One of the NSS security issues that was supposed to have been fixed in the previous Firefox update Bug 17900 was actually fixed in the next NSS version *after* the one we shipped in that update. This error was made due to a mistake in Mozilla's advisory. The nss update also comes with a rootcerts update. Updated packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated rootcerts and nss packages fix security vulnerability: A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library (CVE-2016-1950). This issue was supposed to have been fixed in MGASA-2016-0105, but Mozilla did not include the fix until the following nss releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950 https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/ https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes http://advisories.mageia.org/MGASA-2016-0105.html ======================== Updated packages in core/updates_testing: ======================== rootcerts-20160225.00-1.mga5 rootcerts-java-20160225.00-1.mga5 nss-3.23.0-1.mga5 nss-doc-3.23.0-1.mga5 libnss3-3.23.0-1.mga5 libnss-devel-3.23.0-1.mga5 libnss-static-devel-3.23.0-1.mga5 from SRPMS: rootcerts-20160225.00-1.mga5.src.rpm nss-3.23.0-1.mga5.src.rpm
Firefox working fine with the updated packages.
Whiteboard: (none) => MGA5-32-OK
Blocks: (none) => 18006
Adding OK mga5 64 as Len tested with Thunderbird in bug 18006
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
Validating. Advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK mga5-64-ok => advisory MGA5-32-OK mga5-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0114.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This also fixed CVE-2016-2834: http://lwn.net/Vulnerabilities/692857/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/