Firefox 45.7.0 has been released today (January 24):
https://www.mozilla.org/en-US/firefox/45.7.0/releasenotes/

It fixes one set of security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

While NSS 3.28.1 is available, we will not be updating it at this time as it causes regressions and incompatibilities.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Updated packages in core/updates_testing:
================
firefox-45.7.0-1.mga5
firefox-af-45.7.0-1.mga5
firefox-an-45.7.0-1.mga5
firefox-ar-45.7.0-1.mga5
firefox-as-45.7.0-1.mga5
firefox-ast-45.7.0-1.mga5
firefox-az-45.7.0-1.mga5
firefox-be-45.7.0-1.mga5
firefox-bg-45.7.0-1.mga5
firefox-bn_BD-45.7.0-1.mga5
firefox-bn_IN-45.7.0-1.mga5
firefox-br-45.7.0-1.mga5
firefox-bs-45.7.0-1.mga5
firefox-ca-45.7.0-1.mga5
firefox-cs-45.7.0-1.mga5
firefox-cy-45.7.0-1.mga5
firefox-da-45.7.0-1.mga5
firefox-de-45.7.0-1.mga5
firefox-devel-45.7.0-1.mga5
firefox-el-45.7.0-1.mga5
firefox-en_GB-45.7.0-1.mga5
firefox-en_US-45.7.0-1.mga5
firefox-en_ZA-45.7.0-1.mga5
firefox-eo-45.7.0-1.mga5
firefox-es_AR-45.7.0-1.mga5
firefox-es_CL-45.7.0-1.mga5
firefox-es_ES-45.7.0-1.mga5
firefox-es_MX-45.7.0-1.mga5
firefox-et-45.7.0-1.mga5
firefox-eu-45.7.0-1.mga5
firefox-fa-45.7.0-1.mga5
firefox-ff-45.7.0-1.mga5
firefox-fi-45.7.0-1.mga5
firefox-fr-45.7.0-1.mga5
firefox-fy_NL-45.7.0-1.mga5
firefox-ga_IE-45.7.0-1.mga5
firefox-gd-45.7.0-1.mga5
firefox-gl-45.7.0-1.mga5
firefox-gu_IN-45.7.0-1.mga5
firefox-he-45.7.0-1.mga5
firefox-hi_IN-45.7.0-1.mga5
firefox-hr-45.7.0-1.mga5
firefox-hsb-45.7.0-1.mga5
firefox-hu-45.7.0-1.mga5
firefox-hy_AM-45.7.0-1.mga5
firefox-id-45.7.0-1.mga5
firefox-is-45.7.0-1.mga5
firefox-it-45.7.0-1.mga5
firefox-ja-45.7.0-1.mga5
firefox-kk-45.7.0-1.mga5
firefox-km-45.7.0-1.mga5
firefox-kn-45.7.0-1.mga5
firefox-ko-45.7.0-1.mga5
firefox-lij-45.7.0-1.mga5
firefox-lt-45.7.0-1.mga5
firefox-lv-45.7.0-1.mga5
firefox-mai-45.7.0-1.mga5
firefox-mk-45.7.0-1.mga5
firefox-ml-45.7.0-1.mga5
firefox-mr-45.7.0-1.mga5
firefox-ms-45.7.0-1.mga5
firefox-nb_NO-45.7.0-1.mga5
firefox-nl-45.7.0-1.mga5
firefox-nn_NO-45.7.0-1.mga5
firefox-or-45.7.0-1.mga5
firefox-pa_IN-45.7.0-1.mga5
firefox-pl-45.7.0-1.mga5
firefox-pt_BR-45.7.0-1.mga5
firefox-pt_PT-45.7.0-1.mga5
firefox-ro-45.7.0-1.mga5
firefox-ru-45.7.0-1.mga5
firefox-si-45.7.0-1.mga5
firefox-sk-45.7.0-1.mga5
firefox-sl-45.7.0-1.mga5
firefox-sq-45.7.0-1.mga5
firefox-sr-45.7.0-1.mga5
firefox-sv_SE-45.7.0-1.mga5
firefox-ta-45.7.0-1.mga5
firefox-te-45.7.0-1.mga5
firefox-th-45.7.0-1.mga5
firefox-tr-45.7.0-1.mga5
firefox-uk-45.7.0-1.mga5
firefox-uz-45.7.0-1.mga5
firefox-vi-45.7.0-1.mga5
firefox-xh-45.7.0-1.mga5
firefox-zh_CN-45.7.0-1.mga5
firefox-zh_TW-45.7.0-1.mga5

from SRPMS:
firefox-45.7.0-1.mga5.src.rpm
firefox-l10n-45.7.0-1.mga5.src.rpm
Tested mga5-64 Plugins: Java & flash (Twisted little flash game) Jetstream for javascript, acid 3 for general use, youtube for html5 video, and general browsing, all OK
CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga5-64-ok
RedHat has issued an advisory for this today (January 25):
https://rhn.redhat.com/errata/RHSA-2017-0190.html

Advisory:
================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2017-0190.html
On mga5-32

Packages installed:
$ rpm -qa | grep firefox
firefox-en_GB-45.7.0-1.mga5
firefox-45.7.0-1.mga5

Packages installed cleanly.
Java, flash, html5 all OK
No regressions noted.

OK for mga5-32
CC: (none) => jim
On mga5-64

Packages installed:
- firefox-45.7.0-1.mga5.x86_64
- firefox-en_GB-45.7.0-1.mga5.noarch

Packages installed cleanly.
Java, flash, html5 all OK
No regressions noted.

OK for mga5-64
James, thanks for testing. Please post the OKs to the whiteboard when you do.
URL: (none) => https://lwn.net/Vulnerabilities/712491/
Whiteboard: has_procedure mga5-64-ok => has_procedure MGA5-32-OK MGA5-64-OK
I thought that we usually wanted more than one test on each arch for important applications like Firefox. I must have mis-remembered.
(In reply to James Kerr from comment #6)
> I thought that we usually wanted more than one test on each arch for
> important applications like Firefox. I must have mis-remembered.

On the contrary, highly critical ones that are usually trivial to test, that we need to get out in a timely manner, you need to not be afraid to OK and validate. The ones where we want multiple testers mostly tend to be highly hardware-dependent ones like the kernel or some drivers, or where many different configurations need to be tested and have been volatile in the past like virtualbox.
Validated. Advisory from comments 0 & 2.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0023.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED