Bug 23751 - Firefox 60.3
Summary: Firefox 60.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-23 05:12 CEST by David Walser
Modified: 2018-10-27 11:46 CEST

See Also:
Source RPM: rootcerts, nspr, firefox, firefox-l10n
CVE:
Status comment:


Description David Walser 2018-10-23 05:12:50 CEST
Mozilla has released Firefox 60.3 today (October 22):
https://www.mozilla.org/en-US/firefox/60.3.0/releasenotes/

Information for this update isn't available yet.

Updated packages in core/updates_testing:
========================
rootcerts-20181001.00-1.mga6
rootcerts-java-20181001.00-1.mga6
libnspr4-4.20-1.mga6
libnspr-devel-4.20-1.mga6
nss-3.36.5-1.2.mga6
nss-doc-3.36.5-1.2.mga6
libnss3-3.36.5-1.2.mga6
libnss-devel-3.36.5-1.2.mga6
libnss-static-devel-3.36.5-1.2.mga6
firefox-60.3.0-1.mga6
firefox-devel-60.3.0-1.mga6
firefox-af-60.3.0-1.mga6
firefox-an-60.3.0-1.mga6
firefox-ar-60.3.0-1.mga6
firefox-as-60.3.0-1.mga6
firefox-ast-60.3.0-1.mga6
firefox-az-60.3.0-1.mga6
firefox-bg-60.3.0-1.mga6
firefox-bn_IN-60.3.0-1.mga6
firefox-bn_BD-60.3.0-1.mga6
firefox-br-60.3.0-1.mga6
firefox-bs-60.3.0-1.mga6
firefox-ca-60.3.0-1.mga6
firefox-cs-60.3.0-1.mga6
firefox-cy-60.3.0-1.mga6
firefox-da-60.3.0-1.mga6
firefox-de-60.3.0-1.mga6
firefox-el-60.3.0-1.mga6
firefox-en_GB-60.3.0-1.mga6
firefox-en_US-60.3.0-1.mga6
firefox-en_ZA-60.3.0-1.mga6
firefox-eo-60.3.0-1.mga6
firefox-es_AR-60.3.0-1.mga6 
firefox-es_CL-60.3.0-1.mga6 
firefox-es_ES-60.3.0-1.mga6 
firefox-es_MX-60.3.0-1.mga6 
firefox-et-60.3.0-1.mga6 
firefox-eu-60.3.0-1.mga6 
firefox-fa-60.3.0-1.mga6 
firefox-ff-60.3.0-1.mga6 
firefox-fi-60.3.0-1.mga6 
firefox-fr-60.3.0-1.mga6 
firefox-fy_NL-60.3.0-1.mga6 
firefox-ga_IE-60.3.0-1.mga6 
firefox-gd-60.3.0-1.mga6 
firefox-gl-60.3.0-1.mga6 
firefox-gu_IN-60.3.0-1.mga6 
firefox-he-60.3.0-1.mga6 
firefox-hi_IN-60.3.0-1.mga6
firefox-hr-60.3.0-1.mga6 
firefox-hsb-60.3.0-1.mga6 
firefox-hu-60.3.0-1.mga6 
firefox-hy_AM-60.3.0-1.mga6 
firefox-id-60.3.0-1.mga6 
firefox-is-60.3.0-1.mga6 
firefox-it-60.3.0-1.mga6 
firefox-ja-60.3.0-1.mga6 
firefox-kk-60.3.0-1.mga6 
firefox-km-60.3.0-1.mga6 
firefox-kn-60.3.0-1.mga6 
firefox-ko-60.3.0-1.mga6 
firefox-lij-60.3.0-1.mga6 
firefox-lt-60.3.0-1.mga6 
firefox-lv-60.3.0-1.mga6 
firefox-mai-60.3.0-1.mga6 
firefox-mk-60.3.0-1.mga6 
firefox-ml-60.3.0-1.mga6 
firefox-mr-60.3.0-1.mga6 
firefox-ms-60.3.0-1.mga6 
firefox-nb_NO-60.3.0-1.mga6 
firefox-nl-60.3.0-1.mga6 
firefox-nn_NO-60.3.0-1.mga6 
firefox-or-60.3.0-1.mga6 
firefox-pa_IN-60.3.0-1.mga6 
firefox-pl-60.3.0-1.mga6 
firefox-pt_BR-60.3.0-1.mga6 
firefox-pt_PT-60.3.0-1.mga6 
firefox-ro-60.3.0-1.mga6 
firefox-ru-60.3.0-1.mga6 
firefox-si-60.3.0-1.mga6 
firefox-sk-60.3.0-1.mga6 
firefox-sl-60.3.0-1.mga6 
firefox-sq-60.3.0-1.mga6 
firefox-sr-60.3.0-1.mga6 
firefox-sv_SE-60.3.0-1.mga6 
firefox-ta-60.3.0-1.mga6 
firefox-te-60.3.0-1.mga6 
firefox-th-60.3.0-1.mga6 
firefox-tr-60.3.0-1.mga6 
firefox-uk-60.3.0-1.mga6 
firefox-uz-60.3.0-1.mga6 
firefox-vi-60.3.0-1.mga6 
firefox-xh-60.3.0-1.mga6 
firefox-zh_CN-60.3.0-1.mga6 
firefox-zh_TW-60.3.0-1.mga6

from SRPMS:
rootcerts-20181001.00-1.mga6.src.rpm
nspr-4.20-1.mga6.src.rpm
nss-3.36.5-1.2.mga6.src.rpm
firefox-60.3.0-1.mga6.src.rpm
firefox-l10n-60.3.0-1.mga6.src.rpm
Comment 1 Morgan Leijström 2018-10-23 13:51:48 CEST
Working nicely on 64-bit, Swedish: Restoring pages from previous running version, internet banking, video on svt.se, YouTube.

CC: (none) => fri

Comment 2 Ben McMonagle 2018-10-23 20:26:37 CEST
Mga6 on real 32 h/w (lxde/lxqt DE)

$ lscpu
Architecture:          i686
CPU op-mode(s):        32-bit

AMD Athlon(tm) XP 2400+

Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
                       mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 
                       3dnow cpuid 3dnowprefetch vmmcall


firefox-52.2.0-1.mga6.i586 -launches -ok

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  firefox                        60.3.0       1.mga6        i586    
  firefox-en_GB                  60.3.0       1.mga6        noarch  
  libnspr4                       4.20         1.mga6        i586 

34MB of additional disk space will be used.
44MB of packages will be retrieved.
Proceed with the installation of the 3 packages? (Y/n) y

$ firefox
Illegal instruction (core dumped)

# urpme firefox
To satisfy dependencies, the following 2 packages will be removed (156MB):
  firefox-60.3.0-1.mga6.i586
  firefox-en_GB-60.3.0-1.mga6.noarch
   (due to unsatisfied firefox == 0:60.3.0)
Remove 2 packages? (y/N) 

The following 2 packages are going to be installed:

- firefox-52.2.0-1.mga6.i586
- firefox-en_GB-52.2.0-1.mga6.noarch

122MB of additional disk space will be used.
51MB of packages will be retrieved.
Is it ok to continue?y

firefox launches - ok

CC: (none) => westel

Comment 3 Len Lawrence 2018-10-25 09:29:46 CEST
Updated firefox.

Visited http://www.lagom.nl/lcd-test/gamma_calibration.php and ran the Acid tests at https://www.w3.org/Style/CSS/Test/CSS1/current/test5526c.htm,
http://acid2.acidtests.org/#top and http://acid3.acidtests.org/.
The Acid 3 test failed as usual - 97/100 score.
YouTube sci-fi movies play fine.

OK here for 64-bits.

CC: (none) => tarazed25

Comment 4 katnatek 2018-10-25 18:39:57 CEST
(In reply to ben mcmonagle from comment #2)
> Mga6 on real 32 h/w (lxde/lxqt DE)
> 
> $ lscpu
> Architecture:          i686
> CPU op-mode(s):        32-bit
> 
> AMD Athlon(tm) XP 2400+
> 
> Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
>                        mca cmov pat pse36 mmx fxsr sse syscall mmxext
> 3dnowext 
>                        3dnow cpuid 3dnowprefetch vmmcall
> 
> 
> firefox-52.2.0-1.mga6.i586 -launches -ok
> 
> To satisfy dependencies, the following packages are going to be installed:
>   Package                        Version      Release       Arch    
> (medium "Core Updates Testing (distrib5)")
>   firefox                        60.3.0       1.mga6        i586    
>   firefox-en_GB                  60.3.0       1.mga6        noarch  
>   libnspr4                       4.20         1.mga6        i586 
> 
> 34MB of additional disk space will be used.
> 44MB of packages will be retrieved.
> Proceed with the installation of the 3 packages? (Y/n) y
> 
> $ firefox
> Illegal instruction (core dumped)
> 

I think it is an issue of lack of support for your processor

In https://www.mozilla.org/en-US/firefox/60.3.0/system-requirements/

"Recommended Hardware

    Pentium 4 or newer processor that supports SSE2"

Your processor doesn't support SSE2
Comment 5 Ben McMonagle 2018-10-25 21:00:07 CEST
(In reply to katnatek from comment #4)

> 
> I think it is an issue of lack of support for your processor
> 
> In https://www.mozilla.org/en-US/firefox/60.3.0/system-requirements/
> 
> "Recommended Hardware
> 
>     Pentium 4 or newer processor that supports SSE2"
> 
> Your processor doesn't support SSE2

My thoughts too, which is why I included CPU flags :)
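
Added example, not part of the bug thread or any commenter's text: a pre-install check for the SSE2 requirement discussed in comments 4 and 5, run against the flags posted in comment 2. The function names and the second sample are constructed for illustration; matching is on whole words because the Athlon XP lists `sse` but not `sse2`.

```shell
#!/bin/sh
# has_cpu_flag FLAG: read lscpu or /proc/cpuinfo style text on stdin and
# return 0 only if FLAG appears as a whole word in the CPU flags field.
has_cpu_flag() {
    awk -v want="$1" '
        function scan(   i) { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        # "Flags:" (lscpu) or "flags<TAB>:" (/proc/cpuinfo) starts the field
        /^[Ff]lags[^:]*:/ { in_flags = 1; sub(/^[^:]*:/, ""); scan(); next }
        { c = substr($0, 1, 1) }
        # lscpu wraps long flag lists onto indented continuation lines
        in_flags && (c == " " || c == "\t") { scan(); next }
        # any other line (a new "Key: value" or a blank) ends the field
        { in_flags = 0 }
        END { exit !found }
    '
}

# Flags as posted in comment 2 (AMD Athlon XP 2400+).
athlon_xp_lscpu() {
    cat <<'EOF'
Architecture:          i686
CPU op-mode(s):        32-bit
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
                       mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext
                       3dnow cpuid 3dnowprefetch vmmcall
EOF
}

# Constructed sample in /proc/cpuinfo layout for a CPU that has SSE2.
sse2_cpuinfo() {
    printf 'model name\t: constructed sample CPU\n'
    printf 'flags\t\t: fpu vme de pse tsc sse sse2 ssse3\n'
    printf 'bogomips\t: 1.00\n'
}

if athlon_xp_lscpu | has_cpu_flag sse2; then
    echo "comment 2 CPU: SSE2 present"
else
    echo "comment 2 CPU: SSE2 missing, fails the requirement quoted in comment 4"
fi
```

On a live system the same function can be fed `lscpu` output or `/proc/cpuinfo` directly.
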
Comment 6 David Walser 2018-10-26 05:23:28 CEST
Red Hat has issued an advisory for this on October 24:
https://access.redhat.com/errata/RHSA-2018:3005

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Mozilla: Memory safety bugs fixed in Firefox ESR 60.3 (CVE-2018-12389).

Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
(CVE-2018-12390).

Mozilla: Crash with nested event loops (CVE-2018-12392).

Mozilla: Integer overflow during Unicode conversion while loading JavaScript
(CVE-2018-12393).

Mozilla: WebExtension bypass of domain restrictions through header rewriting
(CVE-2018-12395).

Mozilla: WebExtension content scripts can execute in disallowed contexts
(CVE-2018-12396).

Mozilla: WebExtension local file permission check bypass (CVE-2018-12397).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12397
https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:3005
Comment 7 James Kerr 2018-10-26 18:29:08 CEST
on mga6-32 kernel-server xfce

packages installed cleanly:
- firefox-60.3.0-1.mga6.i586
- firefox-en_GB-60.3.0-1.mga6.noarch
- libnspr4-4.20-1.mga6.i586
- libnss3-3.36.5-1.2.mga6.i586
- nss-3.36.5-1.2.mga6.i586
- rootcerts-20181001.00-1.mga6.noarch

looks OK on this system:

Machine:   Device: desktop Mobo: ECS model: GeForce7050M-M v: 1.0
CPU:       Quad core AMD Phenom 9500 (-MCP-) cache: 2048 KB 
Graphics:  Card: NVIDIA GK208B [GeForce GT 710]

CC: (none) => jim

Comment 8 Thomas Andrews 2018-10-26 19:04:32 CEST
Dell Inspiron 5100, 32-bit P4, 2GB RAM, Radeon 7500 graphics, old Atheros wifi. 32-bit Plasma system, using the VESA video driver as Plasma will not work on this hardware with the radeon driver. Using the US English pack only.

Everything installed correctly, and afterward Firefox ran perfectly, though perhaps slowly, on several websites. In my opinion, the observed sluggishness is due to the limitations of the hardware.

Updated to the 4.14.78 desktop kernel currently in testing, rebooted, and tried Firefox again, with the same results. Using it now to make this report.

Looks OK for 32-bit, as long as adequate hardware is being used.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2018-10-26 20:42:34 CEST
Updated my Probook 6550b 64-bit Plasma system. Packages all installed cleanly. Current extensions and plugins seem to work, including Flash.

Looks OK on this hardware, and looks good to go in general to me. OKing for 64-bit, and validating. Advisory in Comment 6.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-10-26 21:50:12 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 10 Mageia Robot 2018-10-27 11:46:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0420.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

