Firefox 45.5.0 is out. It should be announced today: https://www.mozilla.org/en-US/firefox/45.5.0/releasenotes/

There is also an nspr/rootcerts/nss update with this, which will hopefully fix issues some users have had with non-browser apps that use the ca-bundle.crt certificates file. Advisory to come later.

Update is currently building; the package list will be the following.

Updated packages in core/updates_testing:
================
libnspr4-4.13.1-1.mga5
libnspr-devel-4.13.1-1.mga5
rootcerts-20160922.00-1.mga5
rootcerts-java-20160922.00-1.mga5
nss-3.27.1-1.mga5
nss-doc-3.27.1-1.mga5
libnss3-3.27.1-1.mga5
libnss-devel-3.27.1-1.mga5
libnss-static-devel-3.27.1-1.mga5
firefox-45.5.0-1.mga5
firefox-af-45.5.0-1.mga5
firefox-an-45.5.0-1.mga5
firefox-ar-45.5.0-1.mga5
firefox-as-45.5.0-1.mga5
firefox-ast-45.5.0-1.mga5
firefox-az-45.5.0-1.mga5
firefox-be-45.5.0-1.mga5
firefox-bg-45.5.0-1.mga5
firefox-bn_BD-45.5.0-1.mga5
firefox-bn_IN-45.5.0-1.mga5
firefox-br-45.5.0-1.mga5
firefox-bs-45.5.0-1.mga5
firefox-ca-45.5.0-1.mga5
firefox-cs-45.5.0-1.mga5
firefox-cy-45.5.0-1.mga5
firefox-da-45.5.0-1.mga5
firefox-de-45.5.0-1.mga5
firefox-devel-45.5.0-1.mga5
firefox-el-45.5.0-1.mga5
firefox-en_GB-45.5.0-1.mga5
firefox-en_US-45.5.0-1.mga5
firefox-en_ZA-45.5.0-1.mga5
firefox-eo-45.5.0-1.mga5
firefox-es_AR-45.5.0-1.mga5
firefox-es_CL-45.5.0-1.mga5
firefox-es_ES-45.5.0-1.mga5
firefox-es_MX-45.5.0-1.mga5
firefox-et-45.5.0-1.mga5
firefox-eu-45.5.0-1.mga5
firefox-fa-45.5.0-1.mga5
firefox-ff-45.5.0-1.mga5
firefox-fi-45.5.0-1.mga5
firefox-fr-45.5.0-1.mga5
firefox-fy_NL-45.5.0-1.mga5
firefox-ga_IE-45.5.0-1.mga5
firefox-gd-45.5.0-1.mga5
firefox-gl-45.5.0-1.mga5
firefox-gu_IN-45.5.0-1.mga5
firefox-he-45.5.0-1.mga5
firefox-hi_IN-45.5.0-1.mga5
firefox-hr-45.5.0-1.mga5
firefox-hsb-45.5.0-1.mga5
firefox-hu-45.5.0-1.mga5
firefox-hy_AM-45.5.0-1.mga5
firefox-id-45.5.0-1.mga5
firefox-is-45.5.0-1.mga5
firefox-it-45.5.0-1.mga5
firefox-ja-45.5.0-1.mga5
firefox-kk-45.5.0-1.mga5
firefox-km-45.5.0-1.mga5
firefox-kn-45.5.0-1.mga5
firefox-ko-45.5.0-1.mga5
firefox-lij-45.5.0-1.mga5
firefox-lt-45.5.0-1.mga5
firefox-lv-45.5.0-1.mga5
firefox-mai-45.5.0-1.mga5
firefox-mk-45.5.0-1.mga5
firefox-ml-45.5.0-1.mga5
firefox-mr-45.5.0-1.mga5
firefox-ms-45.5.0-1.mga5
firefox-nb_NO-45.5.0-1.mga5
firefox-nl-45.5.0-1.mga5
firefox-nn_NO-45.5.0-1.mga5
firefox-or-45.5.0-1.mga5
firefox-pa_IN-45.5.0-1.mga5
firefox-pl-45.5.0-1.mga5
firefox-pt_BR-45.5.0-1.mga5
firefox-pt_PT-45.5.0-1.mga5
firefox-ro-45.5.0-1.mga5
firefox-ru-45.5.0-1.mga5
firefox-si-45.5.0-1.mga5
firefox-sk-45.5.0-1.mga5
firefox-sl-45.5.0-1.mga5
firefox-sq-45.5.0-1.mga5
firefox-sr-45.5.0-1.mga5
firefox-sv_SE-45.5.0-1.mga5
firefox-ta-45.5.0-1.mga5
firefox-te-45.5.0-1.mga5
firefox-th-45.5.0-1.mga5
firefox-tr-45.5.0-1.mga5
firefox-uk-45.5.0-1.mga5
firefox-uz-45.5.0-1.mga5
firefox-vi-45.5.0-1.mga5
firefox-xh-45.5.0-1.mga5
firefox-zh_CN-45.5.0-1.mga5
firefox-zh_TW-45.5.0-1.mga5

from SRPMS:
nspr-4.13.1-1.mga5.src.rpm
rootcerts-20160922.00-1.mga5.src.rpm
nss-3.27.1-1.mga5.src.rpm
firefox-45.5.0-1.mga5.src.rpm
firefox-l10n-45.5.0-1.mga5.src.rpm
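The post above says the rootcerts update is meant to help non-browser apps that read the ca-bundle.crt file. A quick way to check what such apps actually get is to walk the bundle, confirm each PEM block decodes to a well-formed DER SEQUENCE, and fingerprint the entries so two rootcerts versions can be diffed. The script below is an added example, not part of this bug report or of the rootcerts package; the bundle path is assumed to be /etc/pki/tls/certs/ca-bundle.crt, and the sample bundle embedded in it is constructed (the blocks are minimal DER stubs, not real CA certificates) so it runs offline.

```python
import base64
import hashlib
import re

# Assumed location of the bundle shipped by the rootcerts package on Mageia 5.
BUNDLE_PATH = "/etc/pki/tls/certs/ca-bundle.crt"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_outer_length(der: bytes):
    """Return the total length a top-level DER SEQUENCE claims, or None if malformed.

    A certificate is a SEQUENCE (tag 0x30); the length is either a single byte
    below 0x80 or a long form (0x80 | n) followed by n length bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2 : 2 + n], "big")


def inspect_bundle(text: str):
    """Inspect every PEM certificate block in a bundle.

    Returns one dict per block: index, ok, reason (for failures) and the
    SHA-256 fingerprint of the DER bytes (for good blocks). Fingerprints are
    what you diff between two rootcerts versions to see which roots changed.
    """
    results = []
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        b64 = re.sub(r"\s+", "", m.group(1))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as e:  # binascii.Error is a ValueError
            results.append({"index": i, "ok": False, "reason": f"bad base64: {e}", "sha256": None})
            continue
        if der_outer_length(der) != len(der):
            results.append({"index": i, "ok": False, "reason": "not a well-formed DER SEQUENCE", "sha256": None})
            continue
        results.append({"index": i, "ok": True, "reason": None, "sha256": hashlib.sha256(der).hexdigest()})
    return results


def summarize(results):
    """Return (good, bad) counts for a list produced by inspect_bundle()."""
    good = sum(1 for r in results if r["ok"])
    return good, len(results) - good


# Constructed sample bundle: one valid minimal SEQUENCE (30 03 02 01 05),
# one DER blob that is not a SEQUENCE (04 00), and one block of invalid base64.
SAMPLE_BUNDLE = """# constructed sample, not real CA certificates
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BAA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not base64!!
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import os
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else BUNDLE_PATH
    text = open(path).read() if os.path.exists(path) else SAMPLE_BUNDLE
    for r in inspect_bundle(text):
        print(r["index"], "OK  " + r["sha256"] if r["ok"] else "BAD " + r["reason"])
    print("good/bad:", summarize(inspect_bundle(text)))
```

Run it against the real bundle on a test box before and after installing rootcerts-20160922.00 and compare the fingerprint lists; any block reported BAD is something a non-browser TLS client may choke on even though Firefox, which uses the NSS builtin store, is unaffected.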
FYI it's built and upstream release notes are posted.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5257
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5280
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5284
https://www.mozilla.org/en-US/security/advisories/mfsa2016-86/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
lib64nspr4-4.13.1-1.mga5
lib64nspr-devel-4.13.1-1.mga5
rootcerts-20160922.00-1.mga5
rootcerts-java-20160922.00-1.mga5
nss-3.27.1-1.mga5
nss-doc-3.27.1-1.mga5
lib64nss3-3.27.1-1.mga5
lib64nss-devel-3.27.1-1.mga5
lib64nss-static-devel-3.27.1-1.mga5

noarch packages:
firefox-en_GB-45.5.0-1.mga5
firefox-uk-45.5.0-1.mga5
firefox-en_ZA-45.5.0-1.mga5
firefox-45.5.0-1.mga5

Installed and running on x86_64.
CC: (none) => tarazed25
Red Hat has issued an advisory for this today (November 16): https://rhn.redhat.com/errata/RHSA-2016-2780.html

The references in Comment 1 were wrong; they should be:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
I believe the nss update also fixed CVE-2016-9074 from the MFSA referenced above.
Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290).

A flaw was found in the way the add-on update process was handled by Firefox. A man-in-the-middle attacker could use this flaw to install a malicious signed add-on update (CVE-2016-9064).

An existing mitigation of timing side-channel attacks in NSS before 3.26.1 is insufficient in some circumstances (CVE-2016-9074).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074
https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-2780.html
Working fine on my x86_64 workstation at work and my i586 laptop. I even managed to get Pidgin working on my laptop again, though the rootcerts don't appear to have been the real issue. I had to copy the certs in ~/.purple/certificates/x509/tls_peers/ from a computer where it was working (which fixed AIM) and set the Connect server to talk.google.com for my Google Talk account.
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
URL: (none) => http://lwn.net/Vulnerabilities/706580/
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Can you fix the firefox-l10n version in the advisory? Thanks.
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0379.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-9074: http://lwn.net/Vulnerabilities/706734/