Upstream has released version 38.7.0 today (March 7). No details are available yet.

The nspr and nss packages are also being updated this time.

Updated packages uploaded for Mageia 5.

Updated packages in core/updates_testing:
========================
libnspr4-4.12-1.mga5
libnspr-devel-4.12-1.mga5
nss-3.21.1-1.mga5
nss-doc-3.21.1-1.mga5
libnss3-3.21.1-1.mga5
libnss-devel-3.21.1-1.mga5
libnss-static-devel-3.21.1-1.mga5
firefox-38.7.0-1.mga5
firefox-devel-38.7.0-1.mga5
firefox-af-38.7.0-1.mga5
firefox-an-38.7.0-1.mga5
firefox-ar-38.7.0-1.mga5
firefox-as-38.7.0-1.mga5
firefox-ast-38.7.0-1.mga5
firefox-az-38.7.0-1.mga5
firefox-be-38.7.0-1.mga5
firefox-bg-38.7.0-1.mga5
firefox-bn_IN-38.7.0-1.mga5
firefox-bn_BD-38.7.0-1.mga5
firefox-br-38.7.0-1.mga5
firefox-bs-38.7.0-1.mga5
firefox-ca-38.7.0-1.mga5
firefox-cs-38.7.0-1.mga5
firefox-cy-38.7.0-1.mga5
firefox-da-38.7.0-1.mga5
firefox-de-38.7.0-1.mga5
firefox-el-38.7.0-1.mga5
firefox-en_GB-38.7.0-1.mga5
firefox-en_US-38.7.0-1.mga5
firefox-en_ZA-38.7.0-1.mga5
firefox-eo-38.7.0-1.mga5
firefox-es_AR-38.7.0-1.mga5
firefox-es_CL-38.7.0-1.mga5
firefox-es_ES-38.7.0-1.mga5
firefox-es_MX-38.7.0-1.mga5
firefox-et-38.7.0-1.mga5
firefox-eu-38.7.0-1.mga5
firefox-fa-38.7.0-1.mga5
firefox-ff-38.7.0-1.mga5
firefox-fi-38.7.0-1.mga5
firefox-fr-38.7.0-1.mga5
firefox-fy_NL-38.7.0-1.mga5
firefox-ga_IE-38.7.0-1.mga5
firefox-gd-38.7.0-1.mga5
firefox-gl-38.7.0-1.mga5
firefox-gu_IN-38.7.0-1.mga5
firefox-he-38.7.0-1.mga5
firefox-hi_IN-38.7.0-1.mga5
firefox-hr-38.7.0-1.mga5
firefox-hsb-38.7.0-1.mga5
firefox-hu-38.7.0-1.mga5
firefox-hy_AM-38.7.0-1.mga5
firefox-id-38.7.0-1.mga5
firefox-is-38.7.0-1.mga5
firefox-it-38.7.0-1.mga5
firefox-ja-38.7.0-1.mga5
firefox-kk-38.7.0-1.mga5
firefox-km-38.7.0-1.mga5
firefox-kn-38.7.0-1.mga5
firefox-ko-38.7.0-1.mga5
firefox-lij-38.7.0-1.mga5
firefox-lt-38.7.0-1.mga5
firefox-lv-38.7.0-1.mga5
firefox-mai-38.7.0-1.mga5
firefox-mk-38.7.0-1.mga5
firefox-ml-38.7.0-1.mga5
firefox-mr-38.7.0-1.mga5
firefox-ms-38.7.0-1.mga5
firefox-nb_NO-38.7.0-1.mga5
firefox-nl-38.7.0-1.mga5
firefox-nn_NO-38.7.0-1.mga5
firefox-or-38.7.0-1.mga5
firefox-pa_IN-38.7.0-1.mga5
firefox-pl-38.7.0-1.mga5
firefox-pt_BR-38.7.0-1.mga5
firefox-pt_PT-38.7.0-1.mga5
firefox-ro-38.7.0-1.mga5
firefox-ru-38.7.0-1.mga5
firefox-si-38.7.0-1.mga5
firefox-sk-38.7.0-1.mga5
firefox-sl-38.7.0-1.mga5
firefox-sq-38.7.0-1.mga5
firefox-sr-38.7.0-1.mga5
firefox-sv_SE-38.7.0-1.mga5
firefox-ta-38.7.0-1.mga5
firefox-te-38.7.0-1.mga5
firefox-th-38.7.0-1.mga5
firefox-tr-38.7.0-1.mga5
firefox-uk-38.7.0-1.mga5
firefox-uz-38.7.0-1.mga5
firefox-vi-38.7.0-1.mga5
firefox-xh-38.7.0-1.mga5
firefox-zh_CN-38.7.0-1.mga5
firefox-zh_TW-38.7.0-1.mga5

from SRPMS:
nspr-4.12-1.mga5.src.rpm
nss-3.21.1-1.mga5.src.rpm
firefox-38.7.0-1.mga5.src.rpm
firefox-l10n-38.7.0-1.mga5.src.rpm
Updated English packages for both 64-bit and 32-bit systems on two different sets of hardware, as well as in VirtualBox. Visited different websites, including Facebook, my local newspaper, the local NOAA weather forecast. No problems noted.
CC: (none) => andrewsfarm
Everything working fine Mageia 5 i586 too. Hopefully we'll have an advisory tomorrow.
Whiteboard: (none) => MGA5-32-OK
Testing mga5-32

Packages installed from testing:
- firefox-38.7.0-1.mga5.i586
- firefox-en_GB-38.7.0-1.mga5.noarch
- libnspr4-4.12-1.mga5.i586
- libnss3-3.21.1-1.mga5.i586
- nss-3.21.1-1.mga5.i586

Packages installed cleanly
Everything working OK

OK for mga5-32
Testing on mga5-64 (two systems)

Packages installed from testing:
- firefox-38.7.0-1.mga5.x86_64
- firefox-en_GB-38.7.0-1.mga5.noarch
- lib64nspr4-4.12-1.mga5.x86_64
- lib64nss3-3.21.1-1.mga5.x86_64
- nss-3.21.1-1.mga5.x86_64

Packages installed cleanly
Everything working OK

OK for mga5-64
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Upstream details are now available:
https://www.mozilla.org/en-US/firefox/38.7.0/releasenotes/

Still waiting on RedHat's advisory.

The nss 3.21.1 update fixes CVE-2016-1950:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/

That one won't be in RedHat's advisory, so I'll have to remember to add it myself.

Security researcher Francis Gabriel reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user (CVE-2016-1950).

Above is the advisory blurb for the NSS CVE.

We already fixed the graphite2 CVEs in that package, but Firefox bundles it, so it'll fix those here too and should be listed in RedHat's advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-136/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Severity: normal => critical
RedHat has issued advisories for this today (March 9):
https://rhn.redhat.com/errata/RHSA-2016-0370.html
https://rhn.redhat.com/errata/RHSA-2016-0373.html

I excluded CVE-2016-1973 from their advisory, because the upstream advisory says it was only fixed in Firefox 45:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/

I added CVE-2016-1979, which was also fixed in NSS 3.21.1:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/

Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

Security researcher SkyLined reported a use-after-free issue in how audio is handled through the Web Audio API during MediaStream playback through interactions with the Web Audio API. This results in a potentially exploitable crash (CVE-2015-4477).

Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if performance.getEntries() is used along with an iframe to host a page. Navigating back in history through script, content is pulled from the browser cache for the redirected location instead of going to the original location. This is a same-origin policy violation and could allow for data theft (CVE-2015-7207).

A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library (CVE-2016-1950).

Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes (CVE-2016-1979).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1958, CVE-2016-1960, CVE-2016-1961, CVE-2016-1962, CVE-2016-1974, CVE-2016-1964, CVE-2016-1965, CVE-2016-1966).

Multiple security flaws were found in the graphite2 font library shipped with Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2802
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-136/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-0370.html
https://rhn.redhat.com/errata/RHSA-2016-0373.html
Thanks David.

Validating. Advisory uploaded.

Please push to 5 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
LWN reference for CVE-2016-1950: http://lwn.net/Vulnerabilities/679401/
URL: (none) => http://lwn.net/Vulnerabilities/679400/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0105.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-1979: http://lwn.net/Vulnerabilities/679618/
nspr 4.12 fixed CVE-2016-1951: http://lwn.net/Vulnerabilities/691095/
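
An added example, not part of the bug thread or of Mageia's tooling: a check that flags hosts still running builds older than the fixed packages named above. It assumes `rpm -qa` prints name-version-release.arch lines, uses a simplified version comparison (no epoch or tilde handling), and runs on a constructed sample listing.

```python
import re

# Fixed builds named in the thread above (Mageia 5, version-release).
FIXED = {
    "firefox": "38.7.0-1.mga5",
    "nss": "3.21.1-1.mga5",
    "libnss3": "3.21.1-1.mga5",
    "lib64nss3": "3.21.1-1.mga5",
    "libnspr4": "4.12-1.mga5",
    "lib64nspr4": "4.12-1.mga5",
}

# Constructed sample of `rpm -qa` output; not taken from any real host.
SAMPLE = """\
firefox-38.6.0-1.mga5.x86_64
firefox-en_GB-38.7.0-1.mga5.noarch
lib64nss3-3.21.1-1.mga5.x86_64
nss-3.21-1.mga5.x86_64
lib64nspr4-4.11-1.mga5.x86_64
bash-4.3-48.mga5.x86_64
"""

def vercmp(a, b):
    """Simplified rpm-style compare: digit runs numerically, letter runs as text."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats a letter one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_output):
    """Return {name: (installed, fixed)} for tracked packages below the fixed build."""
    stale = {}
    for line in filter(str.strip, rpm_output.splitlines()):
        # Drop the arch suffix, then split from the right: names may contain dashes.
        parts = line.strip().rsplit(".", 1)[0].rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in FIXED:
            continue
        name, version, release = parts
        fixed_ver, fixed_rel = FIXED[name].split("-")
        if (vercmp(version, fixed_ver) or vercmp(release, fixed_rel)) < 0:
            stale[name] = (f"{version}-{release}", FIXED[name])
    return stale
```

Feed it the real output of `rpm -qa` in place of `SAMPLE`; an empty result means every tracked package is at or above the fixed build.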