+++ This bug was initially created as a clone of Bug #22432 +++

Mozilla has released Firefox 52.6 on January 19:
https://www.mozilla.org/en-US/firefox/52.6.0/releasenotes/

As of this posting, those release notes haven't been posted yet and neither have the security issues fixed:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

We also have an update to nspr 4.18, rootcerts 20180104, and nss rebuilds for the rootcerts update (Cauldron-only update to 3.35).

I need sysadmins to submit packages for Mageia 5. They should be submitted in stages, waiting for each stage to finish before pushing the next:
- nspr, rootcerts
- nss
- firefox
- firefox-l10n
Builds in progress for Mageia 5.

Updated packages in core/updates_testing:
========================
libnspr4-4.18-1.mga5
libnspr-devel-4.18-1.mga5
rootcerts-20180104.00-1.mga5
rootcerts-java-20180104.00-1.mga5
nss-3.28.6-1.3.mga5
nss-doc-3.28.6-1.3.mga5
libnss3-3.28.6-1.3.mga5
libnss-devel-3.28.6-1.3.mga5
libnss-static-devel-3.28.6-1.3.mga5
firefox-52.6.0-1.mga5
firefox-devel-52.6.0-1.mga5
firefox-af-52.6.0-1.mga5
firefox-an-52.6.0-1.mga5
firefox-ar-52.6.0-1.mga5
firefox-as-52.6.0-1.mga5
firefox-ast-52.6.0-1.mga5
firefox-az-52.6.0-1.mga5
firefox-bg-52.6.0-1.mga5
firefox-bn_IN-52.6.0-1.mga5
firefox-bn_BD-52.6.0-1.mga5
firefox-br-52.6.0-1.mga5
firefox-bs-52.6.0-1.mga5
firefox-ca-52.6.0-1.mga5
firefox-cs-52.6.0-1.mga5
firefox-cy-52.6.0-1.mga5
firefox-da-52.6.0-1.mga5
firefox-de-52.6.0-1.mga5
firefox-el-52.6.0-1.mga5
firefox-en_GB-52.6.0-1.mga5
firefox-en_US-52.6.0-1.mga5
firefox-en_ZA-52.6.0-1.mga5
firefox-eo-52.6.0-1.mga5
firefox-es_AR-52.6.0-1.mga5
firefox-es_CL-52.6.0-1.mga5
firefox-es_ES-52.6.0-1.mga5
firefox-es_MX-52.6.0-1.mga5
firefox-et-52.6.0-1.mga5
firefox-eu-52.6.0-1.mga5
firefox-fa-52.6.0-1.mga5
firefox-ff-52.6.0-1.mga5
firefox-fi-52.6.0-1.mga5
firefox-fr-52.6.0-1.mga5
firefox-fy_NL-52.6.0-1.mga5
firefox-ga_IE-52.6.0-1.mga5
firefox-gd-52.6.0-1.mga5
firefox-gl-52.6.0-1.mga5
firefox-gu_IN-52.6.0-1.mga5
firefox-he-52.6.0-1.mga5
firefox-hi_IN-52.6.0-1.mga5
firefox-hr-52.6.0-1.mga5
firefox-hsb-52.6.0-1.mga5
firefox-hu-52.6.0-1.mga5
firefox-hy_AM-52.6.0-1.mga5
firefox-id-52.6.0-1.mga5
firefox-is-52.6.0-1.mga5
firefox-it-52.6.0-1.mga5
firefox-ja-52.6.0-1.mga5
firefox-kk-52.6.0-1.mga5
firefox-km-52.6.0-1.mga5
firefox-kn-52.6.0-1.mga5
firefox-ko-52.6.0-1.mga5
firefox-lij-52.6.0-1.mga5
firefox-lt-52.6.0-1.mga5
firefox-lv-52.6.0-1.mga5
firefox-mai-52.6.0-1.mga5
firefox-mk-52.6.0-1.mga5
firefox-ml-52.6.0-1.mga5
firefox-mr-52.6.0-1.mga5
firefox-ms-52.6.0-1.mga5
firefox-nb_NO-52.6.0-1.mga5
firefox-nl-52.6.0-1.mga5
firefox-nn_NO-52.6.0-1.mga5
firefox-or-52.6.0-1.mga5
firefox-pa_IN-52.6.0-1.mga5
firefox-pl-52.6.0-1.mga5
firefox-pt_BR-52.6.0-1.mga5
firefox-pt_PT-52.6.0-1.mga5
firefox-ro-52.6.0-1.mga5
firefox-ru-52.6.0-1.mga5
firefox-si-52.6.0-1.mga5
firefox-sk-52.6.0-1.mga5
firefox-sl-52.6.0-1.mga5
firefox-sq-52.6.0-1.mga5
firefox-sr-52.6.0-1.mga5
firefox-sv_SE-52.6.0-1.mga5
firefox-ta-52.6.0-1.mga5
firefox-te-52.6.0-1.mga5
firefox-th-52.6.0-1.mga5
firefox-tr-52.6.0-1.mga5
firefox-uk-52.6.0-1.mga5
firefox-uz-52.6.0-1.mga5
firefox-vi-52.6.0-1.mga5
firefox-xh-52.6.0-1.mga5
firefox-zh_CN-52.6.0-1.mga5
firefox-zh_TW-52.6.0-1.mga5

from SRPMS:
nspr-4.18-1.mga5.src.rpm
rootcerts-20180104.00-1.mga5.src.rpm
nss-3.28.6-1.3.mga5.src.rpm
firefox-52.6.0-1.mga5.src.rpm
firefox-l10n-52.6.0-1.mga5.src.rpm
Assignee: sysadmin-bugs => qa-bugs
Works fine on Mageia 5 x86_64. Advisory might not be available until Tuesday.
Whiteboard: (none) => MGA5-64-OK
Thanks for your rapid Mageia 5 tests, David. I keep M5 also, so do not feel compelled to do these. Validating to get it off the main list, will do the advisory when that arrives.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
RedHat has issued an advisory for this today (January 24):
https://access.redhat.com/errata/RHSA-2018:0122

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117).

To mitigate timing-based side-channel attacks similar to "Spectre" and "Meltdown", the resolution of performance.now() has been reduced from 5μs to 20μs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0122
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0099.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED