Upstream has released version 38.4 today (November 3):
https://www.mozilla.org/en-US/firefox/38.4.0/releasenotes/

Details are not available yet.

This update will also include updates for nspr, rootcerts, and nss.

It is building right now for Mageia 5. Assuming it builds successfully, testing can begin. Advisory and details will come later. Package list below.

Updated packages in core/updates_testing:
========================
libnspr4-4.10.10-1.mga5
libnspr-devel-4.10.10-1.mga5
rootcerts-20151029.00-1.mga5
rootcerts-java-20151029.00-1.mga5
nss-3.20.1-1.mga5
nss-doc-3.20.1-1.mga5
libnss3-3.20.1-1.mga5
libnss-devel-3.20.1-1.mga5
libnss-static-devel-3.20.1-1.mga5
firefox-38.4.0-1.mga5
firefox-devel-38.4.0-1.mga5
firefox-af-38.4.0-1.mga5
firefox-an-38.4.0-1.mga5
firefox-ar-38.4.0-1.mga5
firefox-as-38.4.0-1.mga5
firefox-ast-38.4.0-1.mga5
firefox-az-38.4.0-1.mga5
firefox-be-38.4.0-1.mga5
firefox-bg-38.4.0-1.mga5
firefox-bn_IN-38.4.0-1.mga5
firefox-bn_BD-38.4.0-1.mga5
firefox-br-38.4.0-1.mga5
firefox-bs-38.4.0-1.mga5
firefox-ca-38.4.0-1.mga5
firefox-cs-38.4.0-1.mga5
firefox-cy-38.4.0-1.mga5
firefox-da-38.4.0-1.mga5
firefox-de-38.4.0-1.mga5
firefox-el-38.4.0-1.mga5
firefox-en_GB-38.4.0-1.mga5
firefox-en_US-38.4.0-1.mga5
firefox-en_ZA-38.4.0-1.mga5
firefox-eo-38.4.0-1.mga5
firefox-es_AR-38.4.0-1.mga5
firefox-es_CL-38.4.0-1.mga5
firefox-es_ES-38.4.0-1.mga5
firefox-es_MX-38.4.0-1.mga5
firefox-et-38.4.0-1.mga5
firefox-eu-38.4.0-1.mga5
firefox-fa-38.4.0-1.mga5
firefox-ff-38.4.0-1.mga5
firefox-fi-38.4.0-1.mga5
firefox-fr-38.4.0-1.mga5
firefox-fy_NL-38.4.0-1.mga5
firefox-ga_IE-38.4.0-1.mga5
firefox-gd-38.4.0-1.mga5
firefox-gl-38.4.0-1.mga5
firefox-gu_IN-38.4.0-1.mga5
firefox-he-38.4.0-1.mga5
firefox-hi_IN-38.4.0-1.mga5
firefox-hr-38.4.0-1.mga5
firefox-hsb-38.4.0-1.mga5
firefox-hu-38.4.0-1.mga5
firefox-hy_AM-38.4.0-1.mga5
firefox-id-38.4.0-1.mga5
firefox-is-38.4.0-1.mga5
firefox-it-38.4.0-1.mga5
firefox-ja-38.4.0-1.mga5
firefox-kk-38.4.0-1.mga5
firefox-km-38.4.0-1.mga5
firefox-kn-38.4.0-1.mga5
firefox-ko-38.4.0-1.mga5
firefox-lij-38.4.0-1.mga5
firefox-lt-38.4.0-1.mga5
firefox-lv-38.4.0-1.mga5
firefox-mai-38.4.0-1.mga5
firefox-mk-38.4.0-1.mga5
firefox-ml-38.4.0-1.mga5
firefox-mr-38.4.0-1.mga5
firefox-ms-38.4.0-1.mga5
firefox-nb_NO-38.4.0-1.mga5
firefox-nl-38.4.0-1.mga5
firefox-nn_NO-38.4.0-1.mga5
firefox-or-38.4.0-1.mga5
firefox-pa_IN-38.4.0-1.mga5
firefox-pl-38.4.0-1.mga5
firefox-pt_BR-38.4.0-1.mga5
firefox-pt_PT-38.4.0-1.mga5
firefox-ro-38.4.0-1.mga5
firefox-ru-38.4.0-1.mga5
firefox-si-38.4.0-1.mga5
firefox-sk-38.4.0-1.mga5
firefox-sl-38.4.0-1.mga5
firefox-sq-38.4.0-1.mga5
firefox-sr-38.4.0-1.mga5
firefox-sv_SE-38.4.0-1.mga5
firefox-ta-38.4.0-1.mga5
firefox-te-38.4.0-1.mga5
firefox-th-38.4.0-1.mga5
firefox-tr-38.4.0-1.mga5
firefox-uk-38.4.0-1.mga5
firefox-uz-38.4.0-1.mga5
firefox-vi-38.4.0-1.mga5
firefox-xh-38.4.0-1.mga5
firefox-zh_CN-38.4.0-1.mga5
firefox-zh_TW-38.4.0-1.mga5

from SRPMS:
nspr-4.10.10-1.mga5.src.rpm
rootcerts-20151029.00-1.mga5.src.rpm
nss-3.20.1-1.mga5.src.rpm
firefox-38.4.0-1.mga5.src.rpm
firefox-l10n-38.4.0-1.mga5.src.rpm
Sorry, the following package cannot be selected: - firefox-en_GB-38.4.0-1.mga5.noarch (due to unsatisfied firefox[== 0:38.4.0])
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #1)
> Sorry, the following package cannot be selected:
> - firefox-en_GB-38.4.0-1.mga5.noarch (due to unsatisfied firefox[==
> 0:38.4.0])

You tried too early. l10n was built before firefox finished. They're all uploaded now.
No advisory from RedHat yet, but upstream advisories are up. There are gobs of security fixes included in nspr, nss, and firefox.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7200
https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Working fine on Mageia 5 i586.
Whiteboard: (none) => MGA5-32-OK
Installed on x86-64 with Mate desktop. Running fine here - recovered saved tabs. HTML5 player and sound working as before on YouTube videos. Interactive JPEG on APOD (Astronomy Picture Of The Day).
CC: (none) => tarazed25
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Installed on i586 with KDE desktop. Running fine here - recovered saved tabs. HTML5 player and sound working.
CC: (none) => westel
Works fine on Mageia 5 x86_64, KDE4, intel graphics. I tried typical browsing on youtube, facebook, github, etc., and had no issue. I can't test flash player integration as I nuked this glorified bundle of flaws out of my desktop experience.
RedHat has issued advisories for these today (November 4):
https://rhn.redhat.com/errata/RHSA-2015-1981.html
https://rhn.redhat.com/errata/RHSA-2015-1982.html

Advisory:
========================

Updated nspr, nss, and firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196, CVE-2015-7198, CVE-2015-7197)

A same-origin policy bypass flaw was found in the way Firefox handled certain cross-origin resource sharing (CORS) requests. A web page containing malicious content could cause Firefox to disclose sensitive information. (CVE-2015-7193)

A same-origin policy bypass flaw was found in the way Firefox handled URLs containing IP addresses with white-space characters. This could lead to cross-site scripting attacks. (CVE-2015-7188)

A use-after-poison flaw and a heap-based buffer overflow flaw were found in the way NSS parsed certain ASN.1 structures. An attacker could use these flaws to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library. (CVE-2015-7181, CVE-2015-7182)

A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library. (CVE-2015-7183)

Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE, PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuilt against the fixed nspr packages to completely resolve the CVE-2015-7183 issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7198
https://www.mozilla.org/en-US/security/advisories/mfsa2015-116/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-122/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-123/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-127/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-128/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-130/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-131/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-132/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2015-1981.html
https://rhn.redhat.com/errata/RHSA-2015-1982.html
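
Added example (not part of the original report and not Mageia's own tooling): a check that flags hosts still running builds older than the fixed versions listed in this report, using a simplified rpm-style version comparison. The sample query output is constructed, the function names are hypothetical, and epochs and tilde/caret ordering are not handled.

```python
import re
# Fixed builds, taken from the package list in this report (Mageia 5).
FIXED = {
    "libnspr4": "4.10.10-1.mga5",
    "libnss3": "3.20.1-1.mga5",
    "rootcerts": "20151029.00-1.mga5",
    "firefox": "38.4.0-1.mga5",
}

def _segments(s):
    # rpm compares runs of digits or letters; separators only delimit them.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version compare (no epoch, tilde or caret): -1, 0, 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(installed_lines):
    """Map package name -> installed build for packages older than FIXED."""
    stale = {}
    for line in installed_lines:
        name, vr = line.split(None, 1)
        if name in FIXED and vr_cmp(vr.strip(), FIXED[name]) < 0:
            stale[name] = vr.strip()
    return stale

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = [
    "firefox 38.3.0-1.mga5",
    "libnspr4 4.10.10-1.mga5",
    "libnss3 3.20.0-1.mga5",
    "rootcerts 20150804.00-1.mga5",
    "bash 4.3-33.2.mga5",
]

STALE = outdated(SAMPLE)  # packages on this host that still need the update
```

A clean result here only covers the packaged libraries; per the advisory note, applications built with the NSPR arena macros also have to be rebuilt against the fixed nspr.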
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0427.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for nspr/nss issues: http://lwn.net/Vulnerabilities/663060/
URL: (none) => http://lwn.net/Vulnerabilities/663061/