38.2.0-1.mga4
firefox-uk-38.2.0-1.mga4
firefox-uz-38.2.0-1.mga4
firefox-vi-38.2.0-1.mga4
firefox-xh-38.2.0-1.mga4
firefox-zh_CN-38.2.0-1.mga4
firefox-zh_TW-38.2.0-1.mga4
rootcerts-20150709.00-1.mga5
rootcerts-java-20150709.00-1.mga5
nss-3.19.3-1.mga5
nss-doc-3.19.3-1.mga5
libnss3-3.19.3-1.mga5
libnss-devel-3.19.3-1.mga5
libnss-static-devel-3.19.3-1.mga5
firefox-38.2.0-1.mga5
firefox-devel-38.2.0-1.mga5
firefox-af-38.2.0-1.mga5
firefox-an-38.2.0-1.mga5
firefox-ar-38.2.0-1.mga5
firefox-as-38.2.0-1.mga5
firefox-ast-38.2.0-1.mga5
firefox-az-38.2.0-1.mga5
firefox-be-38.2.0-1.mga5
firefox-bg-38.2.0-1.mga5
firefox-bn_IN-38.2.0-1.mga5
firefox-bn_BD-38.2.0-1.mga5
firefox-br-38.2.0-1.mga5
firefox-bs-38.2.0-1.mga5
firefox-ca-38.2.0-1.mga5
firefox-cs-38.2.0-1.mga5
firefox-cy-38.2.0-1.mga5
firefox-da-38.2.0-1.mga5
firefox-de-38.2.0-1.mga5
firefox-el-38.2.0-1.mga5
firefox-en_GB-38.2.0-1.mga5
firefox-en_US-38.2.0-1.mga5
firefox-en_ZA-38.2.0-1.mga5
firefox-eo-38.2.0-1.mga5
firefox-es_AR-38.2.0-1.mga5
firefox-es_CL-38.2.0-1.mga5
firefox-es_ES-38.2.0-1.mga5
firefox-es_MX-38.2.0-1.mga5
firefox-et-38.2.0-1.mga5
firefox-eu-38.2.0-1.mga5
firefox-fa-38.2.0-1.mga5
firefox-ff-38.2.0-1.mga5
firefox-fi-38.2.0-1.mga5
firefox-fr-38.2.0-1.mga5
firefox-fy_NL-38.2.0-1.mga5
firefox-ga_IE-38.2.0-1.mga5
firefox-gd-38.2.0-1.mga5
firefox-gl-38.2.0-1.mga5
firefox-gu_IN-38.2.0-1.mga5
firefox-he-38.2.0-1.mga5
firefox-hi_IN-38.2.0-1.mga5
firefox-hr-38.2.0-1.mga5
firefox-hsb-38.2.0-1.mga5
firefox-hu-38.2.0-1.mga5
firefox-hy_AM-38.2.0-1.mga5
firefox-id-38.2.0-1.mga5
firefox-is-38.2.0-1.mga5
firefox-it-38.2.0-1.mga5
firefox-ja-38.2.0-1.mga5
firefox-kk-38.2.0-1.mga5
firefox-km-38.2.0-1.mga5
firefox-kn-38.2.0-1.mga5
firefox-ko-38.2.0-1.mga5
firefox-lij-38.2.0-1.mga5
firefox-lt-38.2.0-1.mga5
firefox-lv-38.2.0-1.mga5
firefox-mai-38.2.0-1.mga5
firefox-mk-38.2.0-1.mga5
firefox-ml-38.2.0-1.mga5
firefox-mr-38.2.0-1.mga5
firefox-ms-38.2.0-1.mga5
firefox-nb_NO-38.2.0-1.mga5
firefox-nl-38.2.0-1.mga5
firefox-nn_NO-38.2.0-1.mga5
firefox-or-38.2.0-1.mga5
firefox-pa_IN-38.2.0-1.mga5
firefox-pl-38.2.0-1.mga5
firefox-pt_BR-38.2.0-1.mga5
firefox-pt_PT-38.2.0-1.mga5
firefox-ro-38.2.0-1.mga5
firefox-ru-38.2.0-1.mga5
firefox-si-38.2.0-1.mga5
firefox-sk-38.2.0-1.mga5
firefox-sl-38.2.0-1.mga5
firefox-sq-38.2.0-1.mga5
firefox-sr-38.2.0-1.mga5
firefox-sv_SE-38.2.0-1.mga5
firefox-ta-38.2.0-1.mga5
firefox-te-38.2.0-1.mga5
firefox-th-38.2.0-1.mga5
firefox-tr-38.2.0-1.mga5
firefox-uk-38.2.0-1.mga5
firefox-uz-38.2.0-1.mga5
firefox-vi-38.2.0-1.mga5
firefox-xh-38.2.0-1.mga5
firefox-zh_CN-38.2.0-1.mga5
firefox-zh_TW-38.2.0-1.mga5

from SRPMS:
rootcerts-20150709.00-1.mga4.src.rpm
nss-3.19.3-1.mga4.src.rpm
firefox-38.2.0-1.mga4.src.rpm
firefox-l10n-38.2.0-1.mga4.src.rpm
rootcerts-20150709.00-1.mga5.src.rpm
nss-3.19.3-1.mga5.src.rpm
firefox-38.2.0-1.mga5.src.rpm
firefox-l10n-38.2.0-1.mga5.src.rpm

David Walser 2015-08-11 17:23:41 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-08-11 19:19:19 CEST
The upstream advisories have been posted:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

None of the issues are listed as affecting Thunderbird, so I guess there won't be a Thunderbird 38.2.

I'll post the advisory when RedHat posts their update.

I was concerned about MFSA2015-89, since it says the issue is with libvpx, but there are no changes in the bundled libvpx code between Firefox 38.1 and 38.2, so I guess the fixes must have gone into the Firefox code itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Comment 2 David Walser 2015-08-11 19:20:15 CEST
Working fine for me, Mageia 4 and Mageia 5 i586.

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA5-32-OK

David Walser 2015-08-11 19:23:53 CEST

Severity: normal => critical

Comment 3 Bill Wilkinson 2015-08-11 20:07:06 CEST
mga5-64, usual battery but with JetStream in place of sunspider, javatester, general browsing, youtube for flash, all OK.

CC: (none) => wrw105
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok

Dave Hodgins 2015-08-11 20:58:07 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Dave Hodgins 2015-08-11 21:11:35 CEST
Removing the advisory tag. Updated the wrong bug. I'll fix that shortly.

Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok

Comment 5 Dave Hodgins 2015-08-11 21:16:11 CEST
Also removing the validated_update update keyword until the advisory is
available.

Keywords: validated_update => (none)

Comment 6 David Walser 2015-08-11 21:28:18 CEST
RedHat has issued an advisory for this today (August 11):
https://rhn.redhat.com/errata/RHSA-2015-1586.html

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485,
CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4493
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-1586.html

Dave Hodgins 2015-08-11 21:40:50 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok advisory

Comment 7 Mageia Robot 2015-08-11 22:23:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0312.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-12 20:05:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/654275/
