Bug 23653 - firefox esr update 60.2.2
Summary: firefox esr update 60.2.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-08 16:31 CEST by José Jorge
Modified: 2018-10-14 02:59 CEST

See Also:
Source RPM: firefox
CVE:
Status comment:


Description José Jorge 2018-10-08 16:31:16 CEST
This new version brings security fixes, so it should be provided to users quickly.

I have submitted it to updates testing.
Comment 1 José Jorge 2018-10-08 17:10:56 CEST
RPMS:
firefox-60.2.2-1.mga6.{i586|x86_64}.rpm
firefox-*-60.2.2-1.mga6.noarch.rpm

firefox-60.2.2-1.mga6.srpm
firefox-l10n-60.2.2-1.mga6.srpm
Comment 2 José Jorge 2018-10-08 17:12:44 CEST
Suggested advisory :

Firefox ESR 60.2.2 addresses two security fixes: CVE-2018-12386 and CVE-2018-12387.

Status: NEW => ASSIGNED

Comment 3 Thomas Backlund 2018-10-08 17:37:56 CEST
_way_ too little info in the advisory...

A better one would be something like:

Updated firefox packages fix security vulnerabilities:

A vulnerability in register allocation in JavaScript can lead to type
confusion, allowing for an arbitrary read and write. This leads to remote
code execution inside the sandboxed content process when triggered
(CVE-2018-12386).


A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push
with multiple arguments that results in the stack pointer being off by 8 bytes
after a bailout. This leaks a memory address to the calling function which can
be used as part of an exploit inside the sandboxed content process
(CVE-2018-12386).

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/

CC: (none) => tmb

Comment 4 José Jorge 2018-10-08 18:32:14 CEST
Build succeeded, so it is ready to test.

Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge

Comment 5 David Walser 2018-10-10 00:51:54 CEST
Red Hat has issued an advisory for this on October 8:
https://access.redhat.com/errata/RHSA-2018:2884

Watch for the typo in tmb's advisory, one of the CVEs ends in a 7.

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 6 José Jorge 2018-10-10 09:54:26 CEST
Tested in x86_64, no regressions found.

Whiteboard: (none) => MGA6-64-OK

Comment 7 Len Lawrence 2018-10-10 11:53:40 CEST
Mageia 6, x86_64

Running fine here.  Open tabs recovered.  Ran Adobe flash video from APOD a few days back.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2018-10-10 11:58:43 CEST
Re comment #7

Having said that, the Acid tests did not do so well; 2 was almost correct but 3 showed two grey rectangles.

http://acid3.acidtests.org/
Comment 9 James Kerr 2018-10-10 19:34:47 CEST
On mga6-64

packages installed cleanly:
- firefox-60.2.2-1.mga6.x86_64
- firefox-en_GB-60.2.2-1.mga6.noarch

no regressions noted.

Looks OK for mga6-64

CC: (none) => jim

Comment 10 James Kerr 2018-10-10 19:52:26 CEST
on mga6-32  in a vbox VM

packages installed cleanly
- firefox-60.2.2-1.mga6.i586
- firefox-en_GB-60.2.2-1.mga6.noarch

no regressions noted

looks OK for mga6-32
Comment 11 William Kenney 2018-10-11 20:22:53 CEST
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-60.2.1-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-60.2.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-60.2.1-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-60.2.2-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-60.2.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-60.2.2-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play,
common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top  test ok
http://acid3.acidtests.org/   test ok

CC: (none) => wilcal.int

William Kenney 2018-10-11 20:23:30 CEST

Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-10-14 01:53:23 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2018-10-14 02:59:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0396.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

