Firefox 38.3 has been released, fixing several security issues:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

It is building right now for Mageia 5. Assuming it builds successfully, testing can begin.

Advisory and details will come later. Package list below.

Updated packages in core/updates_testing:
========================
firefox-38.3.0-1.mga5
firefox-devel-38.3.0-1.mga5
firefox-af-38.3.0-1.mga5
firefox-an-38.3.0-1.mga5
firefox-ar-38.3.0-1.mga5
firefox-as-38.3.0-1.mga5
firefox-ast-38.3.0-1.mga5
firefox-az-38.3.0-1.mga5
firefox-be-38.3.0-1.mga5
firefox-bg-38.3.0-1.mga5
firefox-bn_IN-38.3.0-1.mga5
firefox-bn_BD-38.3.0-1.mga5
firefox-br-38.3.0-1.mga5
firefox-bs-38.3.0-1.mga5
firefox-ca-38.3.0-1.mga5
firefox-cs-38.3.0-1.mga5
firefox-cy-38.3.0-1.mga5
firefox-da-38.3.0-1.mga5
firefox-de-38.3.0-1.mga5
firefox-el-38.3.0-1.mga5
firefox-en_GB-38.3.0-1.mga5
firefox-en_US-38.3.0-1.mga5
firefox-en_ZA-38.3.0-1.mga5
firefox-eo-38.3.0-1.mga5
firefox-es_AR-38.3.0-1.mga5
firefox-es_CL-38.3.0-1.mga5
firefox-es_ES-38.3.0-1.mga5
firefox-es_MX-38.3.0-1.mga5
firefox-et-38.3.0-1.mga5
firefox-eu-38.3.0-1.mga5
firefox-fa-38.3.0-1.mga5
firefox-ff-38.3.0-1.mga5
firefox-fi-38.3.0-1.mga5
firefox-fr-38.3.0-1.mga5
firefox-fy_NL-38.3.0-1.mga5
firefox-ga_IE-38.3.0-1.mga5
firefox-gd-38.3.0-1.mga5
firefox-gl-38.3.0-1.mga5
firefox-gu_IN-38.3.0-1.mga5
firefox-he-38.3.0-1.mga5
firefox-hi_IN-38.3.0-1.mga5
firefox-hr-38.3.0-1.mga5
firefox-hsb-38.3.0-1.mga5
firefox-hu-38.3.0-1.mga5
firefox-hy_AM-38.3.0-1.mga5
firefox-id-38.3.0-1.mga5
firefox-is-38.3.0-1.mga5
firefox-it-38.3.0-1.mga5
firefox-ja-38.3.0-1.mga5
firefox-kk-38.3.0-1.mga5
firefox-km-38.3.0-1.mga5
firefox-kn-38.3.0-1.mga5
firefox-ko-38.3.0-1.mga5
firefox-lij-38.3.0-1.mga5
firefox-lt-38.3.0-1.mga5
firefox-lv-38.3.0-1.mga5
firefox-mai-38.3.0-1.mga5
firefox-mk-38.3.0-1.mga5
firefox-ml-38.3.0-1.mga5
firefox-mr-38.3.0-1.mga5
firefox-ms-38.3.0-1.mga5
firefox-nb_NO-38.3.0-1.mga5
firefox-nl-38.3.0-1.mga5
firefox-nn_NO-38.3.0-1.mga5
firefox-or-38.3.0-1.mga5
firefox-pa_IN-38.3.0-1.mga5
firefox-pl-38.3.0-1.mga5
firefox-pt_BR-38.3.0-1.mga5
firefox-pt_PT-38.3.0-1.mga5
firefox-ro-38.3.0-1.mga5
firefox-ru-38.3.0-1.mga5
firefox-si-38.3.0-1.mga5
firefox-sk-38.3.0-1.mga5
firefox-sl-38.3.0-1.mga5
firefox-sq-38.3.0-1.mga5
firefox-sr-38.3.0-1.mga5
firefox-sv_SE-38.3.0-1.mga5
firefox-ta-38.3.0-1.mga5
firefox-te-38.3.0-1.mga5
firefox-th-38.3.0-1.mga5
firefox-tr-38.3.0-1.mga5
firefox-uk-38.3.0-1.mga5
firefox-uz-38.3.0-1.mga5
firefox-vi-38.3.0-1.mga5
firefox-xh-38.3.0-1.mga5
firefox-zh_CN-38.3.0-1.mga5
firefox-zh_TW-38.3.0-1.mga5
RedHat has issued an advisory for this today (September 22):
https://rhn.redhat.com/errata/RHSA-2015-1834.html

Their list of CVEs and MFSA's doesn't match upstream, and I'm not sure why. According to upstream, the references should be:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7180
https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

There's also CVE-2015-4506 which needs to be fixed in our libvpx package:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506
https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/
(In reply to David Walser from comment #1)
> There's also CVE-2015-4506 which needs to be fixed in our libvpx package:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/

This appears to just piggyback on the fix for CVE-2015-1258, lowering the size limit from 16384x16384 to 4000x3000.
Tested mga5-64 with the usual battery: Jetstream, YouTube for Flash, acid3, general browsing, javatester for Java. No regressions noted. All OK.
CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga5-64-ok
(In reply to David Walser from comment #2)
> (In reply to David Walser from comment #1)
> > There's also CVE-2015-4506 which needs to be fixed in our libvpx package:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4506
> > https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/
>
> This appears to just piggyback on the fix for CVE-2015-1258, lowering the
> size limit from 16384x16384 to 4000x3000.

Chrome (where we got the CVE-2015-1258 fix from) is still using 16384x16384. I wonder if the new CVE is for the same issue, just for its use in Firefox. I think we don't need to worry about this one.
Testing complete mga5 32
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok
Need an advisory please
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox that could cause memory corruption and crashes or potentially allow for arbitrary code execution (CVE-2015-4500).

Using the Address Sanitizer tool, security researcher Atte Kettunen discovered a buffer overflow in the nestegg library when decoding a WebM format video with maliciously formatted headers. This leads to a potentially exploitable crash (CVE-2015-4511).

An anonymous researcher reported, via HP's Zero Day Initiative, a use-after-free vulnerability with HTML media elements on a page during script manipulation of the URI table of these elements. This results in a potentially exploitable crash (CVE-2015-4509).

Security researcher Mario Gomes reported that when a previously loaded image on a page is drag and dropped into content after a redirect, the redirected URL is available to scripts. This is a violation of the Fetch specification's defined behavior for "Atomic HTTP redirect handling" which states that redirected URLs are not exposed to any APIs. This can allow for information leakage (CVE-2015-4519).

Mozilla developer Ehsan Akhgari reported two issues with Cross-origin resource sharing (CORS) "preflight" requests. The first issue is that in some circumstances the same cache key can be generated for two preflight requests on a site. As a result, if a second request is made that will match the cached key generated by an earlier request, CORS checks will be bypassed because the system will see the previously cached request as applicable (CVE-2015-4520). In the second issue, when some Access-Control- headers are missing from CORS responses, the values from different Access-Control- headers can be used that are present in the same response.

Security researcher Ronald Crane reported eight vulnerabilities affecting released code that were found through code inspection. These included several potential memory safety issues resulting from the use of snprintf, one use of unowned memory, one use of a string without overflow checks, and five memory safety bugs. These do not all have clear mechanisms to be exploited through web content but are vulnerable if a mechanism can be found to trigger them (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7180
https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
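A consistency check that could be run on an advisory draft before upload, added here as an example and not part of the Mageia tooling or of any comment in this thread: it compares the CVE identifiers cited in the advisory body with those in the References list. The function name and the shortened sample text (descriptions trimmed, identifiers taken from the advisory above) are assumptions of this example.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
REF_CVE_RE = re.compile(r"cvename\.cgi\?name=(CVE-\d{4}-\d{4,})")
REF_MFSA_RE = re.compile(r"/advisories/mfsa(\d{4}-\d+)/")


def cross_check(advisory: str) -> dict:
    """Compare CVE IDs cited in the advisory body with the References list."""
    body, sep, refs = advisory.partition("References:")
    if not sep:
        raise ValueError("advisory has no 'References:' section")
    body_cves = set(CVE_RE.findall(body))
    ref_cves = set(REF_CVE_RE.findall(refs))
    mfsa = sorted(REF_MFSA_RE.findall(refs), key=lambda s: int(s.split("-")[1]))
    return {
        "body_only": sorted(body_cves - ref_cves),  # cited, but no reference URL
        "refs_only": sorted(ref_cves - body_cves),  # referenced, never cited
        "mfsa": mfsa,
    }


# Shortened excerpt of the advisory text in this thread (descriptions trimmed).
SAMPLE = """\
Updated firefox packages fix security vulnerabilities:
memory safety bugs in the browser engine (CVE-2015-4500).
buffer overflow in the nestegg library (CVE-2015-4511).
use-after-free with HTML media elements (CVE-2015-4509).
redirected URL is available to scripts (CVE-2015-4519).
CORS preflight cache key (CVE-2015-4520).
code inspection findings (CVE-2015-4517, CVE-2015-4521, CVE-2015-4522,
CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180).
References:
""" + "\n".join(
    f"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-{n}"
    for n in (4500, 4509, 4517, 4519, 4520, 4521, 4522,
              7174, 7175, 7176, 7177, 7180)
) + "\n" + "\n".join(
    f"https://www.mozilla.org/en-US/security/advisories/mfsa2015-{n}/"
    for n in (96, 105, 106, 110, 111, 112)
)

if __name__ == "__main__":
    for key, values in cross_check(SAMPLE).items():
        print(f"{key}: {', '.join(values) or '(none)'}")
```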
LWN reference for some of the issues: http://lwn.net/Vulnerabilities/658201/
URL: (none) => http://lwn.net/Vulnerabilities/658199/
Thanks.

SRPMs from changelog ML
- firefox-38.3.0-1.mga5
- firefox-l10n-38.3.0-1.mga5

Validating. Advisory uploaded.

Please push to 5 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure advisory mga5-64-ok mga5-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0382.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED