MFSA corresponding to this update:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/

Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there are no registered maintainers for those packages.

CC: (none) => marja11

(In reply to Marja van Waes from comment #2)
> Assigning to all packagers collectively, since there are no registered
> maintainers for those packages.

Now really assigning :-/

Assignee: bugsquad => pkg-bugs

seems it is on updates_testing  is all uploaded ?

CC: (none) => mageia

No, as I said, rootcerts in Cauldron failed to build.

RedHat has issued an advisory for this today (August 10):
https://access.redhat.com/errata/RHSA-2017:2456

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2017-7779, CVE-2017-7798, CVE-2017-7800, CVE-2017-7801, CVE-2017-7753,
CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7792,
CVE-2017-7802, CVE-2017-7807, CVE-2017-7809, CVE-2017-7791, CVE-2017-7803).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7809
https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2017:2456
========================

Updated packages in core/updates_testing:
========================
rootcerts-20170718.00-1.mga5
rootcerts-java-20170718.00-1.mga5
libnspr4-4.16-1.mga5
libnspr-devel-4.16-1.mga5
nss-3.28.5-1.1.mga5
nss-doc-3.28.5-1.1.mga5
libnss3-3.28.5-1.1.mga5
libnss-devel-3.28.5-1.1.mga5
libnss-static-devel-3.28.5-1.1.mga5
firefox-52.3.0-1.mga5
firefox-devel-52.3.0-1.mga5
firefox-af-52.3.0-1.mga5
firefox-an-52.3.0-1.mga5
firefox-ar-52.3.0-1.mga5
firefox-as-52.3.0-1.mga5
firefox-ast-52.3.0-1.mga5
firefox-az-52.3.0-1.mga5
firefox-bg-52.3.0-1.mga5
firefox-bn_IN-52.3.0-1.mga5
firefox-bn_BD-52.3.0-1.mga5
firefox-br-52.3.0-1.mga5
firefox-bs-52.3.0-1.mga5
firefox-ca-52.3.0-1.mga5
firefox-cs-52.3.0-1.mga5
firefox-cy-52.3.0-1.mga5
firefox-da-52.3.0-1.mga5
firefox-de-52.3.0-1.mga5
firefox-el-52.3.0-1.mga5
firefox-en_GB-52.3.0-1.mga5
firefox-en_US-52.3.0-1.mga5
firefox-en_ZA-52.3.0-1.mga5
firefox-eo-52.3.0-1.mga5
firefox-es_AR-52.3.0-1.mga5
firefox-es_CL-52.3.0-1.mga5
firefox-es_ES-52.3.0-1.mga5
firefox-es_MX-52.3.0-1.mga5
firefox-et-52.3.0-1.mga5
firefox-eu-52.3.0-1.mga5
firefox-fa-52.3.0-1.mga5
firefox-ff-52.3.0-1.mga5
firefox-fi-52.3.0-1.mga5
firefox-fr-52.3.0-1.mga5
firefox-fy_NL-52.3.0-1.mga5
firefox-ga_IE-52.3.0-1.mga5
firefox-gd-52.3.0-1.mga5
firefox-gl-52.3.0-1.mga5
firefox-gu_IN-52.3.0-1.mga5
firefox-he-52.3.0-1.mga5
firefox-hi_IN-52.3.0-1.mga5
firefox-hr-52.3.0-1.mga5
firefox-hsb-52.3.0-1.mga5
firefox-hu-52.3.0-1.mga5
firefox-hy_AM-52.3.0-1.mga5
firefox-id-52.3.0-1.mga5
firefox-is-52.3.0-1.mga5
firefox-it-52.3.0-1.mga5
firefox-ja-52.3.0-1.mga5
firefox-kk-52.3.0-1.mga5
firefox-km-52.3.0-1.mga5
firefox-kn-52.3.0-1.mga5
firefox-ko-52.3.0-1.mga5
firefox-lij-52.3.0-1.mga5
firefox-lt-52.3.0-1.mga5
firefox-lv-52.3.0-1.mga5
firefox-mai-52.3.0-1.mga5
firefox-mk-52.3.0-1.mga5
firefox-ml-52.3.0-1.mga5
firefox-mr-52.3.0-1.mga5
firefox-ms-52.3.0-1.mga5
firefox-nb_NO-52.3.0-1.mga5
firefox-nl-52.3.0-1.mga5
firefox-nn_NO-52.3.0-1.mga5
firefox-or-52.3.0-1.mga5
firefox-pa_IN-52.3.0-1.mga5
firefox-pl-52.3.0-1.mga5
firefox-pt_BR-52.3.0-1.mga5
firefox-pt_PT-52.3.0-1.mga5
firefox-ro-52.3.0-1.mga5
firefox-ru-52.3.0-1.mga5
firefox-si-52.3.0-1.mga5
firefox-sk-52.3.0-1.mga5
firefox-sl-52.3.0-1.mga5
firefox-sq-52.3.0-1.mga5
firefox-sr-52.3.0-1.mga5
firefox-sv_SE-52.3.0-1.mga5
firefox-ta-52.3.0-1.mga5
firefox-te-52.3.0-1.mga5
firefox-th-52.3.0-1.mga5
firefox-tr-52.3.0-1.mga5
firefox-uk-52.3.0-1.mga5
firefox-uz-52.3.0-1.mga5
firefox-vi-52.3.0-1.mga5
firefox-xh-52.3.0-1.mga5
firefox-zh_CN-52.3.0-1.mga5
firefox-zh_TW-52.3.0-1.mga5
rootcerts-20170718.00-1.mga6
rootcerts-java-20170718.00-1.mga6
libnspr4-4.16-1.mga6
libnspr-devel-4.16-1.mga6
nss-3.28.5-1.1.mga6
nss-doc-3.28.5-1.1.mga6
libnss3-3.28.5-1.1.mga6
libnss-devel-3.28.5-1.1.mga6
libnss-static-devel-3.28.5-1.1.mga6
firefox-52.3.0-1.mga6
firefox-devel-52.3.0-1.mga6
firefox-af-52.3.0-1.mga6
firefox-an-52.3.0-1.mga6
firefox-ar-52.3.0-1.mga6
firefox-as-52.3.0-1.mga6
firefox-ast-52.3.0-1.mga6
firefox-az-52.3.0-1.mga6
firefox-bg-52.3.0-1.mga6
firefox-bn_IN-52.3.0-1.mga6
firefox-bn_BD-52.3.0-1.mga6
firefox-br-52.3.0-1.mga6
firefox-bs-52.3.0-1.mga6
firefox-ca-52.3.0-1.mga6
firefox-cs-52.3.0-1.mga6
firefox-cy-52.3.0-1.mga6
firefox-da-52.3.0-1.mga6
firefox-de-52.3.0-1.mga6
firefox-el-52.3.0-1.mga6
firefox-en_GB-52.3.0-1.mga6
firefox-en_US-52.3.0-1.mga6
firefox-en_ZA-52.3.0-1.mga6
firefox-eo-52.3.0-1.mga6
firefox-es_AR-52.3.0-1.mga6
firefox-es_CL-52.3.0-1.mga6
firefox-es_ES-52.3.0-1.mga6
firefox-es_MX-52.3.0-1.mga6
firefox-et-52.3.0-1.mga6
firefox-eu-52.3.0-1.mga6
firefox-fa-52.3.0-1.mga6
firefox-ff-52.3.0-1.mga6
firefox-fi-52.3.0-1.mga6
firefox-fr-52.3.0-1.mga6
firefox-fy_NL-52.3.0-1.mga6
firefox-ga_IE-52.3.0-1.mga6
firefox-gd-52.3.0-1.mga6
firefox-gl-52.3.0-1.mga6
firefox-gu_IN-52.3.0-1.mga6
firefox-he-52.3.0-1.mga6
firefox-hi_IN-52.3.0-1.mga6
firefox-hr-52.3.0-1.mga6
firefox-hsb-52.3.0-1.mga6
firefox-hu-52.3.0-1.mga6
firefox-hy_AM-52.3.0-1.mga6
firefox-id-52.3.0-1.mga6
firefox-is-52.3.0-1.mga6
firefox-it-52.3.0-1.mga6
firefox-ja-52.3.0-1.mga6
firefox-kk-52.3.0-1.mga6
firefox-km-52.3.0-1.mga6
firefox-kn-52.3.0-1.mga6
firefox-ko-52.3.0-1.mga6
firefox-lij-52.3.0-1.mga6
firefox-lt-52.3.0-1.mga6
firefox-lv-52.3.0-1.mga6
firefox-mai-52.3.0-1.mga6
firefox-mk-52.3.0-1.mga6
firefox-ml-52.3.0-1.mga6
firefox-mr-52.3.0-1.mga6
firefox-ms-52.3.0-1.mga6
firefox-nb_NO-52.3.0-1.mga6
firefox-nl-52.3.0-1.mga6
firefox-nn_NO-52.3.0-1.mga6
firefox-or-52.3.0-1.mga6
firefox-pa_IN-52.3.0-1.mga6
firefox-pl-52.3.0-1.mga6
firefox-pt_BR-52.3.0-1.mga6
firefox-pt_PT-52.3.0-1.mga6
firefox-ro-52.3.0-1.mga6
firefox-ru-52.3.0-1.mga6
firefox-si-52.3.0-1.mga6
firefox-sk-52.3.0-1.mga6
firefox-sl-52.3.0-1.mga6
firefox-sq-52.3.0-1.mga6
firefox-sr-52.3.0-1.mga6
firefox-sv_SE-52.3.0-1.mga6
firefox-ta-52.3.0-1.mga6
firefox-te-52.3.0-1.mga6
firefox-th-52.3.0-1.mga6
firefox-tr-52.3.0-1.mga6
firefox-uk-52.3.0-1.mga6
firefox-uz-52.3.0-1.mga6
firefox-vi-52.3.0-1.mga6
firefox-xh-52.3.0-1.mga6
firefox-zh_CN-52.3.0-1.mga6
firefox-zh_TW-52.3.0-1.mga6

from SRPMS:
rootcerts-20170718.00-1.mga5.src.rpm
nspr-4.16-1.mga5.src.rpm
nss-3.28.5-1.1.mga5.src.rpm
firefox-52.3.0-1.mga5.src.rpm
firefox-l10n-52.3.0-1.mga5.src.rpm
rootcerts-20170718.00-1.mga6.src.rpm
nspr-4.16-1.mga6.src.rpm
nss-3.28.5-1.1.mga6.src.rpm
firefox-52.3.0-1.mga6.src.rpm
firefox-l10n-52.3.0-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Installed and tested without regressions. Tested a bunch of sites, including sites using audio, video, webgl and java applet.


$ rpm -qa | egrep 'firefox|nss-|rootcerts' | sort
firefox-52.3.0-1.mga5
firefox-pt_PT-52.3.0-1.mga5
lib64nss-devel-3.28.5-1.1.mga5
lib64nss-mdns2-0.10-15.mga5
nss-3.28.5-1.1.mga5
nss-myhostname-217-11.2.mga5
rootcerts-20170718.00-1.mga5
rootcerts-java-20170718.00-1.mga5

CC: (none) => mageia

In VirtualBox, M6, Plasma, 64-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-52.2.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.2.0-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.2.0-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-52.3.0-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.3.0-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.3.0-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

CC: (none) => wilcal.int

In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-52.2.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.2.0-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.2.0-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-52.3.0-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.3.0-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.3.0-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-52.2.0-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.2.0-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.2.0-1.mga5.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-52.3.0-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.3.0-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.3.0-1.mga5.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-52.2.0-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.2.0-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.2.0-1.mga5.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-52.3.0-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-52.3.0-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-52.3.0-1.mga5.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

I'm going to validate this in 24-hours unless someone beats me to it.

No problems with these updates on x86_64, mga5 and mga6.

Keeping an eye open for the minute-long lockups which used to happen quite frequently near the start of a user session.  So far so good.

CC: (none) => tarazed25

(In reply to Len Lawrence from comment #14)
> Keeping an eye open for the minute-long lockups which used to happen quite
> frequently near the start of a user session.  So far so good.

I don't know if what you are describing is the same but, for me, firefox freezes for 20 to 30 seconds a few seconds after it starts, with 150% core usage, and then continues normally. This only happen on my main profile (a profile with a bunch of add ons, large history, etc). On a clean profile these freezes do not happen or are too short to be noticeable.

These freezes have been happening since several version happen with version 52.3 and also happen with version 56.0b2 that I'm using to post this.

(In reply to Len Lawrence from comment #14)

> Keeping an eye open for the minute-long lockups which used to happen quite
> frequently near the start of a user session.  So far so good.

Try changing DNS server(s):

Google
------
8.8.8.8
8.8.4.4

opendns
-------
208.67.222.222
208.67.220.220

(In reply to PC LX from comment #15)

> I don't know if what you are describing is the same but, for me, firefox
> freezes for 20 to 30 seconds a few seconds after it starts, with 150% core
> usage, and then continues normally. This only happen on my main profile (a
> profile with a bunch of add ons, large history, etc). On a clean profile
> these freezes do not happen or are too short to be noticeable.
> 
> These freezes have been happening since several version happen with version
> 52.3 and also happen with version 56.0b2 that I'm using to post this.

I'm not so sure this is an issue with Mageia. This is a security update and, IMO, trying to get Mozilla to change something upstream is like shouting down an empty well. Note my Comment 16. I find that Firefox is susceptible to slow DNS servers and exhibit the performance issue you describe here.

$ uname -a
Linux localhost 4.4.79-desktop586-1.mga5 #1 SMP Fri Jul 28 01:45:13 UTC 2017 i686 i686 i686 GNU/Linux

The following 3 packages are going to be installed:

- firefox-52.3.0-1.mga5.i586
- firefox-en_GB-52.3.0-1.mga5.noarch
- firefox-en_ZA-52.3.0-1.mga5.noarch

145KB of additional disk space will be used.

52MB of packages will be retrieved.

Is it ok to continue?


$ firefox -v
Mozilla Firefox 52.3.0

I've tested several web-sites, seems to be working as designed.

CC: (none) => brtians1

Hardware: AMD Athlon X2 7750, nvidia340 graphics, Atheros wifi.

System: 64-bit Mageia 6 Plasma, server kernel.

Updated Firefox and the US English package. No regressions noted.

Also works after updating to the kernel just put up to be tested.

CC: (none) => andrewsfarm

Re comment 15.
In the case here there is only one profile.  The freezes seemed to last precisely one minute and occurred shortly after session startup without any user interaction but vanished after a while.  Not seen yet with this update.  But as wilcal says it is hard to see how a security update could fix this issue.  It may well have something to do with the user profile so a bit of a nightmare to track down.

Re comment 16: thanks wilcal - keeping that in mind.

MGA5-32 on Asus A6000VM with nVidia Geforce 7300 Xfce
No installation issues.
Firefox connects OK,no blockages. Video from newspaper site plays OK.
Seems OK AFAICS.

CC: (none) => herman.viaene

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

M5_64

I started testing this yetserday, but got stuck with a problem on a particular site - which was evident with other browsers - so could not OK it then. Today I can: the problem has gone, and all my usage of the updated Firefox was good.
So a retrospective OK.

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0268.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

I tested it before I noticed it was already resolved but since it is tested and the comment is written here it is.

Installed and tested without regressions.

Tested with multiple websites, including WebGL, flash, video/audio.

Installed packages:
- firefox-52.6.0-1.mga6.x86_64
- firefox-pt_PT-52.6.0-1.mga6.noarch
- lib64nspr-devel-4.18-1.mga6.x86_64
- lib64nspr4-4.18-1.mga6.x86_64
- lib64nss-devel-3.28.6-1.3.mga6.x86_64
- lib64nss3-3.28.6-1.3.mga6.x86_64
- nss-3.28.6-1.3.mga6.x86_64
- rootcerts-20180104.00-1.mga6.noarch
- rootcerts-java-20180104.00-1.mga6.noarch

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Oops, please ignore comment #26 (and this one while!), it should have been posted to another bug!