Bug 24361 - Firefox 60.5.1
Summary: Firefox 60.5.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK, mga6-64-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-15 00:09 CET by David Walser
Modified: 2019-02-19 18:32 CET

See Also:
Source RPM: firefox
CVE:
Status comment:


Description David Walser 2019-02-15 00:09:29 CET
Mozilla has released Firefox 60.5.1 today (February 14):
https://www.mozilla.org/en-US/firefox/60.5.1/releasenotes/

The security issues fixed are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/

Package builds are starting.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Updated packages in core/updates_testing:
========================
firefox-60.5.1-1.mga6
firefox-devel-60.5.1-1.mga6
firefox-af-60.5.1-1.mga6
firefox-an-60.5.1-1.mga6
firefox-ar-60.5.1-1.mga6
firefox-as-60.5.1-1.mga6
firefox-ast-60.5.1-1.mga6
firefox-az-60.5.1-1.mga6
firefox-bg-60.5.1-1.mga6
firefox-bn_IN-60.5.1-1.mga6
firefox-bn_BD-60.5.1-1.mga6
firefox-br-60.5.1-1.mga6
firefox-bs-60.5.1-1.mga6
firefox-ca-60.5.1-1.mga6
firefox-cs-60.5.1-1.mga6
firefox-cy-60.5.1-1.mga6
firefox-da-60.5.1-1.mga6
firefox-de-60.5.1-1.mga6
firefox-el-60.5.1-1.mga6
firefox-en_GB-60.5.1-1.mga6
firefox-en_US-60.5.1-1.mga6
firefox-en_ZA-60.5.1-1.mga6
firefox-eo-60.5.1-1.mga6
firefox-es_AR-60.5.1-1.mga6 
firefox-es_CL-60.5.1-1.mga6 
firefox-es_ES-60.5.1-1.mga6 
firefox-es_MX-60.5.1-1.mga6 
firefox-et-60.5.1-1.mga6 
firefox-eu-60.5.1-1.mga6 
firefox-fa-60.5.1-1.mga6 
firefox-ff-60.5.1-1.mga6 
firefox-fi-60.5.1-1.mga6 
firefox-fr-60.5.1-1.mga6 
firefox-fy_NL-60.5.1-1.mga6 
firefox-ga_IE-60.5.1-1.mga6 
firefox-gd-60.5.1-1.mga6 
firefox-gl-60.5.1-1.mga6 
firefox-gu_IN-60.5.1-1.mga6 
firefox-he-60.5.1-1.mga6 
firefox-hi_IN-60.5.1-1.mga6
firefox-hr-60.5.1-1.mga6 
firefox-hsb-60.5.1-1.mga6 
firefox-hu-60.5.1-1.mga6 
firefox-hy_AM-60.5.1-1.mga6 
firefox-id-60.5.1-1.mga6 
firefox-is-60.5.1-1.mga6 
firefox-it-60.5.1-1.mga6 
firefox-ja-60.5.1-1.mga6 
firefox-kk-60.5.1-1.mga6 
firefox-km-60.5.1-1.mga6 
firefox-kn-60.5.1-1.mga6 
firefox-ko-60.5.1-1.mga6 
firefox-lij-60.5.1-1.mga6 
firefox-lt-60.5.1-1.mga6 
firefox-lv-60.5.1-1.mga6 
firefox-mai-60.5.1-1.mga6 
firefox-mk-60.5.1-1.mga6 
firefox-ml-60.5.1-1.mga6 
firefox-mr-60.5.1-1.mga6 
firefox-ms-60.5.1-1.mga6 
firefox-nb_NO-60.5.1-1.mga6 
firefox-nl-60.5.1-1.mga6 
firefox-nn_NO-60.5.1-1.mga6 
firefox-or-60.5.1-1.mga6 
firefox-pa_IN-60.5.1-1.mga6 
firefox-pl-60.5.1-1.mga6 
firefox-pt_BR-60.5.1-1.mga6 
firefox-pt_PT-60.5.1-1.mga6 
firefox-ro-60.5.1-1.mga6 
firefox-ru-60.5.1-1.mga6 
firefox-si-60.5.1-1.mga6 
firefox-sk-60.5.1-1.mga6 
firefox-sl-60.5.1-1.mga6 
firefox-sq-60.5.1-1.mga6 
firefox-sr-60.5.1-1.mga6 
firefox-sv_SE-60.5.1-1.mga6 
firefox-ta-60.5.1-1.mga6 
firefox-te-60.5.1-1.mga6 
firefox-th-60.5.1-1.mga6 
firefox-tr-60.5.1-1.mga6 
firefox-uk-60.5.1-1.mga6 
firefox-uz-60.5.1-1.mga6 
firefox-vi-60.5.1-1.mga6 
firefox-xh-60.5.1-1.mga6 
firefox-zh_CN-60.5.1-1.mga6 
firefox-zh_TW-60.5.1-1.mga6

from SRPMS:
firefox-60.5.1-1.mga6.src.rpm
firefox-l10n-60.5.1-1.mga6.src.rpm

Comment 1 Herman Viaene 2019-02-15 15:32:37 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (Dutch version)
This website works OK with it, as does my usual newspaper with text, sound, pictures and video.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 2 Bill Wilkinson 2019-02-15 16:24:39 CET
Tested mga6-64.

Acid 3 ok-ish, but no different than usual.
Jetstream ok
General browsing ok
YouTube video ok

Validating, ready for push when advisory uploaded to SVN.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK, mga6-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 3 David Walser 2019-02-15 19:03:22 CET
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A use-after-free vulnerability in the Skia library can occur when creating a
path, leading to a potentially exploitable crash (CVE-2018-18356).

An integer overflow vulnerability in the Skia library can occur after specific
transform operations, leading to a potentially exploitable crash
(CVE-2019-5785).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Dave Hodgins 2019-02-17 17:41:01 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2019-02-17 18:19:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0089.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2019-02-19 18:32:40 CET
RedHat has issued an advisory for this today (February 19):
https://access.redhat.com/errata/RHSA-2019:0374
