Bug 20419 - Firefox 45.8
Summary: Firefox 45.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks: 20053 20420
Reported: 2017-03-08 12:14 CET by David Walser
Modified: 2017-03-23 22:22 CET (History)
10 users

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE:
Status comment:


Attachments
Crash backtrace (7.29 KB, text/plain)
2017-03-20 12:10 CET, Nikita Krupenko

Description David Walser 2017-03-08 12:14:36 CET
RedHat has issued an advisory today (March 8):
https://rhn.redhat.com/errata/RHSA-2017-0461.html

They have also updated nss:
https://rhn.redhat.com/errata/RHEA-2017-0460.html

We'll have a rootcerts update to go with that as well.

Currently this is stuck because nss failed to build:
https://bugs.mageia.org/show_bug.cgi?id=20053
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20170307221222.akien.duvel.43725/log/nss-3.28.3-2.mga6/build.0.20170307221302.log

All of the updates are in SVN except for nss in Mageia 5.
Comment 1 Marja Van Waes 2017-03-09 16:49:51 CET
(In reply to David Walser from comment #0)
> RedHat has issued an advisory today (March 8):
> https://rhn.redhat.com/errata/RHSA-2017-0461.html
> 
> They have also updated nss:
> https://rhn.redhat.com/errata/RHEA-2017-0460.html
> 
> We'll have a rootcerts update to go with that as well.
> 
> Currently this is stuck because nss failed to build:
> https://bugs.mageia.org/show_bug.cgi?id=20053
> http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/
> 20170307221222.akien.duvel.43725/log/nss-3.28.3-2.mga6/build.0.
> 20170307221302.log
> 
> All of the updates are in SVN except for nss in Mageia 5.

Assigning to all packagers collectively, since there is no registered maintainer for those packages.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2017-03-09 19:49:30 CET
David, I just submitted the update for 5/rootcerts which looks like it built ok - but is just sitting in updates/testing now. It is basically the same update we did for cauldron.

Same question for 5/sqlite3. An update for 5 was needed to build the new nss so I made it to 3.17.0 which will be needed for firefox 52.

I have the nss-3.28.3 update ready (which itself should be a good test for whether rootcerts works right) but I can't push it until both rootcerts and sqlite3 are there.

Please advise - Is the correct procedure to open a bug and run these through QA like usual?

CC: (none) => mrambo

Comment 3 Rémi Verschelde 2017-03-09 21:32:12 CET
When you push packages in core/updates_testing, they will build against packages of core/release, core/updates AND core/updates_testing. It means that you should push them all in turn to core/updates_testing, and get them all validated together as part of the Firefox update.
Comment 4 Mike Rambo 2017-03-17 14:41:07 CET
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated firefox package fixes multiple security issues:

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405).

Updated packages in core/updates_testing:
========================
firefox-45.8.0-1.mga5

from firefox-45.8.0-1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 5 José Jorge 2017-03-17 17:52:03 CET
Tested on MGA5 i586. All seems Ok, except that as rootcerts are updated, minitube fails again...

CC: (none) => lists.jjorge

David Walser 2017-03-17 22:25:25 CET

Blocks: (none) => 20053

Comment 6 David Walser 2017-03-17 22:40:11 CET
Advisory:
========================

Updated nss and firefox packages fix security issues:

Multiple flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2017-5398, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5404, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5405).

Also, the nss package has been updated to version 3.28.3, in which the Next
Protocol Negotiation (NPN) extension has been replaced by the Application-Layer
Protocol Negotiation (ALPN) extension and which now supports the Finite Field
Diffie-Hellman Ephemeral Parameters (FFDHE) negotiation.

Due to the nss update, the sqlite3 package has been updated to version 3.10.2.

Additionally, an error in the nss package has been corrected, where it was
failing to build against the system rootcerts package and instead was using a
bundled version, which could have caused the rootcerts that NSS used to be
outdated at times (mga#20053).  The nss package has now been built against
the latest rootcerts, which have also been updated.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410
https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
http://www.sqlite.org/releaselog/3_8_11_1.html
http://www.sqlite.org/releaselog/3_9_2.html
http://www.sqlite.org/releaselog/3_10_2.html
https://rhn.redhat.com/errata/RHSA-2017-0461.html
https://rhn.redhat.com/errata/RHEA-2017-0460.html
https://bugs.mageia.org/show_bug.cgi?id=20053
https://bugs.mageia.org/show_bug.cgi?id=20419
========================

Updated packages in core/updates_testing:
========================
rootcerts-20170209.00-1.mga5
rootcerts-java-20170209.00-1.mga5
lemon-3.10.2-1.mga5
libsqlite3_0-3.10.2-1.mga5
libsqlite3-devel-3.10.2-1.mga5
libsqlite3-static-devel-3.10.2-1.mga5
sqlite3-debuginfo-3.10.2-1.mga5
sqlite3-tcl-3.10.2-1.mga5
sqlite3-tools-3.10.2-1.mga5
nss-doc-3.28.3-1.mga5
libnss3-3.28.3-1.mga5
libnss-devel-3.28.3-1.mga5
libnss-static-devel-3.28.3-1.mga5
nss-3.28.3-1.mga5
nss-debuginfo-3.28.3-1.mga5
firefox-45.8.0-1.mga5
firefox-af-45.8.0-1.mga5
firefox-an-45.8.0-1.mga5
firefox-ar-45.8.0-1.mga5
firefox-as-45.8.0-1.mga5
firefox-ast-45.8.0-1.mga5
firefox-az-45.8.0-1.mga5
firefox-be-45.8.0-1.mga5
firefox-bg-45.8.0-1.mga5
firefox-bn_BD-45.8.0-1.mga5
firefox-bn_IN-45.8.0-1.mga5
firefox-br-45.8.0-1.mga5
firefox-bs-45.8.0-1.mga5
firefox-ca-45.8.0-1.mga5
firefox-cs-45.8.0-1.mga5
firefox-cy-45.8.0-1.mga5
firefox-da-45.8.0-1.mga5
firefox-de-45.8.0-1.mga5
firefox-devel-45.8.0-1.mga5
firefox-el-45.8.0-1.mga5
firefox-en_GB-45.8.0-1.mga5
firefox-en_US-45.8.0-1.mga5
firefox-en_ZA-45.8.0-1.mga5
firefox-eo-45.8.0-1.mga5
firefox-es_AR-45.8.0-1.mga5
firefox-es_CL-45.8.0-1.mga5
firefox-es_ES-45.8.0-1.mga5
firefox-es_MX-45.8.0-1.mga5
firefox-et-45.8.0-1.mga5
firefox-eu-45.8.0-1.mga5
firefox-fa-45.8.0-1.mga5
firefox-ff-45.8.0-1.mga5
firefox-fi-45.8.0-1.mga5
firefox-fr-45.8.0-1.mga5
firefox-fy_NL-45.8.0-1.mga5
firefox-ga_IE-45.8.0-1.mga5
firefox-gd-45.8.0-1.mga5
firefox-gl-45.8.0-1.mga5
firefox-gu_IN-45.8.0-1.mga5
firefox-he-45.8.0-1.mga5
firefox-hi_IN-45.8.0-1.mga5
firefox-hr-45.8.0-1.mga5
firefox-hsb-45.8.0-1.mga5
firefox-hu-45.8.0-1.mga5
firefox-hy_AM-45.8.0-1.mga5
firefox-id-45.8.0-1.mga5
firefox-is-45.8.0-1.mga5
firefox-it-45.8.0-1.mga5
firefox-ja-45.8.0-1.mga5
firefox-kk-45.8.0-1.mga5
firefox-km-45.8.0-1.mga5
firefox-kn-45.8.0-1.mga5
firefox-ko-45.8.0-1.mga5
firefox-lij-45.8.0-1.mga5
firefox-lt-45.8.0-1.mga5
firefox-lv-45.8.0-1.mga5
firefox-mai-45.8.0-1.mga5
firefox-mk-45.8.0-1.mga5
firefox-ml-45.8.0-1.mga5
firefox-mr-45.8.0-1.mga5
firefox-ms-45.8.0-1.mga5
firefox-nb_NO-45.8.0-1.mga5
firefox-nl-45.8.0-1.mga5
firefox-nn_NO-45.8.0-1.mga5
firefox-or-45.8.0-1.mga5
firefox-pa_IN-45.8.0-1.mga5
firefox-pl-45.8.0-1.mga5
firefox-pt_BR-45.8.0-1.mga5
firefox-pt_PT-45.8.0-1.mga5
firefox-ro-45.8.0-1.mga5
firefox-ru-45.8.0-1.mga5
firefox-si-45.8.0-1.mga5
firefox-sk-45.8.0-1.mga5
firefox-sl-45.8.0-1.mga5
firefox-sq-45.8.0-1.mga5
firefox-sr-45.8.0-1.mga5
firefox-sv_SE-45.8.0-1.mga5
firefox-ta-45.8.0-1.mga5
firefox-te-45.8.0-1.mga5
firefox-th-45.8.0-1.mga5
firefox-tr-45.8.0-1.mga5
firefox-uk-45.8.0-1.mga5
firefox-uz-45.8.0-1.mga5
firefox-vi-45.8.0-1.mga5
firefox-xh-45.8.0-1.mga5
firefox-zh_CN-45.8.0-1.mga5
firefox-zh_TW-45.8.0-1.mga5

from SRPMS:
rootcerts-20170209.00-1.mga5.src.rpm
sqlite3-3.10.2-1.mga5.src.rpm
nss-3.28.2-1.mga5.src.rpm
firefox-45.8.0-1.mga5.src.rpm
firefox-l10n-45.8.0-1.mga5.src.rpm
Comment 7 David Walser 2017-03-18 23:55:48 CET
There was a report on IRC that Thunderbird (in Cauldron) is crashing with the updated NSS (but Mageia 5 would probably also be affected), so it may be that TB 45.8 needs to go out with this, or that the following fix in NSS from upstream will take care of that issue:
http://pkgs.fedoraproject.org/cgit/rpms/nss.git/commit/?h=f24&id=51ea22c0ae95bbc2c76f4c0b1166ca646402a122
Comment 8 James Kerr 2017-03-19 16:10:11 CET
On mga5-64 

Packages updated cleanly:
- firefox-45.8.0-1.mga5.x86_64
- firefox-en_GB-45.8.0-1.mga5.noarch
- lib64nss3-3.28.3-1.mga5.x86_64
- lib64sqlite3_0-3.10.2-1.mga5.x86_64
- nss-3.28.3-1.mga5.x86_64
- rootcerts-20170209.00-1.mga5.noarch
- sqlite3-tools-3.10.2-1.mga5.x86_64

All seems to be OK

TB has not crashed as yet, but it is not heavily used on my test platform.

CC: (none) => jim

Comment 9 Len Lawrence 2017-03-19 23:43:29 CET
x86_64 real hardware.  Installed all of those packages referred to in comment 8 and:
- lib64nss-devel
- sqlite3-tcl
- lib64sqlite3-devel
- lib64sqlite3-static-devel
- lemon
- rootcerts-java-20170209.00-1

Restarted firefox and all seems to be well.  Will see how it goes.

CC: (none) => tarazed25

Comment 10 Lewis Smith 2017-03-20 09:22:32 CET
M5 x64 real hardware with AMD/ATI/Radeon video

Updated all the packages from the list already installed on my system (like Comment 8, + a couple). Ran Firefox through its paces on the BBC site, videos with sound. Using it now. Looks OK.

CC: (none) => lewyssmith

Comment 11 Samuel Verschelde 2017-03-20 09:29:50 CET
FYI Mozilla just released Firefox 52.0.1 with the following security fix:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/

I've seen no 45.8.1esr so either 45 is not affected or there's a patch to backport.
Comment 12 David Walser 2017-03-20 10:49:37 CET
(In reply to Samuel Verschelde from comment #11)
> FYI Mozilla just released Firefox 52.0.1 with the following security fix:
> 
> https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/
> 
> I've seen no 45.8.1esr so either 45 is not affected or there's a patch to
> backport.

What I heard is that issue was a regression in 52, so 45 isn't affected.
Comment 13 Nikita Krupenko 2017-03-20 12:10:46 CET
Created attachment 9121 [details]
Crash backtrace

I updated Firefox to 45.8.0-1.mga6 and it always crashes on start now.

CC: (none) => krnekit

David Walser 2017-03-20 17:46:18 CET

Blocks: (none) => 20420

Comment 14 Frédéric "LpSolit" Buclin 2017-03-20 18:59:48 CET
(In reply to Nikita Krupenko from comment #13)
> I updated Firefox to 45.8.0-1.mga6 and it always crashes on start now.

Same problem here, with firefox-45.8.0-2.mga6.
Comment 15 Rémi Verschelde 2017-03-20 19:15:53 CET
(In reply to Nikita Krupenko from comment #13)
> Created attachment 9121 [details]
> Crash backtrace
> 
> I updated Firefox to 45.8.0-1.mga6 and it always crashes on start now.

Please report this in a new bug report. This one is about the Mageia 5 update candidate.
Comment 16 Nikita Krupenko 2017-03-20 19:21:37 CET
(In reply to Rémi Verschelde from comment #15)
> (In reply to Nikita Krupenko from comment #13)
> > Created attachment 9121 [details]
> > Crash backtrace
> > 
> > I updated Firefox to 45.8.0-1.mga6 and it always crashes on start now.
> 
> Please report this in a new bug report. This one is about the Mageia 5
> update candidate.

Done, bug 20542
Comment 17 Thomas Andrews 2017-03-22 21:56:50 CET
Checked this out with the 64-bit server kernel on an Athlon X2/nvidia340 machine, both before and after updating to the proposed 4.4.55 kernel.

Looks good, no issues noted.

CC: (none) => andrewsfarm

Comment 18 Thomas Andrews 2017-03-22 21:58:57 CET
Checked this out on a Sempron 3100+/nvidia304 machine, both in 64-bit and 32-bit, both before and after updating to the proposed 4.4.55 server kernels.

Looks good, no issues noted.
Dave Hodgins 2017-03-23 18:54:45 CET

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 19 Mageia Robot 2017-03-23 22:22:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0081.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
