Mozilla has released Firefox 45.2.0 today (June 7): https://www.mozilla.org/en-US/firefox/45.2.0/releasenotes/ firefox is built and firefox-l10n is queued and should be in updates_testing within the next couple of hours. Advisory to come later. Updated packages in core/updates_testing: ================ firefox-45.2.0-1.mga5 firefox-af-45.2.0-1.mga5 firefox-an-45.2.0-1.mga5 firefox-ar-45.2.0-1.mga5 firefox-as-45.2.0-1.mga5 firefox-ast-45.2.0-1.mga5 firefox-az-45.2.0-1.mga5 firefox-be-45.2.0-1.mga5 firefox-bg-45.2.0-1.mga5 firefox-bn_BD-45.2.0-1.mga5 firefox-bn_IN-45.2.0-1.mga5 firefox-br-45.2.0-1.mga5 firefox-bs-45.2.0-1.mga5 firefox-ca-45.2.0-1.mga5 firefox-cs-45.2.0-1.mga5 firefox-cy-45.2.0-1.mga5 firefox-da-45.2.0-1.mga5 firefox-de-45.2.0-1.mga5 firefox-devel-45.2.0-2.mga5 firefox-el-45.2.0-1.mga5 firefox-en_GB-45.2.0-1.mga5 firefox-en_US-45.2.0-1.mga5 firefox-en_ZA-45.2.0-1.mga5 firefox-eo-45.2.0-1.mga5 firefox-es_AR-45.2.0-1.mga5 firefox-es_CL-45.2.0-1.mga5 firefox-es_ES-45.2.0-1.mga5 firefox-es_MX-45.2.0-1.mga5 firefox-et-45.2.0-1.mga5 firefox-eu-45.2.0-1.mga5 firefox-fa-45.2.0-1.mga5 firefox-ff-45.2.0-1.mga5 firefox-fi-45.2.0-1.mga5 firefox-fr-45.2.0-1.mga5 firefox-fy_NL-45.2.0-1.mga5 firefox-ga_IE-45.2.0-1.mga5 firefox-gd-45.2.0-1.mga5 firefox-gl-45.2.0-1.mga5 firefox-gu_IN-45.2.0-1.mga5 firefox-he-45.2.0-1.mga5 firefox-hi_IN-45.2.0-1.mga5 firefox-hr-45.2.0-1.mga5 firefox-hsb-45.2.0-1.mga5 firefox-hu-45.2.0-1.mga5 firefox-hy_AM-45.2.0-1.mga5 firefox-id-45.2.0-1.mga5 firefox-is-45.2.0-1.mga5 firefox-it-45.2.0-1.mga5 firefox-ja-45.2.0-1.mga5 firefox-kk-45.2.0-1.mga5 firefox-km-45.2.0-1.mga5 firefox-kn-45.2.0-1.mga5 firefox-ko-45.2.0-1.mga5 firefox-lij-45.2.0-1.mga5 firefox-lt-45.2.0-1.mga5 firefox-lv-45.2.0-1.mga5 firefox-mai-45.2.0-1.mga5 firefox-mk-45.2.0-1.mga5 firefox-ml-45.2.0-1.mga5 firefox-mr-45.2.0-1.mga5 firefox-ms-45.2.0-1.mga5 firefox-nb_NO-45.2.0-1.mga5 firefox-nl-45.2.0-1.mga5 firefox-nn_NO-45.2.0-1.mga5 firefox-or-45.2.0-1.mga5 firefox-pa_IN-45.2.0-1.mga5 firefox-pl-45.2.0-1.mga5 firefox-pt_BR-45.2.0-1.mga5 firefox-pt_PT-45.2.0-1.mga5 firefox-ro-45.2.0-1.mga5 firefox-ru-45.2.0-1.mga5 firefox-si-45.2.0-1.mga5 firefox-sk-45.2.0-1.mga5 firefox-sl-45.2.0-1.mga5 firefox-sq-45.2.0-1.mga5 firefox-sr-45.2.0-1.mga5 firefox-sv_SE-45.2.0-1.mga5 firefox-ta-45.2.0-1.mga5 firefox-te-45.2.0-1.mga5 firefox-th-45.2.0-1.mga5 firefox-tr-45.2.0-1.mga5 firefox-uk-45.2.0-1.mga5 firefox-uz-45.2.0-1.mga5 firefox-vi-45.2.0-1.mga5 firefox-xh-45.2.0-1.mga5 firefox-zh_CN-45.2.0-1.mga5 firefox-zh_TW-45.2.0-1.mga5 from SRPMS: firefox-45.2.0-1.mga5.src.rpm firefox-l10n-45.2.0-1.mga5.src.rpm
Adding myself to the CC - I'm going to test it.
CC: (none) => shlomif
References for security issues fixed in 45.2: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2818 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2819 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2821 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2822 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2828 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2831 https://www.mozilla.org/en-US/security/advisories/mfsa2016-49/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-50/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-51/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-52/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-56/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-58/ https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
FYI, nss 3.24 will be added to this once it has been pushed in Cauldron.
On my Acer laptop (real hardware; Mageia 5 x86-64) the new Firefox updates fine using urpmi and runs fine - tested on http://fc-solve.shlomifish.org/ ; http://www.shlomifish.org/Files/files/music/mp3-ogg/ ; YouTube ; installed the ChatZilla addon, used it, and removed it . Used an HTML 5 demo from http://www.hongkiat.com/blog/48-excellent-html5-demos/ - everything seems fine.
I restored Firefox 38.8 to simulate what most users would experience. Updated Firefox and the en-US language package, and everything installed cleanly. Basic functions on Facebook, weather.com, eBay, Zap2it, and here seem fine. One minor niggle: all "remember me" log-ins had to be restored. Bugzilla, Facebook, eBay, Zap2it's local TV schedule. Fortunately, usernames and passwords that I had asked Firefox to remember were retained. I realize that it's not a good security practice to leave sites like these, even Bugzilla, without logging out, but I suspect almost everybody does it with at least some sites, and people will be annoyed at needing to log in again, especially if they didn't save usernames/passwords.
CC: (none) => andrewsfarm
(In reply to Thomas Andrews from comment #5) > I restored Firefox 38.8 to simulate what most users would experience. > Updated Firefox and the en-US language package, and everything installed > cleanly. > > Basic functions on Facebook, weather.com, eBay, Zap2it, and here seem fine. > One minor niggle: all "remember me" log-ins had to be restored. Bugzilla, > Facebook, eBay, Zap2it's local TV schedule. Fortunately, usernames and > passwords that I had asked Firefox to remember were retained. I realize that > it's not a good security practice to leave sites like these, even Bugzilla, > without logging out, but I suspect almost everybody does it with at least > some sites, and people will be annoyed at needing to log in again, > especially if they didn't save usernames/passwords. Forgot to mention this was 64-bit. Sigh. Ever wish you could edit your own previously-posted comment?
On mga5-32 # urpmi firefox A requested package cannot be installed: firefox-45.2.0-1.mga5.i586 (due to unsatisfied libpng16.so.16(PNG16_0)) $ locate libpng16.so.16 /usr/lib/libpng16.so.16 /usr/lib/libpng16.so.16.20.0 Is this a packaging error, or should I be looking at my system for the explanation?
CC: (none) => jim
(In reply to Thomas Andrews from comment #5) > I restored Firefox 38.8 to simulate what most users would experience. > Updated Firefox and the en-US language package, and everything installed > cleanly. > > Basic functions on Facebook, weather.com, eBay, Zap2it, and here seem fine. > One minor niggle: all "remember me" log-ins had to be restored. Bugzilla, > Facebook, eBay, Zap2it's local TV schedule. Fortunately, usernames and > passwords that I had asked Firefox to remember were retained. I realize that > it's not a good security practice to leave sites like these, even Bugzilla, > without logging out, but I suspect almost everybody does it with at least > some sites, and people will be annoyed at needing to log in again, > especially if they didn't save usernames/passwords. Firefox did not log me out from my web sites' accounts after the update, so the problem may be limited to your system.
(In reply to James Kerr from comment #7) > On mga5-32 > > # urpmi firefox > A requested package cannot be installed: > firefox-45.2.0-1.mga5.i586 (due to unsatisfied libpng16.so.16(PNG16_0)) > > $ locate libpng16.so.16 > /usr/lib/libpng16.so.16 > /usr/lib/libpng16.so.16.20.0 > > > Is this a packaging error, or should I be looking at my system for the > explanation? Installing firefox-45.2.0 using urpmi worked fine for me on my i586 mgav5 VM. One thing you can try is disabling the "Updates Testing" repos, running "urpmi.update -a" and "urpmi --auto --auto-select" and then reenabling Testing and installing firefox again. What is your mirror? mirror.isoc.org.il is fine here.
(In reply to James Kerr from comment #7) > On mga5-32 > > # urpmi firefox > A requested package cannot be installed: > firefox-45.2.0-1.mga5.i586 (due to unsatisfied libpng16.so.16(PNG16_0)) > > $ locate libpng16.so.16 > /usr/lib/libpng16.so.16 > /usr/lib/libpng16.so.16.20.0 > > > Is this a packaging error, or should I be looking at my system for the > explanation? If your system was fully up to date, this won't happen. It's looking for the libpng update that was shipped with the chromium update yesterday.
Yes. My bad. I had forgotten to execute "urpmi --auto-update" before enabling the testing repo.
(In reply to Shlomi Fish from comment #8) > > Firefox did not log me out from my web sites' accounts after the update, so > the problem may be limited to your system. Could be. I've had several versions of Firefox the last month or so, including Mozilla's FF46. It easily could have altered my local preferences. It's done that before.
Testing on mga5-32 (after applying updates) Packages installed cleanly: firefox-en_GB-45.2.0-1.mga5 firefox-45.2.0-1.mga5 No regressions noted. OK for mga5-32
nss 3.24 pushed to the build system. Please also test Firefox with the updated nss packages.
RedHat has issued an advisory for this today (June 8): https://rhn.redhat.com/errata/RHSA-2016-1217.html Advisory: ================ Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2828, CVE-2016-2831). This update provides the next stable branch of Firefox, version 45.2.0. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2818 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2819 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2821 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2822 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2828 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2831 https://www.mozilla.org/en-US/security/advisories/mfsa2016-49/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-50/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-51/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-52/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-56/ https://www.mozilla.org/en-US/security/advisories/mfsa2016-58/ https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ https://www.mozilla.org/en-US/firefox/45.2.0/releasenotes/ https://rhn.redhat.com/errata/RHSA-2016-1217.html ================ Updated packages in core/updates_testing: ================ nss-3.24.0-1.mga5 nss-doc-3.24.0-1.mga5 libnss3-3.24.0-1.mga5 libnss-devel-3.24.0-1.mga5 libnss-static-devel-3.24.0-1.mga5 firefox-45.2.0-1.mga5 firefox-af-45.2.0-1.mga5 firefox-an-45.2.0-1.mga5 firefox-ar-45.2.0-1.mga5 firefox-as-45.2.0-1.mga5 firefox-ast-45.2.0-1.mga5 firefox-az-45.2.0-1.mga5 firefox-be-45.2.0-1.mga5 firefox-bg-45.2.0-1.mga5 firefox-bn_BD-45.2.0-1.mga5 firefox-bn_IN-45.2.0-1.mga5 firefox-br-45.2.0-1.mga5 firefox-bs-45.2.0-1.mga5 firefox-ca-45.2.0-1.mga5 firefox-cs-45.2.0-1.mga5 firefox-cy-45.2.0-1.mga5 firefox-da-45.2.0-1.mga5 firefox-de-45.2.0-1.mga5 firefox-devel-45.2.0-2.mga5 firefox-el-45.2.0-1.mga5 firefox-en_GB-45.2.0-1.mga5 firefox-en_US-45.2.0-1.mga5 firefox-en_ZA-45.2.0-1.mga5 firefox-eo-45.2.0-1.mga5 firefox-es_AR-45.2.0-1.mga5 firefox-es_CL-45.2.0-1.mga5 firefox-es_ES-45.2.0-1.mga5 firefox-es_MX-45.2.0-1.mga5 firefox-et-45.2.0-1.mga5 firefox-eu-45.2.0-1.mga5 firefox-fa-45.2.0-1.mga5 firefox-ff-45.2.0-1.mga5 firefox-fi-45.2.0-1.mga5 firefox-fr-45.2.0-1.mga5 firefox-fy_NL-45.2.0-1.mga5 firefox-ga_IE-45.2.0-1.mga5 firefox-gd-45.2.0-1.mga5 firefox-gl-45.2.0-1.mga5 firefox-gu_IN-45.2.0-1.mga5 firefox-he-45.2.0-1.mga5 firefox-hi_IN-45.2.0-1.mga5 firefox-hr-45.2.0-1.mga5 firefox-hsb-45.2.0-1.mga5 firefox-hu-45.2.0-1.mga5 firefox-hy_AM-45.2.0-1.mga5 firefox-id-45.2.0-1.mga5 firefox-is-45.2.0-1.mga5 firefox-it-45.2.0-1.mga5 firefox-ja-45.2.0-1.mga5 firefox-kk-45.2.0-1.mga5 firefox-km-45.2.0-1.mga5 firefox-kn-45.2.0-1.mga5 firefox-ko-45.2.0-1.mga5 firefox-lij-45.2.0-1.mga5 firefox-lt-45.2.0-1.mga5 firefox-lv-45.2.0-1.mga5 firefox-mai-45.2.0-1.mga5 firefox-mk-45.2.0-1.mga5 firefox-ml-45.2.0-1.mga5 firefox-mr-45.2.0-1.mga5 firefox-ms-45.2.0-1.mga5 firefox-nb_NO-45.2.0-1.mga5 firefox-nl-45.2.0-1.mga5 firefox-nn_NO-45.2.0-1.mga5 firefox-or-45.2.0-1.mga5 firefox-pa_IN-45.2.0-1.mga5 firefox-pl-45.2.0-1.mga5 firefox-pt_BR-45.2.0-1.mga5 firefox-pt_PT-45.2.0-1.mga5 firefox-ro-45.2.0-1.mga5 firefox-ru-45.2.0-1.mga5 firefox-si-45.2.0-1.mga5 firefox-sk-45.2.0-1.mga5 firefox-sl-45.2.0-1.mga5 firefox-sq-45.2.0-1.mga5 firefox-sr-45.2.0-1.mga5 firefox-sv_SE-45.2.0-1.mga5 firefox-ta-45.2.0-1.mga5 firefox-te-45.2.0-1.mga5 firefox-th-45.2.0-1.mga5 firefox-tr-45.2.0-1.mga5 firefox-uk-45.2.0-1.mga5 firefox-uz-45.2.0-1.mga5 firefox-vi-45.2.0-1.mga5 firefox-xh-45.2.0-1.mga5 firefox-zh_CN-45.2.0-1.mga5 firefox-zh_TW-45.2.0-1.mga5 from SRPMS: nss-3.24.0-1.mga5.src.rpm firefox-45.2.0-1.mga5.src.rpm firefox-l10n-45.2.0-1.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/690400/
Tested mga5-64 with general browsing, jetstream for javascript, javatester for java plugin, youtube video (currently as html5), flash game for flash, acid3. all OK
CC: (none) => wrw105Whiteboard: (none) => has_procedure mga5-64-ok
32-bit working OK here.
Tested mga5-32 in VM as above. All seems OK. Validating. Ready for push when advisory uploaded to SVN.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-okCC: (none) => sysadmin-bugs
Depends on: (none) => 18648
Hi, ff 45.2.0 in Mga5 is also affected by bug 18648. Maybe we should wait a bit before pushing the update? Best regards, Nico.
CC: (none) => nicolas.salguero
Removing the blocker as it's apparently an old issue and has a known workaround.
Depends on: 18648 => (none)
Advisory uploaded.
Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure advisory mga5-64-ok mga5-32-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0220.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
Blocks: (none) => 18264