Firefox 52.1.0 has been released today (April 19): https://www.mozilla.org/en-US/firefox/52.1.0/releasenotes/ (Actually the tarball was available yesterday, April 18.) An updated nspr 4.14 was pushed to Cauldron this morning, which should also be pushed to Mageia 5 before Firefox is built (nspr is checked into SVN).
CC: (none) => mrambo
Whiteboard: (none) => MGA5TOO
RedHat has issued an advisory tomorrow (April 20): https://rhn.redhat.com/errata/RHSA-2017-1100.html This updates NSS for a security issue, CVE-2017-5461, from MFSA2017-12: https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/ There's a rootcerts update as well (in SVN), but the patch still needs to be rediffed. RedHat marked the NSS update as "urgent," so we should probably issue the nspr, rootcerts, nss (to be built in that order) update ASAP and Firefox when it's ready.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
RedHat has issued an advisory for Firefox today (April 20): https://rhn.redhat.com/errata/RHSA-2017-1106.html
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia
sent on updates_testing: src.rpm: nspr-4.14-1.mga5 rootcerts-20170404.00-1.mga5 nss-3.28.4-1.mga5 firefox-52.1.0-1.mga5
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated nss and firefox packages fix security issues:

An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library (CVE-2017-5461).

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2017-5429, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5459, CVE-2017-5460, CVE-2017-5464, CVE-2017-5465, CVE-2017-5469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5469
https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://rhn.redhat.com/errata/RHSA-2017-1100.html
https://rhn.redhat.com/errata/RHSA-2017-1106.html
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.14-1.mga5
libnspr-devel-4.14-1.mga5
rootcerts-20170404.00-1.mga5
rootcerts-java-20170404.00-1.mga5
nss-3.28.4-1.mga5
nss-doc-3.28.4-1.mga5
libnss3-3.28.4-1.mga5
libnss-devel-3.28.4-1.mga5
libnss-static-devel-3.28.4-1.mga5
firefox-52.1.0-1.mga5
firefox-devel-52.1.0-1.mga5
firefox-af-52.1.0-1.mga5
firefox-an-52.1.0-1.mga5
firefox-ar-52.1.0-1.mga5
firefox-as-52.1.0-1.mga5
firefox-ast-52.1.0-1.mga5
firefox-az-52.1.0-1.mga5
firefox-bg-52.1.0-1.mga5
firefox-bn_IN-52.1.0-1.mga5
firefox-bn_BD-52.1.0-1.mga5
firefox-br-52.1.0-1.mga5
firefox-bs-52.1.0-1.mga5
firefox-ca-52.1.0-1.mga5
firefox-cs-52.1.0-1.mga5
firefox-cy-52.1.0-1.mga5
firefox-da-52.1.0-1.mga5
firefox-de-52.1.0-1.mga5
firefox-el-52.1.0-1.mga5
firefox-en_GB-52.1.0-1.mga5
firefox-en_US-52.1.0-1.mga5
firefox-en_ZA-52.1.0-1.mga5
firefox-eo-52.1.0-1.mga5
firefox-es_AR-52.1.0-1.mga5
firefox-es_CL-52.1.0-1.mga5
firefox-es_ES-52.1.0-1.mga5
firefox-es_MX-52.1.0-1.mga5
firefox-et-52.1.0-1.mga5
firefox-eu-52.1.0-1.mga5
firefox-fa-52.1.0-1.mga5
firefox-ff-52.1.0-1.mga5
firefox-fi-52.1.0-1.mga5
firefox-fr-52.1.0-1.mga5
firefox-fy_NL-52.1.0-1.mga5
firefox-ga_IE-52.1.0-1.mga5
firefox-gd-52.1.0-1.mga5
firefox-gl-52.1.0-1.mga5
firefox-gu_IN-52.1.0-1.mga5
firefox-he-52.1.0-1.mga5
firefox-hi_IN-52.1.0-1.mga5
firefox-hr-52.1.0-1.mga5
firefox-hsb-52.1.0-1.mga5
firefox-hu-52.1.0-1.mga5
firefox-hy_AM-52.1.0-1.mga5
firefox-id-52.1.0-1.mga5
firefox-is-52.1.0-1.mga5
firefox-it-52.1.0-1.mga5
firefox-ja-52.1.0-1.mga5
firefox-kk-52.1.0-1.mga5
firefox-km-52.1.0-1.mga5
firefox-kn-52.1.0-1.mga5
firefox-ko-52.1.0-1.mga5
firefox-lij-52.1.0-1.mga5
firefox-lt-52.1.0-1.mga5
firefox-lv-52.1.0-1.mga5
firefox-mai-52.1.0-1.mga5
firefox-mk-52.1.0-1.mga5
firefox-ml-52.1.0-1.mga5
firefox-mr-52.1.0-1.mga5
firefox-ms-52.1.0-1.mga5
firefox-nb_NO-52.1.0-1.mga5
firefox-nl-52.1.0-1.mga5
firefox-nn_NO-52.1.0-1.mga5
firefox-or-52.1.0-1.mga5
firefox-pa_IN-52.1.0-1.mga5
firefox-pl-52.1.0-1.mga5
firefox-pt_BR-52.1.0-1.mga5
firefox-pt_PT-52.1.0-1.mga5
firefox-ro-52.1.0-1.mga5
firefox-ru-52.1.0-1.mga5
firefox-si-52.1.0-1.mga5
firefox-sk-52.1.0-1.mga5
firefox-sl-52.1.0-1.mga5
firefox-sq-52.1.0-1.mga5
firefox-sr-52.1.0-1.mga5
firefox-sv_SE-52.1.0-1.mga5
firefox-ta-52.1.0-1.mga5
firefox-te-52.1.0-1.mga5
firefox-th-52.1.0-1.mga5
firefox-tr-52.1.0-1.mga5
firefox-uk-52.1.0-1.mga5
firefox-uz-52.1.0-1.mga5
firefox-vi-52.1.0-1.mga5
firefox-xh-52.1.0-1.mga5
firefox-zh_CN-52.1.0-1.mga5
firefox-zh_TW-52.1.0-1.mga5

from SRPMS:
nspr-4.14-1.mga5.src.rpm
rootcerts-20170404.00-1.mga5.src.rpm
nss-3.28.4-1.mga5.src.rpm
firefox-52.1.0-1.mga5.src.rpm
firefox-l10n-52.1.0-1.mga5.src.rpm
Source RPM: firefox => nss, firefox
It won't play sound, saying I need PulseAudio. My understanding was that that was only supposed to happen in non-ESR builds. Is there a configure option we need to enable ALSA support?
Whiteboard: (none) => feedback
No issues or regressions found on a fully up-to-date x86_64 Mageia 5 system. Pages, sound (pulseaudio) and WebGL (nVidia proprietary drivers) work.
CC: (none) => mageia
It also won't run the Java plugin: https://www.java.com/en/download/installed8.jsp?detect=jre which I also thought was not supposed to be the case for ESR builds.
On mga5-64

Packages installed cleanly:
- firefox-52.1.0-1.mga5.x86_64
- firefox-en_GB-52.1.0-1.mga5.noarch
- lib64nspr4-4.14-1.mga5.x86_64
- lib64nss3-3.28.4-1.mga5.x86_64
- nss-3.28.4-1.mga5.x86_64
- rootcerts-20170404.00-1.mga5.noarch

No regressions noted other than, as reported in comment#8, https://www.java.com/en/download/installed8.jsp?detect=jre reports that plugins are not supported. Flashplayer and html5 are OK, including audio. The Java applets that I've been able to test do load and execute correctly.
CC: (none) => jim
(In reply to David Walser from comment #6)
> It won't play sound, saying I need PulseAudio. My understanding was that that was
> only supposed to happen in non-ESR builds. Is there a configure option we
> need to enable ALSA support?

see: https://groups.google.com/forum/#!topic/mozilla.dev.platform/jRAqSTri66I
For the sound issue, please test the next firefox rpm; I tried to enable ALSA.
MGA5-64 Lenovo B50 KDE. No installation issues. Update page plays OK, internet radio plays OK. No immediate problem.
Whiteboard: feedback => feedback MGA5-64-OK
CC: (none) => herman.viaene
Thanks, sound works now. Sorry for the delay.
Whiteboard: feedback MGA5-64-OK => MGA5-64-OK
CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Fine on i586 under vb. Advisory committed to svn. Validating the update.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0118.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This also fixed CVE-2017-5462 in NSS: https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/