Bug 21785 - Firefox 52.4
Summary: Firefox 52.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Duplicates: 21878
Depends on:
Blocks:
Reported: 2017-09-29 13:14 CEST by David Walser
Modified: 2017-10-16 11:52 CEST (History)

See Also:
Source RPM: nss, firefox
CVE:
Status comment:



Description David Walser 2017-09-29 13:14:43 CEST
RedHat has issued advisories on September 28:
https://access.redhat.com/errata/RHSA-2017:2832
https://access.redhat.com/errata/RHSA-2017:2831

The nss package needs to be patched to fix CVE-2017-7805.

The upstream nss commit that fixed this issue is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1471171

RedHat added this patch to fix it:
https://git.centos.org/blob/rpms!nss.git/e0a76a37661e6c316262573f62d9550bb863aa26/SOURCES!nss-transcript.patch

Upstream advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
David Walser 2017-09-29 13:14:55 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-09-29 16:40:15 CEST
The fix for CVE-2017-7805 is in NSS 3.28.6.  Update to that and nss 4.17 in progress.
Comment 2 Marja Van Waes 2017-09-30 05:44:44 CEST
(In reply to David Walser from comment #1)
> The fix for CVE-2017-7805 is in NSS 3.28.6.  Update to that and nss 4.17 in
> progress.

Thanks, I see you already pushed firefox. Assigning to you then :-)

Assignee: bugsquad => luigiwalser
CC: (none) => marja11

Comment 3 David Walser 2017-09-30 19:54:15 CEST
Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library
when client authentication was used. A malicious client could use this flaw to
cause an application compiled against NSS to crash or, potentially, execute
arbitrary code with the permission of the user running the application
(CVE-2017-7805).

Multiple flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2017-7810, CVE-2017-7793, CVE-2017-7818, CVE-2017-7819, CVE-2017-7824,
CVE-2017-7814, CVE-2017-7823).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7819
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7824
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2017:2832
https://access.redhat.com/errata/RHSA-2017:2831
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.17-1.mga5
libnspr-devel-4.17-1.mga5
nss-3.28.6-1.mga5
nss-doc-3.28.6-1.mga5
libnss3-3.28.6-1.mga5
libnss-devel-3.28.6-1.mga5
libnss-static-devel-3.28.6-1.mga5
firefox-52.4.0-1.mga5
firefox-devel-52.4.0-1.mga5
firefox-af-52.4.0-1.mga5
firefox-an-52.4.0-1.mga5
firefox-ar-52.4.0-1.mga5
firefox-as-52.4.0-1.mga5
firefox-ast-52.4.0-1.mga5
firefox-az-52.4.0-1.mga5
firefox-bg-52.4.0-1.mga5
firefox-bn_IN-52.4.0-1.mga5
firefox-bn_BD-52.4.0-1.mga5
firefox-br-52.4.0-1.mga5
firefox-bs-52.4.0-1.mga5
firefox-ca-52.4.0-1.mga5
firefox-cs-52.4.0-1.mga5
firefox-cy-52.4.0-1.mga5
firefox-da-52.4.0-1.mga5
firefox-de-52.4.0-1.mga5
firefox-el-52.4.0-1.mga5
firefox-en_GB-52.4.0-1.mga5
firefox-en_US-52.4.0-1.mga5
firefox-en_ZA-52.4.0-1.mga5
firefox-eo-52.4.0-1.mga5
firefox-es_AR-52.4.0-1.mga5
firefox-es_CL-52.4.0-1.mga5
firefox-es_ES-52.4.0-1.mga5
firefox-es_MX-52.4.0-1.mga5
firefox-et-52.4.0-1.mga5
firefox-eu-52.4.0-1.mga5
firefox-fa-52.4.0-1.mga5
firefox-ff-52.4.0-1.mga5
firefox-fi-52.4.0-1.mga5
firefox-fr-52.4.0-1.mga5
firefox-fy_NL-52.4.0-1.mga5
firefox-ga_IE-52.4.0-1.mga5
firefox-gd-52.4.0-1.mga5
firefox-gl-52.4.0-1.mga5
firefox-gu_IN-52.4.0-1.mga5
firefox-he-52.4.0-1.mga5
firefox-hi_IN-52.4.0-1.mga5
firefox-hr-52.4.0-1.mga5
firefox-hsb-52.4.0-1.mga5
firefox-hu-52.4.0-1.mga5
firefox-hy_AM-52.4.0-1.mga5
firefox-id-52.4.0-1.mga5
firefox-is-52.4.0-1.mga5
firefox-it-52.4.0-1.mga5
firefox-ja-52.4.0-1.mga5
firefox-kk-52.4.0-1.mga5
firefox-km-52.4.0-1.mga5
firefox-kn-52.4.0-1.mga5
firefox-ko-52.4.0-1.mga5
firefox-lij-52.4.0-1.mga5
firefox-lt-52.4.0-1.mga5
firefox-lv-52.4.0-1.mga5
firefox-mai-52.4.0-1.mga5
firefox-mk-52.4.0-1.mga5
firefox-ml-52.4.0-1.mga5
firefox-mr-52.4.0-1.mga5
firefox-ms-52.4.0-1.mga5
firefox-nb_NO-52.4.0-1.mga5
firefox-nl-52.4.0-1.mga5
firefox-nn_NO-52.4.0-1.mga5
firefox-or-52.4.0-1.mga5
firefox-pa_IN-52.4.0-1.mga5
firefox-pl-52.4.0-1.mga5
firefox-pt_BR-52.4.0-1.mga5
firefox-pt_PT-52.4.0-1.mga5
firefox-ro-52.4.0-1.mga5
firefox-ru-52.4.0-1.mga5
firefox-si-52.4.0-1.mga5
firefox-sk-52.4.0-1.mga5
firefox-sl-52.4.0-1.mga5
firefox-sq-52.4.0-1.mga5
firefox-sr-52.4.0-1.mga5
firefox-sv_SE-52.4.0-1.mga5
firefox-ta-52.4.0-1.mga5
firefox-te-52.4.0-1.mga5
firefox-th-52.4.0-1.mga5
firefox-tr-52.4.0-1.mga5
firefox-uk-52.4.0-1.mga5
firefox-uz-52.4.0-1.mga5
firefox-vi-52.4.0-1.mga5
firefox-xh-52.4.0-1.mga5
firefox-zh_CN-52.4.0-1.mga5
firefox-zh_TW-52.4.0-1.mga5
libnspr4-4.17-1.mga6
libnspr-devel-4.17-1.mga6
nss-3.28.6-1.mga6
nss-doc-3.28.6-1.mga6
libnss3-3.28.6-1.mga6
libnss-devel-3.28.6-1.mga6
libnss-static-devel-3.28.6-1.mga6
firefox-52.4.0-1.mga6
firefox-devel-52.4.0-1.mga6
firefox-af-52.4.0-1.mga6
firefox-an-52.4.0-1.mga6
firefox-ar-52.4.0-1.mga6
firefox-as-52.4.0-1.mga6
firefox-ast-52.4.0-1.mga6
firefox-az-52.4.0-1.mga6
firefox-bg-52.4.0-1.mga6
firefox-bn_IN-52.4.0-1.mga6
firefox-bn_BD-52.4.0-1.mga6
firefox-br-52.4.0-1.mga6
firefox-bs-52.4.0-1.mga6
firefox-ca-52.4.0-1.mga6
firefox-cs-52.4.0-1.mga6
firefox-cy-52.4.0-1.mga6
firefox-da-52.4.0-1.mga6
firefox-de-52.4.0-1.mga6
firefox-el-52.4.0-1.mga6
firefox-en_GB-52.4.0-1.mga6
firefox-en_US-52.4.0-1.mga6
firefox-en_ZA-52.4.0-1.mga6
firefox-eo-52.4.0-1.mga6
firefox-es_AR-52.4.0-1.mga6
firefox-es_CL-52.4.0-1.mga6
firefox-es_ES-52.4.0-1.mga6
firefox-es_MX-52.4.0-1.mga6
firefox-et-52.4.0-1.mga6
firefox-eu-52.4.0-1.mga6
firefox-fa-52.4.0-1.mga6
firefox-ff-52.4.0-1.mga6
firefox-fi-52.4.0-1.mga6
firefox-fr-52.4.0-1.mga6
firefox-fy_NL-52.4.0-1.mga6
firefox-ga_IE-52.4.0-1.mga6
firefox-gd-52.4.0-1.mga6
firefox-gl-52.4.0-1.mga6
firefox-gu_IN-52.4.0-1.mga6
firefox-he-52.4.0-1.mga6
firefox-hi_IN-52.4.0-1.mga6
firefox-hr-52.4.0-1.mga6
firefox-hsb-52.4.0-1.mga6
firefox-hu-52.4.0-1.mga6
firefox-hy_AM-52.4.0-1.mga6
firefox-id-52.4.0-1.mga6
firefox-is-52.4.0-1.mga6
firefox-it-52.4.0-1.mga6
firefox-ja-52.4.0-1.mga6
firefox-kk-52.4.0-1.mga6
firefox-km-52.4.0-1.mga6
firefox-kn-52.4.0-1.mga6
firefox-ko-52.4.0-1.mga6
firefox-lij-52.4.0-1.mga6
firefox-lt-52.4.0-1.mga6
firefox-lv-52.4.0-1.mga6
firefox-mai-52.4.0-1.mga6
firefox-mk-52.4.0-1.mga6
firefox-ml-52.4.0-1.mga6
firefox-mr-52.4.0-1.mga6
firefox-ms-52.4.0-1.mga6
firefox-nb_NO-52.4.0-1.mga6
firefox-nl-52.4.0-1.mga6
firefox-nn_NO-52.4.0-1.mga6
firefox-or-52.4.0-1.mga6
firefox-pa_IN-52.4.0-1.mga6
firefox-pl-52.4.0-1.mga6
firefox-pt_BR-52.4.0-1.mga6
firefox-pt_PT-52.4.0-1.mga6
firefox-ro-52.4.0-1.mga6
firefox-ru-52.4.0-1.mga6
firefox-si-52.4.0-1.mga6
firefox-sk-52.4.0-1.mga6
firefox-sl-52.4.0-1.mga6
firefox-sq-52.4.0-1.mga6
firefox-sr-52.4.0-1.mga6
firefox-sv_SE-52.4.0-1.mga6
firefox-ta-52.4.0-1.mga6
firefox-te-52.4.0-1.mga6
firefox-th-52.4.0-1.mga6
firefox-tr-52.4.0-1.mga6
firefox-uk-52.4.0-1.mga6
firefox-uz-52.4.0-1.mga6
firefox-vi-52.4.0-1.mga6
firefox-xh-52.4.0-1.mga6
firefox-zh_CN-52.4.0-1.mga6
firefox-zh_TW-52.4.0-1.mga6

from SRPMS:
nspr-4.17-1.mga5.src.rpm
nss-3.28.6-1.mga5.src.rpm
firefox-52.4.0-1.mga5.src.rpm
firefox-l10n-52.4.0-1.mga5.src.rpm
nspr-4.17-1.mga6.src.rpm
nss-3.28.6-1.mga6.src.rpm
firefox-52.4.0-1.mga6.src.rpm
firefox-l10n-52.4.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Assignee: luigiwalser => qa-bugs

Comment 4 Lewis Smith 2017-09-30 20:59:44 CEST
Testing M6/64

Updated to:

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2017-09-30 21:26:03 CEST
Testing M6/64 [expletive deleted]

lib64nspr4-4.17-1.mga6
nss-3.28.6-1.mga6
lib64nss3-3.28.6-1.mga6
firefox-en_GB-52.4.0-1.mga6
firefox-en_US-52.4.0-1.mga6
firefox-en_ZA-52.4.0-1.mga6
firefox-cy-52.4.0-1.mga6
firefox-52.4.0-1.mga6

Tried a good selection of things on the BBC site, our own updates system, even YouTube. No problems noted, OK for me, but this needs wider confirmation.
Lewis Smith 2017-09-30 21:36:58 CEST

Keywords: (none) => advisory

Comment 6 Herman Viaene 2017-10-01 11:13:09 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Beside nl pack got also en-US and en-ZA packs as usual
Tried newspaper, picture shows from it, googled for my favorite Muppet song manamana, it played well. If you need more laughs, google for "manamana trump".
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK

Comment 7 Lewis Smith 2017-10-01 21:55:24 CEST
Testing M5/64

- firefox-52.4.0-1.mga5.x86_64
- firefox-cy-52.4.0-1.mga5.noarch
- firefox-en_GB-52.4.0-1.mga5.noarch
- firefox-fr-52.4.0-1.mga5.noarch
- lib64nspr4-4.17-1.mga5.x86_64
- lib64nss3-3.28.6-1.mga5.x86_64
- nss-3.28.6-1.mga5.x86_64

(In reply to Herman Viaene from comment #6)
> Beside nl pack got also en-US and en-ZA packs as usual
These seem to be installed by default; why the firefox-en_ZA heaven knows. I removed them.

Tried a mixture of sites, some banking included; YouTube for video & sound. They all worked as normal *except* the BBC! Off-line, what an event. I tried it from another browser, in vain; so it was not Firefox's fault.

Update OK for me, but others should try it.

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK MGA6-64-OK

Comment 8 Len Lawrence 2017-10-01 23:44:29 CEST
mga6  x86_64

Installed the updates and restarted firefox.  Bookmarks OK.  Browsed various sites, BBC News, STV, APOD, Weather Underground.  Logged in to the router and checked client list.  Watched a ZZ Top video on Youtube.  Visited Voices of Music.  Sound stream OK.  No problems.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2017-10-02 00:27:58 CEST
mga5  x86_64

Updated from 52.3 to 52.4.0-1 with language packs for US, GB, ZA.
Opened router web interface and updated firmware.  Searched for 'alison balsom' and downloaded a video from Youtube.  Looked at RadioTimes site, Guardian news, Slashdot, APOD.  Used the menu to open a new window at Mageia Community Central.
Commandline 'firefox localhost' opened the 'It works!' page.  Opened Linux Weekly News and printed contents to a local PDF file.

Endorsing the MGA5-64-OK.
Comment 10 Lewis Smith 2017-10-03 10:22:03 CEST
Validating with 3/4 OKs.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2017-10-05 22:38:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0361.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 David Walser 2017-10-16 11:52:12 CEST
*** Bug 21878 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu
