Bug 16666 - Firefox 38.2.1
Summary: Firefox 38.2.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655993/
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64...
Keywords: validated_update
Depends on:
Blocks:

Reported: 2015-08-28 21:46 CEST by David Walser
Modified: 2015-08-29 09:53 CEST

See Also:
Source RPM: nspr, nss, firefox
CVE:
Status comment:


Description David Walser 2015-08-28 21:46:30 CEST
Red Hat issued an advisory on August 27:
https://rhn.redhat.com/errata/RHSA-2015-1693.html

This is an emergency out-of-band release to fix a zero-day denial of service issue and an issue where the browser could be tricked into automatically installing extensions.

New versions of nspr and nss are also available:
http://mozilla.6506.n7.nabble.com/ANNOUNCE-NSPR-4-10-9-Release-td343441.html
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A flaw was found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2015-4497).

A flaw was found in the way Firefox handled installation of add-ons.
An attacker could use this flaw to bypass the add-on installation prompt,
and trick the user into installing an add-on from a malicious source
(CVE-2015-4498).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4498
http://mozilla.6506.n7.nabble.com/ANNOUNCE-NSPR-4-10-9-Release-td343441.html
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-1693.html
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.10.9-1.mga4
libnspr-devel-4.10.9-1.mga4
nss-3.20.0-1.mga4
nss-doc-3.20.0-1.mga4
libnss3-3.20.0-1.mga4
libnss-devel-3.20.0-1.mga4
libnss-static-devel-3.20.0-1.mga4
firefox-38.2.1-1.mga4
firefox-devel-38.2.1-1.mga4
firefox-af-38.2.1-1.mga4
firefox-an-38.2.1-1.mga4
firefox-ar-38.2.1-1.mga4
firefox-as-38.2.1-1.mga4
firefox-ast-38.2.1-1.mga4
firefox-az-38.2.1-1.mga4
firefox-be-38.2.1-1.mga4
firefox-bg-38.2.1-1.mga4
firefox-bn_IN-38.2.1-1.mga4
firefox-bn_BD-38.2.1-1.mga4
firefox-br-38.2.1-1.mga4
firefox-bs-38.2.1-1.mga4
firefox-ca-38.2.1-1.mga4
firefox-cs-38.2.1-1.mga4
firefox-cy-38.2.1-1.mga4
firefox-da-38.2.1-1.mga4
firefox-de-38.2.1-1.mga4
firefox-el-38.2.1-1.mga4
firefox-en_GB-38.2.1-1.mga4
firefox-en_US-38.2.1-1.mga4
firefox-en_ZA-38.2.1-1.mga4
firefox-eo-38.2.1-1.mga4
firefox-es_AR-38.2.1-1.mga4
firefox-es_CL-38.2.1-1.mga4
firefox-es_ES-38.2.1-1.mga4
firefox-es_MX-38.2.1-1.mga4
firefox-et-38.2.1-1.mga4
firefox-eu-38.2.1-1.mga4
firefox-fa-38.2.1-1.mga4
firefox-ff-38.2.1-1.mga4
firefox-fi-38.2.1-1.mga4
firefox-fr-38.2.1-1.mga4
firefox-fy_NL-38.2.1-1.mga4
firefox-ga_IE-38.2.1-1.mga4
firefox-gd-38.2.1-1.mga4
firefox-gl-38.2.1-1.mga4
firefox-gu_IN-38.2.1-1.mga4
firefox-he-38.2.1-1.mga4
firefox-hi_IN-38.2.1-1.mga4
firefox-hr-38.2.1-1.mga4
firefox-hsb-38.2.1-1.mga4
firefox-hu-38.2.1-1.mga4
firefox-hy_AM-38.2.1-1.mga4
firefox-id-38.2.1-1.mga4
firefox-is-38.2.1-1.mga4
firefox-it-38.2.1-1.mga4
firefox-ja-38.2.1-1.mga4
firefox-kk-38.2.1-1.mga4
firefox-km-38.2.1-1.mga4
firefox-kn-38.2.1-1.mga4
firefox-ko-38.2.1-1.mga4
firefox-lij-38.2.1-1.mga4
firefox-lt-38.2.1-1.mga4
firefox-lv-38.2.1-1.mga4
firefox-mai-38.2.1-1.mga4
firefox-mk-38.2.1-1.mga4
firefox-ml-38.2.1-1.mga4
firefox-mr-38.2.1-1.mga4
firefox-ms-38.2.1-1.mga4
firefox-nb_NO-38.2.1-1.mga4
firefox-nl-38.2.1-1.mga4
firefox-nn_NO-38.2.1-1.mga4
firefox-or-38.2.1-1.mga4
firefox-pa_IN-38.2.1-1.mga4
firefox-pl-38.2.1-1.mga4
firefox-pt_BR-38.2.1-1.mga4
firefox-pt_PT-38.2.1-1.mga4
firefox-ro-38.2.1-1.mga4
firefox-ru-38.2.1-1.mga4
firefox-si-38.2.1-1.mga4
firefox-sk-38.2.1-1.mga4
firefox-sl-38.2.1-1.mga4
firefox-sq-38.2.1-1.mga4
firefox-sr-38.2.1-1.mga4
firefox-sv_SE-38.2.1-1.mga4
firefox-ta-38.2.1-1.mga4
firefox-te-38.2.1-1.mga4
firefox-th-38.2.1-1.mga4
firefox-tr-38.2.1-1.mga4
firefox-uk-38.2.1-1.mga4
firefox-uz-38.2.1-1.mga4
firefox-vi-38.2.1-1.mga4
firefox-xh-38.2.1-1.mga4
firefox-zh_CN-38.2.1-1.mga4
firefox-zh_TW-38.2.1-1.mga4
libnspr4-4.10.9-1.mga5
libnspr-devel-4.10.9-1.mga5
nss-3.20.0-1.mga5
nss-doc-3.20.0-1.mga5
libnss3-3.20.0-1.mga5
libnss-devel-3.20.0-1.mga5
libnss-static-devel-3.20.0-1.mga5
firefox-38.2.1-1.mga5
firefox-devel-38.2.1-1.mga5
firefox-af-38.2.1-1.mga5
firefox-an-38.2.1-1.mga5
firefox-ar-38.2.1-1.mga5
firefox-as-38.2.1-1.mga5
firefox-ast-38.2.1-1.mga5
firefox-az-38.2.1-1.mga5
firefox-be-38.2.1-1.mga5
firefox-bg-38.2.1-1.mga5
firefox-bn_IN-38.2.1-1.mga5
firefox-bn_BD-38.2.1-1.mga5
firefox-br-38.2.1-1.mga5
firefox-bs-38.2.1-1.mga5
firefox-ca-38.2.1-1.mga5
firefox-cs-38.2.1-1.mga5
firefox-cy-38.2.1-1.mga5
firefox-da-38.2.1-1.mga5
firefox-de-38.2.1-1.mga5
firefox-el-38.2.1-1.mga5
firefox-en_GB-38.2.1-1.mga5
firefox-en_US-38.2.1-1.mga5
firefox-en_ZA-38.2.1-1.mga5
firefox-eo-38.2.1-1.mga5
firefox-es_AR-38.2.1-1.mga5
firefox-es_CL-38.2.1-1.mga5
firefox-es_ES-38.2.1-1.mga5
firefox-es_MX-38.2.1-1.mga5
firefox-et-38.2.1-1.mga5
firefox-eu-38.2.1-1.mga5
firefox-fa-38.2.1-1.mga5
firefox-ff-38.2.1-1.mga5
firefox-fi-38.2.1-1.mga5
firefox-fr-38.2.1-1.mga5
firefox-fy_NL-38.2.1-1.mga5
firefox-ga_IE-38.2.1-1.mga5
firefox-gd-38.2.1-1.mga5
firefox-gl-38.2.1-1.mga5
firefox-gu_IN-38.2.1-1.mga5
firefox-he-38.2.1-1.mga5
firefox-hi_IN-38.2.1-1.mga5
firefox-hr-38.2.1-1.mga5
firefox-hsb-38.2.1-1.mga5
firefox-hu-38.2.1-1.mga5
firefox-hy_AM-38.2.1-1.mga5
firefox-id-38.2.1-1.mga5
firefox-is-38.2.1-1.mga5
firefox-it-38.2.1-1.mga5
firefox-ja-38.2.1-1.mga5
firefox-kk-38.2.1-1.mga5
firefox-km-38.2.1-1.mga5
firefox-kn-38.2.1-1.mga5
firefox-ko-38.2.1-1.mga5
firefox-lij-38.2.1-1.mga5
firefox-lt-38.2.1-1.mga5
firefox-lv-38.2.1-1.mga5
firefox-mai-38.2.1-1.mga5
firefox-mk-38.2.1-1.mga5
firefox-ml-38.2.1-1.mga5
firefox-mr-38.2.1-1.mga5
firefox-ms-38.2.1-1.mga5
firefox-nb_NO-38.2.1-1.mga5
firefox-nl-38.2.1-1.mga5
firefox-nn_NO-38.2.1-1.mga5
firefox-or-38.2.1-1.mga5
firefox-pa_IN-38.2.1-1.mga5
firefox-pl-38.2.1-1.mga5
firefox-pt_BR-38.2.1-1.mga5
firefox-pt_PT-38.2.1-1.mga5
firefox-ro-38.2.1-1.mga5
firefox-ru-38.2.1-1.mga5
firefox-si-38.2.1-1.mga5
firefox-sk-38.2.1-1.mga5
firefox-sl-38.2.1-1.mga5
firefox-sq-38.2.1-1.mga5
firefox-sr-38.2.1-1.mga5
firefox-sv_SE-38.2.1-1.mga5
firefox-ta-38.2.1-1.mga5
firefox-te-38.2.1-1.mga5
firefox-th-38.2.1-1.mga5
firefox-tr-38.2.1-1.mga5
firefox-uk-38.2.1-1.mga5
firefox-uz-38.2.1-1.mga5
firefox-vi-38.2.1-1.mga5
firefox-xh-38.2.1-1.mga5
firefox-zh_CN-38.2.1-1.mga5
firefox-zh_TW-38.2.1-1.mga5

from SRPMS:
nspr-4.10.9-1.mga4.src.rpm
nss-3.20.0-1.mga4.src.rpm
firefox-38.2.1-1.mga4.src.rpm
firefox-l10n-38.2.1-1.mga4.src.rpm
nspr-4.10.9-1.mga5.src.rpm
nss-3.20.0-1.mga5.src.rpm
firefox-38.2.1-1.mga5.src.rpm
firefox-l10n-38.2.1-1.mga5.src.rpm

David Walser 2015-08-28 21:46:37 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Lewis Smith 2015-08-28 22:39:33 CEST
Any use of Updates Testing wanted to take out my 3 Firefox language packs (cy, en_GB, en_ZA [whatever that is]). In spite of which, I installed this Firefox update
 firefox-38.2.1-1.mga4
and it *did* take them out.
Trying to install them explicitly with urpmi, with the normal or updates testing repos enabled, complained that they were older:
 firefox-cy-38.2.0-1.mga4     firefox-en_GB-38.2.0-1.mga4
so I did nothing.
I guess all the language packs cited in Comment 0 should be in Updates Testing.

CC: (none) => lewyssmith

Comment 2 David Walser 2015-08-28 22:41:01 CEST
(In reply to Lewis Smith from comment #1)
> Any use of Updates Testing wanted to take out my 3 Firefox language packs
> (cy, en_GB, en_ZA [whatever that is]). In spite of which, I installed this
> Firefox update
>  firefox-38.2.1-1.mga4
> and it *did* take them out.
> Trying to install them explicitly urpmi with normal or update testing repos
> enabled complained that they were older:
>  firefox-cy-38.2.0-1.mga4     firefox-en_GB-38.2.0-1.mga4
> so I did nothing.
> I guess all the language packs cited in Comment 0 should be in updates
> Testing.

Your mirror is behind.  l10n (the language packs) was the last package pushed, so it hasn't made it to your mirror.  Try another one or wait an hour.
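
The "older" complaint in comment 1 comes from RPM's version ordering: 38.2.0-1.mga4 sorts below 38.2.1-1.mga4. As an added example (not code from the bug or from Mageia's tooling), here is a Python reimplementation of librpm's rpmvercmp() used to check which installed name-version-release strings are still below the fixed ones listed in this bug; it assumes NVR strings in the form shown above (no epoch), and the INSTALLED/REQUIRED lists are constructed to mirror comment 1.

```python
import re

def rpmvercmp(a, b):
    """librpm-style version compare: numeric/alpha segments, numeric beats
    alpha, '~' sorts before anything. Returns -1, 0 or 1 ('^' not handled)."""
    i = j = 0
    while i < len(a) or j < len(b):
        i += len(re.match(r"[^0-9A-Za-z~]*", a[i:]).group(0))  # skip separators
        j += len(re.match(r"[^0-9A-Za-z~]*", b[j:]).group(0))
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta != tb:                     # tilde (pre-release) sorts lowest
            return -1 if ta else 1
        if ta:                           # both '~': skip it and carry on
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):   # one side exhausted
            break
        isnum = a[i].isdigit()
        pat = r"\d*" if isnum else r"[A-Za-z]*"
        sa, sb = (re.match(pat, s[k:]).group(0) for s, k in ((a, i), (b, j)))
        if not sb:                       # numeric segment beats alpha segment
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):       # more digits means bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1      # leftover characters win

def nvr_at_least(installed, required):
    """True if installed 'name-version-release' is >= required (same name)."""
    (n1, v1, r1), (n2, v2, r2) = installed.rsplit("-", 2), required.rsplit("-", 2)
    if n1 != n2:
        raise ValueError("comparing different packages")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

def still_older(installed, required):
    """Required NVRs whose same-named installed package is still older."""
    have = {p.rsplit("-", 2)[0]: p for p in installed}
    return [r for r in required if r.rsplit("-", 2)[0] in have
            and not nvr_at_least(have[r.rsplit("-", 2)[0]], r)]

# Constructed sample mirroring comment 1: firefox is 38.2.1, the mirror still has 38.2.0 l10n packs.
INSTALLED = ["firefox-38.2.1-1.mga4", "firefox-cy-38.2.0-1.mga4", "firefox-en_GB-38.2.0-1.mga4"]
REQUIRED = ["firefox-38.2.1-1.mga4", "firefox-cy-38.2.1-1.mga4", "firefox-en_GB-38.2.1-1.mga4"]
```

Running still_older(INSTALLED, REQUIRED) returns the two language-pack NVRs, which is exactly the set urpmi refused as "older" until the mirror caught up.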

Comment 3 David Walser 2015-08-28 23:22:04 CEST
Working fine on my Mageia 4 i586 machine in my office at work, and already deployed on the Mageia 5 i586 machines in the classroom, working fine there.

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK MGA5-32-OK

Comment 4 Bill Wilkinson 2015-08-29 04:55:26 CEST
Tested mga5-64, usual battery: JetStream for JavaScript, javatester for the Java plugin, YouTube for Flash, general browsing; all OK.

CC: (none) => wrw105
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok

Comment 5 Bill Wilkinson 2015-08-29 05:40:23 CEST
Tested mga4-64 as above. All OK.

Validating. Ready for push when the advisory is added to SVN.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2015-08-29 09:45:41 CEST
Advisory added.

CC: (none) => tmb
Whiteboard: MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok mga4-64-ok => MGA4TOO MGA4-32-OK MGA5-32-OK mga5-64-ok mga4-64-ok advisory

Comment 7 Mageia Robot 2015-08-29 09:53:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0331.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
