Bug 22432 - Firefox 52.6
Summary: Firefox 52.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22434
Reported: 2018-01-20 19:14 CET by David Walser
Modified: 2018-01-26 19:51 CET
CC: 7 users

See Also:
Source RPM: rootcerts, nspr, firefox, firefox-l10n
CVE:
Status comment:


Description David Walser 2018-01-20 19:14:55 CET
Mozilla has released Firefox 52.6 on January 19:
https://www.mozilla.org/en-US/firefox/52.6.0/releasenotes/

As of this posting, those release notes haven't been posted yet and neither have the security issues fixed:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

We also have an update to nspr 4.18, rootcerts 20180104, and nss rebuilds for the rootcerts update (Cauldron-only update to 3.35).

I need sysadmins to submit packages for Mageia 5.  They should be submitted in stages, waiting for each stage to finish before pushing the next:
- nspr, rootcerts
- nss
- firefox
- firefox-l10n
David Walser 2018-01-20 19:15:02 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2018-01-20 20:04:57 CET
Builds in progress for Mageia 6.

Updated packages in core/updates_testing:
========================
libnspr4-4.18-1.mga6
libnspr-devel-4.18-1.mga6
rootcerts-20180104.00-1.mga6
rootcerts-java-20180104.00-1.mga6
nss-3.28.6-1.3.mga6
nss-doc-3.28.6-1.3.mga6
libnss3-3.28.6-1.3.mga6
libnss-devel-3.28.6-1.3.mga6
libnss-static-devel-3.28.6-1.3.mga6
firefox-52.6.0-1.mga6
firefox-devel-52.6.0-1.mga6
firefox-af-52.6.0-1.mga6
firefox-an-52.6.0-1.mga6
firefox-ar-52.6.0-1.mga6
firefox-as-52.6.0-1.mga6
firefox-ast-52.6.0-1.mga6
firefox-az-52.6.0-1.mga6
firefox-bg-52.6.0-1.mga6
firefox-bn_IN-52.6.0-1.mga6
firefox-bn_BD-52.6.0-1.mga6
firefox-br-52.6.0-1.mga6
firefox-bs-52.6.0-1.mga6
firefox-ca-52.6.0-1.mga6
firefox-cs-52.6.0-1.mga6
firefox-cy-52.6.0-1.mga6
firefox-da-52.6.0-1.mga6
firefox-de-52.6.0-1.mga6
firefox-el-52.6.0-1.mga6
firefox-en_GB-52.6.0-1.mga6
firefox-en_US-52.6.0-1.mga6
firefox-en_ZA-52.6.0-1.mga6
firefox-eo-52.6.0-1.mga6
firefox-es_AR-52.6.0-1.mga6
firefox-es_CL-52.6.0-1.mga6
firefox-es_ES-52.6.0-1.mga6
firefox-es_MX-52.6.0-1.mga6
firefox-et-52.6.0-1.mga6
firefox-eu-52.6.0-1.mga6
firefox-fa-52.6.0-1.mga6
firefox-ff-52.6.0-1.mga6
firefox-fi-52.6.0-1.mga6
firefox-fr-52.6.0-1.mga6
firefox-fy_NL-52.6.0-1.mga6
firefox-ga_IE-52.6.0-1.mga6
firefox-gd-52.6.0-1.mga6
firefox-gl-52.6.0-1.mga6
firefox-gu_IN-52.6.0-1.mga6
firefox-he-52.6.0-1.mga6
firefox-hi_IN-52.6.0-1.mga6
firefox-hr-52.6.0-1.mga6
firefox-hsb-52.6.0-1.mga6
firefox-hu-52.6.0-1.mga6
firefox-hy_AM-52.6.0-1.mga6
firefox-id-52.6.0-1.mga6
firefox-is-52.6.0-1.mga6
firefox-it-52.6.0-1.mga6
firefox-ja-52.6.0-1.mga6
firefox-kk-52.6.0-1.mga6
firefox-km-52.6.0-1.mga6
firefox-kn-52.6.0-1.mga6
firefox-ko-52.6.0-1.mga6
firefox-lij-52.6.0-1.mga6
firefox-lt-52.6.0-1.mga6
firefox-lv-52.6.0-1.mga6
firefox-mai-52.6.0-1.mga6
firefox-mk-52.6.0-1.mga6
firefox-ml-52.6.0-1.mga6
firefox-mr-52.6.0-1.mga6
firefox-ms-52.6.0-1.mga6
firefox-nb_NO-52.6.0-1.mga6
firefox-nl-52.6.0-1.mga6
firefox-nn_NO-52.6.0-1.mga6
firefox-or-52.6.0-1.mga6
firefox-pa_IN-52.6.0-1.mga6
firefox-pl-52.6.0-1.mga6
firefox-pt_BR-52.6.0-1.mga6
firefox-pt_PT-52.6.0-1.mga6
firefox-ro-52.6.0-1.mga6
firefox-ru-52.6.0-1.mga6
firefox-si-52.6.0-1.mga6
firefox-sk-52.6.0-1.mga6
firefox-sl-52.6.0-1.mga6
firefox-sq-52.6.0-1.mga6
firefox-sr-52.6.0-1.mga6
firefox-sv_SE-52.6.0-1.mga6
firefox-ta-52.6.0-1.mga6
firefox-te-52.6.0-1.mga6
firefox-th-52.6.0-1.mga6
firefox-tr-52.6.0-1.mga6
firefox-uk-52.6.0-1.mga6
firefox-uz-52.6.0-1.mga6
firefox-vi-52.6.0-1.mga6
firefox-xh-52.6.0-1.mga6
firefox-zh_CN-52.6.0-1.mga6
firefox-zh_TW-52.6.0-1.mga6

from SRPMS:
nspr-4.18-1.mga6.src.rpm
rootcerts-20180104.00-1.mga6.src.rpm
nss-3.28.6-1.3.mga6.src.rpm
firefox-52.6.0-1.mga6.src.rpm
firefox-l10n-52.6.0-1.mga6.src.rpm
David Walser 2018-01-21 02:01:29 CET

Blocks: (none) => 22434

Comment 2 David Walser 2018-01-21 02:02:26 CET
Mageia 5 moved to Bug 22434.

QA can begin testing the Mageia 6 packages now.  Advisory to come later.

Assignee: sysadmin-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Thomas Backlund 2018-01-22 18:14:19 CET
Seems to work ok here on x86_64

CC: (none) => tmb

Comment 4 Brian Rockwell 2018-01-22 18:39:20 CET
$ uname -a
Linux localhost 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

This is a gnome instance


The following 10 packages are going to be installed:

- firefox-52.6.0-1.mga6.x86_64
- firefox-en_GB-52.6.0-1.mga6.noarch
- firefox-en_US-52.6.0-1.mga6.noarch
- firefox-en_ZA-52.6.0-1.mga6.noarch
- glibc-2.22-27.mga6.x86_64
- glibc-devel-2.22-27.mga6.x86_64
- lib64nspr4-4.18-1.mga6.x86_64
- lib64rpm7-4.13.0.2-3.2.mga6.x86_64
- python3-rpm-4.13.0.2-3.2.mga6.x86_64
- rpm-4.13.0.2-3.2.mga6.x86_64

4.3KB of additional disk space will be used.


Installed and rebooted

Able to get to Email, play youtube, etc.

Working as designed.

CC: (none) => brtians1

Comment 5 Len Lawrence 2018-01-22 20:04:48 CET
This has been running for several days on this 64-bit machine with Mageia 6.

CC: (none) => tarazed25

Comment 6 Thomas Andrews 2018-01-23 04:18:08 CET
Running fine on this 64-bit Intel Core2Duo-based machine.

Using it now to write this comment. Did a fine job on Facebook.

CC: (none) => andrewsfarm

Comment 7 Len Lawrence 2018-01-23 10:39:04 CET
Extra tests on Mageia 6 with local RPMs.

$ rpm -qilp oneplay-dvd-1.1.3-1.x86_64.rpm 
Name        : oneplay-dvd
Version     : 1.1.3
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/Internet
Size        : 26139454
License     : Proprietary
Signature   : (none)
Source RPM  : oneplay-dvd-1.1.3-1.src.rpm
Build Date  : Fri 05 Jun 2015 12:27:51 BST
Build Host  : ubuntu1004-64.vmbuild.lan
Relocations : /opt/oneplay-dvd 
Packager    : Fluendo S.A. <support@fluendo.com>
Vendor      : Fluendo S.A.
URL         : http://www.fluendo.com/
Summary     : ONEPLAY DVD player
Description :
Fluendo DVD Player is a software application specially designed to reproduce DVD on Linux/Unix platforms, which provides end users with high quality standards.
  * Full DVD Playback
  * DVD Menu support
.....................................

$ sudo rpm -i mplayer-skins-1.8-1.nodist.rf.noarch.rpm
seemed to go OK.

mga6 tkimg package already installed so this was expected to fail.
$ rpm -i --test tkimg-1.4-20.fc21.x86_64.rpm
	file /usr/lib64/tcl8.6/Img1.4/libjpegtcl8.2.so from install of tkimg-1.4-20.fc21.x86_64 conflicts with file from package tkimg-1.4-7.mga6.x86_64
	file /usr/lib64/tcl8.6/Img1.4/libpngtcl1.4.3.so from install of tkimg-1.4-20.fc21.x86_64 conflicts with file from package tkimg-1.4-7.mga6.x86_64
.....................................

OK for 64 bits.
Comment 8 Len Lawrence 2018-01-23 13:17:35 CET
What the ...!  Just noticed that this (comment 7) was posted on the wrong bug.
Apologies.
Comment 9 Thomas Andrews 2018-01-23 23:37:19 CET
Installed on real hardware, Athlon X2 7750, 8GB, nvidia340, Atheros wifi, 64-bit Plasma and server kernel.

Looks good here.
Comment 10 Thomas Andrews 2018-01-24 00:36:28 CET
Same hardware as Comment 9, this time a 32-bit Xfce system, server kernel.

Still looks good.
Comment 11 David Walser 2018-01-24 12:15:46 CET
RedHat has issued an advisory for this today (January 24):
https://access.redhat.com/errata/RHSA-2018:0122

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104,
CVE-2018-5117).

To mitigate timing-based side-channel attacks similar to "Spectre" and
"Meltdown", the resolution of performance.now() has been reduced from 5μs to
20μs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0122
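The advisory's last paragraph describes the timer clamping that accompanies this update. The following is an added example, not code from the Mageia bug, from Mozilla or from Firefox itself: it models a performance.now() clock clamped to a fixed resolution and shows which pairs of event durations a single script-visible measurement can still tell apart at 5 μs versus 20 μs. All durations and start phases are constructed values in integer microseconds.

```javascript
// Added example (not from the Mageia bug or from Mozilla's code): models how
// clamping the resolution of performance.now() limits what script-visible
// timing can observe. Times are integer microseconds to avoid floating-point
// noise; all scenario values below are constructed.

// Clamp a microsecond timestamp down to a multiple of `resolutionUs`.
function clampUs(tUs, resolutionUs) {
  return Math.floor(tUs / resolutionUs) * resolutionUs;
}

// Duration a page would measure for an operation of `durationUs` that starts
// at `startUs`, using a timer clamped to `resolutionUs`.
function observedDurationUs(startUs, durationUs, resolutionUs) {
  const t0 = clampUs(startUs, resolutionUs);
  const t1 = clampUs(startUs + durationUs, resolutionUs);
  return t1 - t0;
}

// Fraction of start phases (0 .. resolutionUs-1) in which one measurement
// reports different values for durations `durA` and `durB`.
function distinguishableFraction(durA, durB, resolutionUs) {
  let hits = 0;
  for (let phase = 0; phase < resolutionUs; phase++) {
    if (observedDurationUs(phase, durA, resolutionUs) !==
        observedDurationUs(phase, durB, resolutionUs)) {
      hits++;
    }
  }
  return hits / resolutionUs;
}

// Two durations are reliably separable by a single measurement only when every
// start phase yields different readings, which needs |durA - durB| >= resolution.
function reliablyDistinguishable(durA, durB, resolutionUs) {
  return distinguishableFraction(durA, durB, resolutionUs) === 1;
}

// Constructed scenario: two code paths taking 8 us and 14 us (6 us apart).
const FAST_US = 8;
const SLOW_US = 14;
console.log("5 us timer, reliable:", reliablyDistinguishable(FAST_US, SLOW_US, 5));
console.log("20 us timer, reliable:", reliablyDistinguishable(FAST_US, SLOW_US, 20));
console.log("20 us timer, fraction of phases separable:",
            distinguishableFraction(FAST_US, SLOW_US, 20));
```

The model also shows why the advisory calls this a mitigation: a difference of 6 μs is only hidden in most start phases at 20 μs, not in all of them, so a coarser timer raises the cost of an observation rather than removing the signal.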
Comment 12 PC LX 2018-01-25 12:10:40 CET
Installed and tested without regressions.

Tested multiple websites, including WebGL, flash, video/audio sites.

Installed packages:
- firefox-52.6.0-1.mga6.x86_64
- firefox-pt_PT-52.6.0-1.mga6.noarch
- lib64nspr-devel-4.18-1.mga6.x86_64
- lib64nspr4-4.18-1.mga6.x86_64
- lib64nss-devel-3.28.6-1.3.mga6.x86_64
- lib64nss3-3.28.6-1.3.mga6.x86_64
- nss-3.28.6-1.3.mga6.x86_64
- rootcerts-20180104.00-1.mga6.noarch
- rootcerts-java-20180104.00-1.mga6.noarch

System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia

Comment 13 Lewis Smith 2018-01-25 13:01:42 CET
Testing M6/64
Real hardware with Radeon graphics.

 lib64nspr4-4.18-1.mga6
 rootcerts-20180104.00-1.mga6
 rootcerts-java-20180104.00-1.mga6
 nss-3.28.6-1.3.mga6
 lib64nss3-3.28.6-1.3.mga6
 firefox-52.6.0-1.mga6
 firefox-cy-52.6.0-1.mga6
 firefox-en_GB-52.6.0-1.mga6
Have used this for Bugzilla, BBC site including videos with sound, others not simple. Everything behaved well.
Indeed, I wonder whether the awful hesitations of the previous version have gone; which made it almost unusable. I have AdblockPlus, which may be the problem. No - they are still here, but much less evident.
OK for me.

In the light of all the +ve feedback for both architectures (thanks TJ for the 32-bit), I am OKing them & validating the update.

Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2018-01-25 13:48:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 15 katnatek 2018-01-26 19:51:48 CET
This version still does not put valid information in the lines id= and version= in the file /usr/lib/firefox/distribution/distribution.ini (/usr/lib64/firefox/distribution/distribution.ini for 64-bit systems).

https://bugs.mageia.org/show_bug.cgi?id=20617

CC: (none) => j.alberto.vc
