RedHat has issued advisories on September 28:
https://access.redhat.com/errata/RHSA-2017:2832
https://access.redhat.com/errata/RHSA-2017:2831

The nss package needs to be patched to fix CVE-2017-7805.

The upstream nss commit that fixed this issue is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1471171

RedHat added this patch to fix it:
https://git.centos.org/blob/rpms!nss.git/e0a76a37661e6c316262573f62d9550bb863aa26/SOURCES!nss-transcript.patch

Upstream advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
Whiteboard: (none) => MGA6TOO, MGA5TOO
The fix for CVE-2017-7805 is in NSS 3.28.6. Update to that and nss 4.17 in progress.
(In reply to David Walser from comment #1)
> The fix for CVE-2017-7805 is in NSS 3.28.6. Update to that and nss 4.17 in
> progress.

Thanks, I see you already pushed firefox. Assigning to you then :-)
Assignee: bugsquad => luigiwalser
CC: (none) => marja11
Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application (CVE-2017-7805).

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2017-7810, CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824, CVE-2017-7814, CVE-2017-7823).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7819
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7824
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2017:2832
https://access.redhat.com/errata/RHSA-2017:2831
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.17-1.mga5 libnspr-devel-4.17-1.mga5 nss-3.28.6-1.mga5 nss-doc-3.28.6-1.mga5 libnss3-3.28.6-1.mga5 libnss-devel-3.28.6-1.mga5 libnss-static-devel-3.28.6-1.mga5 firefox-52.4.0-1.mga5 firefox-devel-52.4.0-1.mga5 firefox-af-52.4.0-1.mga5 firefox-an-52.4.0-1.mga5 firefox-ar-52.4.0-1.mga5 firefox-as-52.4.0-1.mga5 firefox-ast-52.4.0-1.mga5 firefox-az-52.4.0-1.mga5 firefox-bg-52.4.0-1.mga5 firefox-bn_IN-52.4.0-1.mga5
firefox-bn_BD-52.4.0-1.mga5 firefox-br-52.4.0-1.mga5 firefox-bs-52.4.0-1.mga5 firefox-ca-52.4.0-1.mga5 firefox-cs-52.4.0-1.mga5 firefox-cy-52.4.0-1.mga5 firefox-da-52.4.0-1.mga5 firefox-de-52.4.0-1.mga5 firefox-el-52.4.0-1.mga5 firefox-en_GB-52.4.0-1.mga5 firefox-en_US-52.4.0-1.mga5 firefox-en_ZA-52.4.0-1.mga5 firefox-eo-52.4.0-1.mga5 firefox-es_AR-52.4.0-1.mga5 firefox-es_CL-52.4.0-1.mga5 firefox-es_ES-52.4.0-1.mga5 firefox-es_MX-52.4.0-1.mga5 firefox-et-52.4.0-1.mga5 firefox-eu-52.4.0-1.mga5 firefox-fa-52.4.0-1.mga5 firefox-ff-52.4.0-1.mga5 firefox-fi-52.4.0-1.mga5 firefox-fr-52.4.0-1.mga5 firefox-fy_NL-52.4.0-1.mga5 firefox-ga_IE-52.4.0-1.mga5 firefox-gd-52.4.0-1.mga5 firefox-gl-52.4.0-1.mga5 firefox-gu_IN-52.4.0-1.mga5 firefox-he-52.4.0-1.mga5 firefox-hi_IN-52.4.0-1.mga5 firefox-hr-52.4.0-1.mga5 firefox-hsb-52.4.0-1.mga5 firefox-hu-52.4.0-1.mga5 firefox-hy_AM-52.4.0-1.mga5 firefox-id-52.4.0-1.mga5 firefox-is-52.4.0-1.mga5 firefox-it-52.4.0-1.mga5 firefox-ja-52.4.0-1.mga5 firefox-kk-52.4.0-1.mga5 firefox-km-52.4.0-1.mga5 firefox-kn-52.4.0-1.mga5 firefox-ko-52.4.0-1.mga5 firefox-lij-52.4.0-1.mga5 firefox-lt-52.4.0-1.mga5 firefox-lv-52.4.0-1.mga5 firefox-mai-52.4.0-1.mga5 firefox-mk-52.4.0-1.mga5 firefox-ml-52.4.0-1.mga5 firefox-mr-52.4.0-1.mga5 firefox-ms-52.4.0-1.mga5 firefox-nb_NO-52.4.0-1.mga5 firefox-nl-52.4.0-1.mga5 firefox-nn_NO-52.4.0-1.mga5 firefox-or-52.4.0-1.mga5 firefox-pa_IN-52.4.0-1.mga5 firefox-pl-52.4.0-1.mga5 firefox-pt_BR-52.4.0-1.mga5 firefox-pt_PT-52.4.0-1.mga5 firefox-ro-52.4.0-1.mga5 firefox-ru-52.4.0-1.mga5 firefox-si-52.4.0-1.mga5 firefox-sk-52.4.0-1.mga5 firefox-sl-52.4.0-1.mga5 firefox-sq-52.4.0-1.mga5 firefox-sr-52.4.0-1.mga5 firefox-sv_SE-52.4.0-1.mga5 firefox-ta-52.4.0-1.mga5 firefox-te-52.4.0-1.mga5 firefox-th-52.4.0-1.mga5 firefox-tr-52.4.0-1.mga5 firefox-uk-52.4.0-1.mga5 firefox-uz-52.4.0-1.mga5 firefox-vi-52.4.0-1.mga5 firefox-xh-52.4.0-1.mga5 firefox-zh_CN-52.4.0-1.mga5 firefox-zh_TW-52.4.0-1.mga5 libnspr4-4.17-1.mga6 
libnspr-devel-4.17-1.mga6 nss-3.28.6-1.mga6 nss-doc-3.28.6-1.mga6 libnss3-3.28.6-1.mga6 libnss-devel-3.28.6-1.mga6 libnss-static-devel-3.28.6-1.mga6 firefox-52.4.0-1.mga6 firefox-devel-52.4.0-1.mga6 firefox-af-52.4.0-1.mga6 firefox-an-52.4.0-1.mga6 firefox-ar-52.4.0-1.mga6 firefox-as-52.4.0-1.mga6 firefox-ast-52.4.0-1.mga6 firefox-az-52.4.0-1.mga6 firefox-bg-52.4.0-1.mga6 firefox-bn_IN-52.4.0-1.mga6 firefox-bn_BD-52.4.0-1.mga6 firefox-br-52.4.0-1.mga6 firefox-bs-52.4.0-1.mga6 firefox-ca-52.4.0-1.mga6 firefox-cs-52.4.0-1.mga6 firefox-cy-52.4.0-1.mga6 firefox-da-52.4.0-1.mga6 firefox-de-52.4.0-1.mga6 firefox-el-52.4.0-1.mga6 firefox-en_GB-52.4.0-1.mga6 firefox-en_US-52.4.0-1.mga6 firefox-en_ZA-52.4.0-1.mga6 firefox-eo-52.4.0-1.mga6 firefox-es_AR-52.4.0-1.mga6 firefox-es_CL-52.4.0-1.mga6 firefox-es_ES-52.4.0-1.mga6 firefox-es_MX-52.4.0-1.mga6 firefox-et-52.4.0-1.mga6 firefox-eu-52.4.0-1.mga6 firefox-fa-52.4.0-1.mga6 firefox-ff-52.4.0-1.mga6 firefox-fi-52.4.0-1.mga6 firefox-fr-52.4.0-1.mga6 firefox-fy_NL-52.4.0-1.mga6 firefox-ga_IE-52.4.0-1.mga6 firefox-gd-52.4.0-1.mga6 firefox-gl-52.4.0-1.mga6 firefox-gu_IN-52.4.0-1.mga6 firefox-he-52.4.0-1.mga6 firefox-hi_IN-52.4.0-1.mga6 firefox-hr-52.4.0-1.mga6 firefox-hsb-52.4.0-1.mga6 firefox-hu-52.4.0-1.mga6 firefox-hy_AM-52.4.0-1.mga6 firefox-id-52.4.0-1.mga6 firefox-is-52.4.0-1.mga6 firefox-it-52.4.0-1.mga6 firefox-ja-52.4.0-1.mga6 firefox-kk-52.4.0-1.mga6 firefox-km-52.4.0-1.mga6 firefox-kn-52.4.0-1.mga6 firefox-ko-52.4.0-1.mga6 firefox-lij-52.4.0-1.mga6 firefox-lt-52.4.0-1.mga6 firefox-lv-52.4.0-1.mga6 firefox-mai-52.4.0-1.mga6 firefox-mk-52.4.0-1.mga6 firefox-ml-52.4.0-1.mga6 firefox-mr-52.4.0-1.mga6 firefox-ms-52.4.0-1.mga6 firefox-nb_NO-52.4.0-1.mga6 firefox-nl-52.4.0-1.mga6 firefox-nn_NO-52.4.0-1.mga6 firefox-or-52.4.0-1.mga6 firefox-pa_IN-52.4.0-1.mga6 firefox-pl-52.4.0-1.mga6 firefox-pt_BR-52.4.0-1.mga6 firefox-pt_PT-52.4.0-1.mga6 firefox-ro-52.4.0-1.mga6 firefox-ru-52.4.0-1.mga6 firefox-si-52.4.0-1.mga6 
firefox-sk-52.4.0-1.mga6 firefox-sl-52.4.0-1.mga6 firefox-sq-52.4.0-1.mga6 firefox-sr-52.4.0-1.mga6 firefox-sv_SE-52.4.0-1.mga6 firefox-ta-52.4.0-1.mga6 firefox-te-52.4.0-1.mga6 firefox-th-52.4.0-1.mga6 firefox-tr-52.4.0-1.mga6 firefox-uk-52.4.0-1.mga6 firefox-uz-52.4.0-1.mga6 firefox-vi-52.4.0-1.mga6 firefox-xh-52.4.0-1.mga6 firefox-zh_CN-52.4.0-1.mga6 firefox-zh_TW-52.4.0-1.mga6

from SRPMS:
nspr-4.17-1.mga5.src.rpm
nss-3.28.6-1.mga5.src.rpm
firefox-52.4.0-1.mga5.src.rpm
firefox-l10n-52.4.0-1.mga5.src.rpm
nspr-4.17-1.mga6.src.rpm
nss-3.28.6-1.mga6.src.rpm
firefox-52.4.0-1.mga6.src.rpm
firefox-l10n-52.4.0-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: luigiwalser => qa-bugs
Testing M6/64 Updated to:
CC: (none) => lewyssmith
Testing M6/64 [expletive deleted]

lib64nspr4-4.17-1.mga6
nss-3.28.6-1.mga6
lib64nss3-3.28.6-1.mga6
firefox-en_GB-52.4.0-1.mga6
firefox-en_US-52.4.0-1.mga6
firefox-en_ZA-52.4.0-1.mga6
firefox-cy-52.4.0-1.mga6
firefox-52.4.0-1.mga6

Tried a good selection of things on the BBC site, our own updates system, even YouTube. No problems noted, OK for me, but this needs wider confirmation.
Keywords: (none) => advisory
MGA6-32 on Asus A6000VM MATE
No installation issues.
Besides nl pack got also en-US and en-ZA packs as usual.
Tried newspaper, picture shows from it, googled for my favorite Muppet song manamana, it played well. If you need more laughs, google for "manamana trump".
OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
Testing M5/64
- firefox-52.4.0-1.mga5.x86_64
- firefox-cy-52.4.0-1.mga5.noarch
- firefox-en_GB-52.4.0-1.mga5.noarch
- firefox-fr-52.4.0-1.mga5.noarch
- lib64nspr4-4.17-1.mga5.x86_64
- lib64nss3-3.28.6-1.mga5.x86_64
- nss-3.28.6-1.mga5.x86_64

(In reply to Herman Viaene from comment #6)
> Besides nl pack got also en-US and en-ZA packs as usual

These seem to be installed by default; why the firefox-en_ZA heaven knows. I removed them.

Tried a mixture of sites, some banking included; YouTube for video & sound. They all worked as normal *except* the BBC! Off-line, what an event. I tried it from another browser, in vain; so it was not Firefox's fault.
Update OK for me, but others should try it.
Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK MGA6-64-OK
mga6 x86_64 Installed the updates and restarted firefox. Bookmarks OK. Browsed various sites, BBC News, STV, APOD, Weather Underground. Logged in to the router and checked client list. Watched a ZZ Top video on Youtube. Visited Voices of Music. Sound stream OK. No problems.
CC: (none) => tarazed25
mga5 x86_64 Updated from 52.3 to 52.4.0-1 with language packs for US, GB, ZA. Opened router web interface and updated firmware. Searched for 'alison balsom' and downloaded a video from Youtube. Looked at RadioTimes site, Guardian news, Slashdot, APOD. Used the menu to open a new window at Mageia Community Central. Commandline 'firefox localhost' opened the 'It works!' page. Opened Linux Weekly News and printed contents to a local PDF file. Endorsing the MGA5-64-OK.
Validating with 3/4 OKs.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0361.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
*** Bug 21878 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu