Bug 22434 - Firefox 52.6
Summary: Firefox 52.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on: 22432
Blocks:
Reported: 2018-01-21 02:01 CET by David Walser
Modified: 2018-01-25 14:37 CET

See Also:
Source RPM: rootcerts, nspr, firefox, firefox-l10n
CVE:
Status comment:



Description David Walser 2018-01-21 02:01:29 CET
+++ This bug was initially created as a clone of Bug #22432 +++

Mozilla has released Firefox 52.6 on January 19:
https://www.mozilla.org/en-US/firefox/52.6.0/releasenotes/

As of this posting, those release notes haven't been posted yet and neither have the security issues fixed:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

We also have an update to nspr 4.18, rootcerts 20180104, and nss rebuilds for the rootcerts update (Cauldron-only update to 3.35).

I need sysadmins to submit packages for Mageia 5.  They should be submitted in stages, waiting for each stage to finish before pushing the next:
- nspr, rootcerts
- nss
- firefox
- firefox-l10n

Comment 1 David Walser 2018-01-21 15:07:32 CET
Builds in progress for Mageia 5.

Updated packages in core/updates_testing:
========================
libnspr4-4.18-1.mga5
libnspr-devel-4.18-1.mga5
rootcerts-20180104.00-1.mga5
rootcerts-java-20180104.00-1.mga5
nss-3.28.6-1.3.mga5
nss-doc-3.28.6-1.3.mga5
libnss3-3.28.6-1.3.mga5
libnss-devel-3.28.6-1.3.mga5
libnss-static-devel-3.28.6-1.3.mga5
firefox-52.6.0-1.mga5
firefox-devel-52.6.0-1.mga5
firefox-af-52.6.0-1.mga5
firefox-an-52.6.0-1.mga5
firefox-ar-52.6.0-1.mga5
firefox-as-52.6.0-1.mga5
firefox-ast-52.6.0-1.mga5
firefox-az-52.6.0-1.mga5
firefox-bg-52.6.0-1.mga5
firefox-bn_IN-52.6.0-1.mga5
firefox-bn_BD-52.6.0-1.mga5
firefox-br-52.6.0-1.mga5
firefox-bs-52.6.0-1.mga5
firefox-ca-52.6.0-1.mga5
firefox-cs-52.6.0-1.mga5
firefox-cy-52.6.0-1.mga5
firefox-da-52.6.0-1.mga5
firefox-de-52.6.0-1.mga5
firefox-el-52.6.0-1.mga5
firefox-en_GB-52.6.0-1.mga5
firefox-en_US-52.6.0-1.mga5
firefox-en_ZA-52.6.0-1.mga5
firefox-eo-52.6.0-1.mga5
firefox-es_AR-52.6.0-1.mga5
firefox-es_CL-52.6.0-1.mga5
firefox-es_ES-52.6.0-1.mga5
firefox-es_MX-52.6.0-1.mga5
firefox-et-52.6.0-1.mga5
firefox-eu-52.6.0-1.mga5
firefox-fa-52.6.0-1.mga5
firefox-ff-52.6.0-1.mga5
firefox-fi-52.6.0-1.mga5
firefox-fr-52.6.0-1.mga5
firefox-fy_NL-52.6.0-1.mga5
firefox-ga_IE-52.6.0-1.mga5
firefox-gd-52.6.0-1.mga5
firefox-gl-52.6.0-1.mga5
firefox-gu_IN-52.6.0-1.mga5
firefox-he-52.6.0-1.mga5
firefox-hi_IN-52.6.0-1.mga5
firefox-hr-52.6.0-1.mga5
firefox-hsb-52.6.0-1.mga5
firefox-hu-52.6.0-1.mga5
firefox-hy_AM-52.6.0-1.mga5
firefox-id-52.6.0-1.mga5
firefox-is-52.6.0-1.mga5
firefox-it-52.6.0-1.mga5
firefox-ja-52.6.0-1.mga5
firefox-kk-52.6.0-1.mga5
firefox-km-52.6.0-1.mga5
firefox-kn-52.6.0-1.mga5
firefox-ko-52.6.0-1.mga5
firefox-lij-52.6.0-1.mga5
firefox-lt-52.6.0-1.mga5
firefox-lv-52.6.0-1.mga5
firefox-mai-52.6.0-1.mga5
firefox-mk-52.6.0-1.mga5
firefox-ml-52.6.0-1.mga5
firefox-mr-52.6.0-1.mga5
firefox-ms-52.6.0-1.mga5
firefox-nb_NO-52.6.0-1.mga5
firefox-nl-52.6.0-1.mga5
firefox-nn_NO-52.6.0-1.mga5
firefox-or-52.6.0-1.mga5
firefox-pa_IN-52.6.0-1.mga5
firefox-pl-52.6.0-1.mga5
firefox-pt_BR-52.6.0-1.mga5
firefox-pt_PT-52.6.0-1.mga5
firefox-ro-52.6.0-1.mga5
firefox-ru-52.6.0-1.mga5
firefox-si-52.6.0-1.mga5
firefox-sk-52.6.0-1.mga5
firefox-sl-52.6.0-1.mga5
firefox-sq-52.6.0-1.mga5
firefox-sr-52.6.0-1.mga5
firefox-sv_SE-52.6.0-1.mga5
firefox-ta-52.6.0-1.mga5
firefox-te-52.6.0-1.mga5
firefox-th-52.6.0-1.mga5
firefox-tr-52.6.0-1.mga5
firefox-uk-52.6.0-1.mga5
firefox-uz-52.6.0-1.mga5
firefox-vi-52.6.0-1.mga5
firefox-xh-52.6.0-1.mga5
firefox-zh_CN-52.6.0-1.mga5
firefox-zh_TW-52.6.0-1.mga5

from SRPMS:
nspr-4.18-1.mga5.src.rpm
rootcerts-20180104.00-1.mga5.src.rpm
nss-3.28.6-1.3.mga5.src.rpm
firefox-52.6.0-1.mga5.src.rpm
firefox-l10n-52.6.0-1.mga5.src.rpm

Assignee: sysadmin-bugs => qa-bugs

Comment 2 David Walser 2018-01-21 16:42:43 CET
Works fine on Mageia 5 x86_64.  Advisory might not be available until Tuesday.

Whiteboard: (none) => MGA5-64-OK

Comment 3 Lewis Smith 2018-01-21 20:36:33 CET
Thanks for your rapid Mageia 5 tests, David. I keep M5 also, so do not feel compelled to do these.
Validating to get it off the main list, will do the advisory when that arrives.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 David Walser 2018-01-24 12:15:52 CET
RedHat has issued an advisory for this today (January 24):
https://access.redhat.com/errata/RHSA-2018:0122

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Multiple flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox
(CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097,
CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104,
CVE-2018-5117).

To mitigate timing-based side-channel attacks similar to "Spectre" and
"Meltdown", the resolution of performance.now() has been reduced from 5μs to
20μs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0122

Lewis Smith 2018-01-25 12:25:20 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-01-25 14:37:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0099.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
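
A host-side check for the fixed builds listed in this bug, as an added example that is not part of the bug report or of Mageia's tooling. It assumes inventory lines produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; the sample inventory is constructed, and `vercmp` is a simplified reimplementation of rpm's segment-wise version comparison (no epoch, `~` or `^` handling).

```python
import re

# Fixed Mageia 5 builds taken from Comment 1 (name -> version-release).
FIXED = {
    "libnspr4": "4.18-1.mga5",
    "rootcerts": "20180104.00-1.mga5",
    "libnss3": "3.28.6-1.3.mga5",
    "firefox": "52.6.0-1.mga5",
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 (assumption: no epoch, '~' or '^')."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric, so 10 > 6
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    # Compare the version first, then the release after the last '-'.
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_lines):
    """Return {name: installed build} for packages older than the fixed build."""
    stale = {}
    for line in rpm_lines.splitlines():
        name, _, evr = line.strip().partition(" ")
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            stale[name] = evr
    return stale

# Constructed inventory: the "installed" builds below are made up for the demo.
SAMPLE = """firefox 52.5.3-1.mga5
libnss3 3.28.6-1.3.mga5
libnspr4 4.17-1.mga5
glibc 2.20-26.mga5"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A plain string comparison would rank `52.10.0` below `52.6.0`, which is why the segments are compared numerically.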

