RedHat has issued an advisory today (March 15):
https://access.redhat.com/errata/RHSA-2018:0527

nspr also needs to be updated to 4.19.

nss (in Cauldron *only*) also needs to be updated to 3.36:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36_release_notes

No rootcerts update is needed for this update.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for firefox nor for nspr (nor for nss)

(In reply to David Walser from comment #0)
> RedHat has issued an advisory today (March 15):
> https://access.redhat.com/errata/RHSA-2018:0527
>
> nspr also needs to be updated to 4.19.
>
> nss (in Cauldron *only*) also needs to be updated to 3.36:
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36_release_notes
>
> No rootcerts update is needed for this update.

I don't see nss or nspr were updated in Cauldron, changing version for this report, even if FF is already on version 59.0 there.
Version: 6 => Cauldron
Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO
CC: (none) => marja11
Source RPM: nspr, firefox => nspr, firefox, nss
Summary: Firefox 52.7 => Firefox 52.7, nspr and (only for cauldron) nss
The main crux of the bug is for Firefox, which isn't on the 52.x branch in Cauldron. We'll deal with it all together though. I'd have started on it already if I had access to SVN.
Summary: Firefox 52.7, nspr and (only for cauldron) nss => Firefox 52.7
Version: Cauldron => 6
Whiteboard: MGA5TOO, MGA6TOO => MGA5TOO
(In reply to David Walser from comment #2)
> The main crux of the bug is for Firefox, which isn't on the 52.x branch in
> Cauldron. We'll deal with it all together though. I'd have started on it
> already if I had access to SVN.

Do you still not have access? :-( :-( :-(

Please send your id_rsa.pub to tmb or attach it to a bug report, that you assign to sysadmin team while CC'ing tmb
CC: (none) => tmb
Thanks. I had e-mailed tmb this morning. He just replied that it has been added and it works now :D
nspr updates built:
libnspr4-4.19-1.mga5
libnspr-devel-4.19-1.mga5
libnspr4-4.19-1.mga6
libnspr-devel-4.19-1.mga6

nss update also built for Cauldron.

Firefox failed to build, and it's not apparent from the build logs why. It could be that the build system blew up:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180315190450.luigiwalser.duvel.12432/log/firefox-52.7.0-1.mga5/build.0.20180315191734.log
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180315190337.luigiwalser.duvel.12264/log/firefox-52.7.0-1.mga6/build.0.20180315190635.log

RedHat didn't have to make any special adjustments to make 52.7.0 build.
Status comment: (none) => Update checked into SVN, Firefox failed to build
The builds seem to be failing with:

virtual memory exhausted: Operation not permitted
/home/iurt/rpmbuild/BUILD/firefox-52.7.0esr/config/rules.mk:951: recipe for target 'UnifiedBindings21.o' failed

after the last g++ command which is trying to build firefox-52.7.0esr/objdir/media/webrtc/trunk/webrtc/modules/modules_neteq/Unified_cpp_webrtc_modules0.cpp
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=20617
(In reply to David Walser from comment #6)
> The builds seem to be failing with:
>

Don't know if it helps, but maybe you can check
https://forums.gentoo.org/viewtopic-p-7907754.html?sid=5de1fdc938300c197bf436f902476dcd#7907754
and
https://www.linuxquestions.org/questions/linux-from-scratch-13/firefox-error-compilling-4175562649/
Doesn't look like any of that is directly relevant, but it does sound like the build system may be running out of memory, as was the case in that last link.
See Also: https://bugs.mageia.org/show_bug.cgi?id=20617 => (none)
Same error while trying to build 52.7.1, which apparently only fixes an issue with firefox-it: https://www.mozilla.org/en-US/firefox/52.7.1/releasenotes/
Firefox 52.7.2 has been released today (March 16):
https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/

It includes additional fixes for libvorbis (and libtremor on ARM):
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

The libtremor fix required adding an additional patch (Mageia 6 only):
http://openwall.com/lists/oss-security/2018/03/16/3

That's all checked into SVN.

We'll need to update the system libvorbis as well, which I've built:
libvorbis0-1.3.5-1.3.mga5
libvorbis-devel-1.3.5-1.3.mga5
libvorbisenc2-1.3.5-1.3.mga5
libvorbisfile3-1.3.5-1.3.mga5
libvorbis0-1.3.5-2.3.mga6
libvorbis-devel-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6

from SRPMS:
libvorbis-1.3.5-1.3.mga5.src.rpm
libvorbis-1.3.5-2.3.mga6.src.rpm
Summary: Firefox 52.7 => Firefox 52.7.2 (and libvorbis new security issue CVE-2018-5146)
Source RPM: nspr, firefox, nss => nspr, firefox, libvorbis-1.3.5-3.mga7.src.rpm
Moving libvorbis to Bug 22788.
Source RPM: nspr, firefox, libvorbis-1.3.5-3.mga7.src.rpm => nspr, firefox
Summary: Firefox 52.7.2 (and libvorbis new security issue CVE-2018-5146) => Firefox 52.7.2
Depends on: (none) => 22788
(In reply to David Walser from comment #10)
> Firefox 52.7.2 has been released today (March 16):
> https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/
>
> It includes additional fixes for libvorbis (and libtremor on ARM):
> https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
>
> The libtremor fix required adding an additional patch (Mageia 6 only):
> http://openwall.com/lists/oss-security/2018/03/16/3
>
> That's all checked into SVN.
>

Now really assigning to all packagers collectively.

Atm, firefox-52.7.1-1.mga6 is still in the "builds in progress:" list for arm.
Assignee: bugsquad => pkg-bugs
Status comment: Update checked into SVN, Firefox failed to build => Update checked into SVN, Firefox-52.7.1 and 52.7.0 failed to build
I've also checked a rediffed patch for sqlite3's CVE-2018-8740 (Bug 22792) in to Mageia 5 SVN for the firefox package, as it builds with the bundled sqlite3 (Mageia 6 uses the system sqlite3).
Status comment: Update checked into SVN, Firefox-52.7.1 and 52.7.0 failed to build => Update checked into SVN, Firefox failed to build
Assignee: pkg-bugs => sysadmin-bugs
RedHat has issued an advisory for Firefox 52.7.2 today (March 19): https://access.redhat.com/errata/RHSA-2018:0549
Firefox 52.7.3 has been released today (March 26):
https://www.mozilla.org/en-US/firefox/52.7.3/releasenotes/

It fixes one additional issue:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/

It has been checked into SVN.
Summary: Firefox 52.7.2 => Firefox 52.7.3
firefox-52.7.3-2.mga6 is now built on i586, x86_64 build is still in progress...

The needed fixes from Cauldron firefox were:

--- firefox.spec 2018-04-13 11:24:02.702645518 +0300 +++ firefox.spec.new 2018-04-13 10:59:26.432716546 +0300 @@ -293,6 +302,14 @@ # See also https://fedoraproject.org/wiki/Changes/Harden_All_Packages MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -Wformat-security -Wformat -Werror=format-security" MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now" +%ifnarch x86_64 +MOZ_OPT_FLAGS=$(echo "$MOZ_OPT_FLAGS" | %{__sed} -e 's/-g/-g1/') +# If MOZ_DEBUG_FLAGS is empty, firefox's build will default it to "-g" which +# overrides the -g1 from line above and breaks building on s390 +# (OOM when linking, rhbz#1238225) +export MOZ_DEBUG_FLAGS=" " +%endif + %ifarch %{arm} MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads" %endif @@ -310,7 +327,9 @@ %ifarch %{ix86} x86_64 ppc ppc64 ppc64le aarch64 [ -z "$RPM_BUILD_NCPUS" ] && \ RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`" -MOZ_SMP_FLAGS=-j$RPM_BUILD_NCPUS +[ "$RPM_BUILD_NCPUS" -ge 2 ] && MOZ_SMP_FLAGS=-j2 +[ "$RPM_BUILD_NCPUS" -ge 4 ] && MOZ_SMP_FLAGS=-j4 +[ "$RPM_BUILD_NCPUS" -ge 8 ] && MOZ_SMP_FLAGS=-j8 %endif make -f client.mk build STRIP="/bin/true" MOZ_MAKE_FLAGS="$MOZ_SMP_FLAGS" MOZ_SERVICES_SYNC="1"
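Review bot: In the first hunk (@@ -293,6 +302,14 @@), the `%{__sed} -e 's/-g/-g1/'` substitution inside `%ifnarch x86_64` is unanchored and has no `g` flag, so it rewrites only the first `-g` substring found anywhere in `$MOZ_OPT_FLAGS`; if an option that merely begins with `-g` comes before the standalone `-g`, that option is altered and the real `-g` is left untouched. Matching the flag as a whole word (a space or line boundary on both sides) and applying it to every occurrence would make the reduction to `-g1` reliable. The added comment also explains the change in terms of s390 and rhbz#1238225 while the guard applies to every architecture other than x86_64; a sentence saying why it is needed for the architectures built here would help the next person reading the spec.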
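Review bot: In the second hunk (@@ -310,7 +327,9 @@), the three `-ge` tests that replace `MOZ_SMP_FLAGS=-j$RPM_BUILD_NCPUS` no longer assign `MOZ_SMP_FLAGS` at all when `RPM_BUILD_NCPUS` is 1, so the value passed to `MOZ_MAKE_FLAGS` then depends on a default set outside the visible lines. Assigning `MOZ_SMP_FLAGS=-j1` immediately before the ladder (or confirming that such a default exists earlier in the spec) would make the single-CPU case explicit. A short comment stating why the job count is capped at 8 rather than following the CPU count would also document the intent, since the reason is not recorded in the spec itself.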
Maybe you got lucky, because even with those changes it failed to build with the same error in Mageia 5: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180413142204.luigiwalser.duvel.25073/log/firefox-52.7.3-2.mga5/build.0.20180413142311.log
Yeah well, I tried limiting it more, but it fails in other places...

And it's not memory problems as such on the build nodes as ecosse has 32GB and rabbit 48GB of ram ...

It just is something in the build process triggering g++ to try and allocate more than 2GB process, and it fails...

Maybe it exposes a bug in gcc, maybe not...

But I don't see any point in wasting time on debugging it on mga5 anymore, so let's clone the bug then for mga5 if someone cares, and get the mga6 update out...
Blocks: (none) => 22904
SRPMS:
nspr-4.19-1.mga6.src.rpm
firefox-52.7.3-2.mga6.src.rpm
firefox-l10n-52.7.3-1.mga6.src.rpm

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5125).

Buffer overflow manipulating SVG animatedPathSegList (CVE-2018-5127).

Out-of-bounds write with malformed IPC messages (CVE-2018-5129).

Mismatched RTP payload type can trigger memory corruption (CVE-2018-5130).

Fetch API improperly returns cached copies of no-store/no-cache resources (CVE-2018-5131).

Integer overflow during Unicode conversion (CVE-2018-5144).

Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5145).

A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash (CVE-2018-5148).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5148
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0527
Status comment: Update checked into SVN, Firefox failed to build => (none)
Assignee: sysadmin-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
Tested mga6-64 general browsing, Acid3, jetstream, video play tested, all OK
CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure
Whiteboard: mga4-64-ok has_procedure => mga6-64-ok has_procedure
Keywords: (none) => has_procedure
Whiteboard: mga6-64-ok has_procedure => MGA6-64-OK
Mageia 6, x86_64

Working fine here.
General browsing, examination of local directories and viewing PDF.
Checking localhost informed me that hiawatha might be running. It was; stopped hiawatha, started apache and re-launched firefox.
Watched a Youtube NASA video in theatre mode.
$ sudo localhost:631
launched the CUPS management interface in a separate window.
$ php -S localhost:8000 -t /home/lcl/dev/php
Addressing localhost:8000/sample.php displayed the string encoded in sample.php.
CC: (none) => tarazed25
mageia 6, 32-bit

$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux

The following 5 packages are going to be installed:

- firefox-52.7.3-2.mga6.i586
- firefox-en_GB-52.7.3-1.mga6.noarch
- firefox-en_US-52.7.3-1.mga6.noarch
- firefox-en_ZA-52.7.3-1.mga6.noarch
- libnspr4-4.19-1.mga6.i586

121KB of additional disk space will be used.

52MB of packages will be retrieved.

Is it ok to continue?

---

started firefox
checked version 52.7.3 (32-bit)
-Bookmarks are intact
-Able to connect to my preferred sites and pull up pdf and ppt documents without any issues

working as designed.
Whiteboard: MGA6-64-OK => MGA6-64-OK mga6-32-ok
CC: (none) => brtians1
Looking good here on both arches, 64-bit Plasma 5.12.2, and 32-bit Xfce. Using it to make this comment.
CC: (none) => andrewsfarm
Testing ok here, including with the latest flash update. Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0202.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED