Bug 19945 - firefox new security issues fixed in 45.6
Summary: firefox new security issues fixed in 45.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709140/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-14 15:41 CET by youpburden
Modified: 2016-12-15 21:34 CET

See Also:
Source RPM: firefox-45.5.1-1.mga5.src.rpm
CVE:
Status comment:



Description youpburden 2016-12-14 15:41:03 CET
Upstream has released version 45.6 ESR for Firefox on December 13:

https://www.mozilla.org/en-US/firefox/45.6.0/releasenotes/


This fixes these CVEs:

CVE-2016-9899 - Critical
CVE-2016-9895 - High
CVE-2016-9897 - High
CVE-2016-9898 - High
CVE-2016-9900 - High
CVE-2016-9904 - High
CVE-2016-9905 - High
CVE-2016-9901 - Moderate
CVE-2016-9902 - Moderate
CVE-2016-9893 - Critical

Mageia 5 and Cauldron are vulnerable.

Given the number of critical and high vulnerabilities, it would be great to update.

Comment 1 David Walser 2016-12-14 17:29:09 CET
Thanks for the report.  Update in progress.

CC: (none) => luigiwalser
Summary: firefox esr new security issues fixed in 45.6 => firefox new security issues fixed in 45.6
Severity: major => critical

Comment 2 David Walser 2016-12-14 17:33:27 CET
Red Hat has issued an advisory for this today (December 14):
https://rhn.redhat.com/errata/RHSA-2016-2946.html

Advisory for the pending update will be as follows.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2016-9893, CVE-2016-9899, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9904, CVE-2016-9905).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9905
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2016-2946.html
========================

Updated packages in core/updates_testing:
================
firefox-45.6.0-1.mga5
firefox-af-45.6.0-1.mga5
firefox-an-45.6.0-1.mga5
firefox-ar-45.6.0-1.mga5
firefox-as-45.6.0-1.mga5
firefox-ast-45.6.0-1.mga5
firefox-az-45.6.0-1.mga5
firefox-be-45.6.0-1.mga5
firefox-bg-45.6.0-1.mga5
firefox-bn_BD-45.6.0-1.mga5
firefox-bn_IN-45.6.0-1.mga5
firefox-br-45.6.0-1.mga5
firefox-bs-45.6.0-1.mga5
firefox-ca-45.6.0-1.mga5
firefox-cs-45.6.0-1.mga5
firefox-cy-45.6.0-1.mga5
firefox-da-45.6.0-1.mga5
firefox-de-45.6.0-1.mga5
firefox-devel-45.6.0-1.mga5
firefox-el-45.6.0-1.mga5
firefox-en_GB-45.6.0-1.mga5
firefox-en_US-45.6.0-1.mga5
firefox-en_ZA-45.6.0-1.mga5
firefox-eo-45.6.0-1.mga5
firefox-es_AR-45.6.0-1.mga5
firefox-es_CL-45.6.0-1.mga5
firefox-es_ES-45.6.0-1.mga5
firefox-es_MX-45.6.0-1.mga5
firefox-et-45.6.0-1.mga5
firefox-eu-45.6.0-1.mga5
firefox-fa-45.6.0-1.mga5
firefox-ff-45.6.0-1.mga5
firefox-fi-45.6.0-1.mga5
firefox-fr-45.6.0-1.mga5
firefox-fy_NL-45.6.0-1.mga5
firefox-ga_IE-45.6.0-1.mga5
firefox-gd-45.6.0-1.mga5
firefox-gl-45.6.0-1.mga5
firefox-gu_IN-45.6.0-1.mga5
firefox-he-45.6.0-1.mga5
firefox-hi_IN-45.6.0-1.mga5
firefox-hr-45.6.0-1.mga5
firefox-hsb-45.6.0-1.mga5
firefox-hu-45.6.0-1.mga5
firefox-hy_AM-45.6.0-1.mga5
firefox-id-45.6.0-1.mga5
firefox-is-45.6.0-1.mga5
firefox-it-45.6.0-1.mga5
firefox-ja-45.6.0-1.mga5
firefox-kk-45.6.0-1.mga5
firefox-km-45.6.0-1.mga5
firefox-kn-45.6.0-1.mga5
firefox-ko-45.6.0-1.mga5
firefox-lij-45.6.0-1.mga5
firefox-lt-45.6.0-1.mga5
firefox-lv-45.6.0-1.mga5
firefox-mai-45.6.0-1.mga5
firefox-mk-45.6.0-1.mga5
firefox-ml-45.6.0-1.mga5
firefox-mr-45.6.0-1.mga5
firefox-ms-45.6.0-1.mga5
firefox-nb_NO-45.6.0-1.mga5
firefox-nl-45.6.0-1.mga5
firefox-nn_NO-45.6.0-1.mga5
firefox-or-45.6.0-1.mga5
firefox-pa_IN-45.6.0-1.mga5
firefox-pl-45.6.0-1.mga5
firefox-pt_BR-45.6.0-1.mga5
firefox-pt_PT-45.6.0-1.mga5
firefox-ro-45.6.0-1.mga5
firefox-ru-45.6.0-1.mga5
firefox-si-45.6.0-1.mga5
firefox-sk-45.6.0-1.mga5
firefox-sl-45.6.0-1.mga5
firefox-sq-45.6.0-1.mga5
firefox-sr-45.6.0-1.mga5
firefox-sv_SE-45.6.0-1.mga5
firefox-ta-45.6.0-1.mga5
firefox-te-45.6.0-1.mga5
firefox-th-45.6.0-1.mga5
firefox-tr-45.6.0-1.mga5
firefox-uk-45.6.0-1.mga5
firefox-uz-45.6.0-1.mga5
firefox-vi-45.6.0-1.mga5
firefox-xh-45.6.0-1.mga5
firefox-zh_CN-45.6.0-1.mga5
firefox-zh_TW-45.6.0-1.mga5

from SRPMS:
firefox-45.6.0-1.mga5.src.rpm
firefox-l10n-45.6.0-1.mga5.src.rpm

David Walser 2016-12-14 18:17:18 CET

URL: (none) => https://lwn.net/Vulnerabilities/709140/

Comment 3 David Walser 2016-12-14 18:53:06 CET
Builds are in progress.  Packages should be available by the end of the day.

Advisory and package list in Comment 2.

Assignee: bugsquad => qa-bugs

Comment 4 youpburden 2016-12-15 08:44:34 CET
MGA5-64 & MGA5-32 real hardware and virtualbox machines.

Packages installed:

32 bit:
firefox-45.5.1-1.mga5.i586.rpm
firefox-fr-45.5.1-1.mga5

64 bit:
firefox-45.5.1-1.mga5.x86_64.rpm
firefox-fr-45.5.1-1.mga5

Both arches are working fine; here's my procedure:


Launch the application
Try some menus and modify options (home page, bookmarks ...)
Play some video from a website
Do an HTML5 and performance test to check if there is a regression.
Install some extensions (adblock, noscript ...)
Sync my previous tabs, preferences, bookmarks ... with an online account (Firefox Sync)


Packages updated:

32 bit:
firefox-45.6.0-1.mga5.i586.rpm
firefox-fr-45.6.0-1.mga5

64 bit:
firefox-45.6.0-1.mga5.x86_64.rpm
firefox-fr-45.6.0-1.mga5

Everything is working fine; the performance and HTML5 tests are successful and give good results.

It's ok for me on 32 & 64 bits.

rpm -qa | grep firefox

firefox-45.6.0-1.mga5
firefox-fr-45.6.0-1.mga5
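
The version check that closes Comment 4, extended into a script. This is an added example, not part of the original comment or of Mageia's tooling. It reads rpm -qa style lines on stdin and lists every firefox package still older than the fixed 45.6.0-1.mga5 from Comment 2. The function names, the constructed sample lines, and the use of GNU sort -V as a stand-in for rpm's own version comparison are assumptions.

```shell
#!/bin/sh
# Fixed version-release, taken from the package list in Comment 2.
FIXED_VR="45.6.0-1.mga5"

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` approximates rpm's comparison well enough for
# plain dotted versions like these (it does not handle epochs or tildes).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_firefox: reads name-version-release lines (optionally with an
# architecture suffix) and prints the firefox packages older than FIXED_VR.
outdated_firefox() {
    while IFS= read -r line; do
        pkg=${line%.i586}; pkg=${pkg%.x86_64}; pkg=${pkg%.noarch}
        release=${pkg##*-}      # text after the last '-'
        rest=${pkg%-*}
        version=${rest##*-}     # text between the last two '-'
        name=${rest%-*}
        case "$name" in
            firefox|firefox-*) ;;   # main package, devel and language packs
            *) continue ;;
        esac
        if ver_lt "$version-$release" "$FIXED_VR"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample input (not taken from a real machine): a half-updated
# system where one language pack was upgraded and the rest were not.
sample_rpm_qa() {
    cat <<'EOF'
firefox-45.5.1-1.mga5
firefox-fr-45.6.0-1.mga5
example-tool-1.0-1.mga5
firefox-de-45.5.1-1.mga5.noarch
EOF
}

# Demo run on the sample; on a real system use: rpm -qa | outdated_firefox
sample_rpm_qa | outdated_firefox
```

Empty output means every installed firefox package is at or above the fixed version; any line printed is a package that still needs the update.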

youpburden 2016-12-15 18:31:17 CET

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Rémi Verschelde 2016-12-15 19:35:51 CET

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 5 Mageia Robot 2016-12-15 21:34:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0420.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

