Bug 24864 - Firefox 60.7
Summary: Firefox 60.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-24 09:28 CEST by Nicolas Salguero
Modified: 2019-06-10 21:18 CEST

See Also:
Source RPM: firefox
CVE:
Status comment:


Description Nicolas Salguero 2019-05-24 09:28:19 CEST
Hi,

Firefox 60.7 has been released (May 21).

References:
https://www.mozilla.org/en-US/firefox/60.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/

Best regards,

Nico.

Nicolas Salguero 2019-05-24 09:28:47 CEST

Source RPM: (none) => firefox

Comment 1 Nicolas Salguero 2019-05-24 11:25:10 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Type confusion with object groups and UnboxedObjects. (CVE-2019-9816)

Stealing of cross-domain images using canvas. (CVE-2019-9817)

Use-after-free in crash generation server. (CVE-2019-9818)

Compartment mismatch with fetch API. (CVE-2019-9819)

Use-after-free of ChromeEventHandler by DocShell. (CVE-2019-9820)

Use-after-free in XMLHttpRequest. (CVE-2019-11691)

Use-after-free removing listeners in the event listener manager. (CVE-2019-11692)

Buffer overflow in WebGL bufferdata on Linux. (CVE-2019-11693)

Use-after-free in png_image_free of libpng library. (CVE-2019-7317)

Cross-origin theft of images with createImageBitmap. (CVE-2019-9797)

Cross-origin theft of images with ImageBitmapRenderingContext. (CVE-2018-18511)

Theft of user history data through drag and drop of hyperlinks to and from bookmarks. (CVE-2019-11698)

Out-of-bounds read in Skia. (CVE-2019-5798)

Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Firefox 60.7. (CVE-2019-9800)

References:
https://www.mozilla.org/en-US/firefox/60.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9800
========================

Updated packages in core/updates_testing:
========================
firefox-60.7.0-1.mga6
firefox-devel-60.7.0-1.mga6
firefox-af-60.7.0-1.mga6
firefox-an-60.7.0-1.mga6
firefox-ar-60.7.0-1.mga6
firefox-as-60.7.0-1.mga6
firefox-ast-60.7.0-1.mga6
firefox-az-60.7.0-1.mga6
firefox-bg-60.7.0-1.mga6
firefox-bn_IN-60.7.0-1.mga6
firefox-bn_BD-60.7.0-1.mga6
firefox-br-60.7.0-1.mga6
firefox-bs-60.7.0-1.mga6
firefox-ca-60.7.0-1.mga6
firefox-cs-60.7.0-1.mga6
firefox-cy-60.7.0-1.mga6
firefox-da-60.7.0-1.mga6
firefox-de-60.7.0-1.mga6
firefox-el-60.7.0-1.mga6
firefox-en_GB-60.7.0-1.mga6
firefox-en_US-60.7.0-1.mga6
firefox-en_ZA-60.7.0-1.mga6
firefox-eo-60.7.0-1.mga6
firefox-es_AR-60.7.0-1.mga6 
firefox-es_CL-60.7.0-1.mga6 
firefox-es_ES-60.7.0-1.mga6 
firefox-es_MX-60.7.0-1.mga6 
firefox-et-60.7.0-1.mga6 
firefox-eu-60.7.0-1.mga6 
firefox-fa-60.7.0-1.mga6 
firefox-ff-60.7.0-1.mga6 
firefox-fi-60.7.0-1.mga6 
firefox-fr-60.7.0-1.mga6 
firefox-fy_NL-60.7.0-1.mga6 
firefox-ga_IE-60.7.0-1.mga6 
firefox-gd-60.7.0-1.mga6 
firefox-gl-60.7.0-1.mga6 
firefox-gu_IN-60.7.0-1.mga6 
firefox-he-60.7.0-1.mga6 
firefox-hi_IN-60.7.0-1.mga6
firefox-hr-60.7.0-1.mga6 
firefox-hsb-60.7.0-1.mga6 
firefox-hu-60.7.0-1.mga6 
firefox-hy_AM-60.7.0-1.mga6 
firefox-id-60.7.0-1.mga6 
firefox-is-60.7.0-1.mga6 
firefox-it-60.7.0-1.mga6 
firefox-ja-60.7.0-1.mga6 
firefox-kk-60.7.0-1.mga6 
firefox-km-60.7.0-1.mga6 
firefox-kn-60.7.0-1.mga6 
firefox-ko-60.7.0-1.mga6 
firefox-lij-60.7.0-1.mga6 
firefox-lt-60.7.0-1.mga6 
firefox-lv-60.7.0-1.mga6 
firefox-mai-60.7.0-1.mga6 
firefox-mk-60.7.0-1.mga6 
firefox-ml-60.7.0-1.mga6 
firefox-mr-60.7.0-1.mga6 
firefox-ms-60.7.0-1.mga6 
firefox-nb_NO-60.7.0-1.mga6 
firefox-nl-60.7.0-1.mga6 
firefox-nn_NO-60.7.0-1.mga6 
firefox-or-60.7.0-1.mga6 
firefox-pa_IN-60.7.0-1.mga6 
firefox-pl-60.7.0-1.mga6 
firefox-pt_BR-60.7.0-1.mga6 
firefox-pt_PT-60.7.0-1.mga6 
firefox-ro-60.7.0-1.mga6 
firefox-ru-60.7.0-1.mga6 
firefox-si-60.7.0-1.mga6 
firefox-sk-60.7.0-1.mga6 
firefox-sl-60.7.0-1.mga6 
firefox-sq-60.7.0-1.mga6 
firefox-sr-60.7.0-1.mga6 
firefox-sv_SE-60.7.0-1.mga6 
firefox-ta-60.7.0-1.mga6 
firefox-te-60.7.0-1.mga6 
firefox-th-60.7.0-1.mga6 
firefox-tr-60.7.0-1.mga6 
firefox-uk-60.7.0-1.mga6 
firefox-uz-60.7.0-1.mga6 
firefox-vi-60.7.0-1.mga6 
firefox-xh-60.7.0-1.mga6 
firefox-zh_CN-60.7.0-1.mga6 
firefox-zh_TW-60.7.0-1.mga6

from SRPMS:
firefox-60.7.0-1.mga6.src.rpm
firefox-l10n-60.7.0-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Thomas Andrews 2019-05-25 03:34:54 CEST
Real hardware, nvidia340 graphics, Atheros wifi, 64-bit Plasma system using the desktop kernel.

Updated the English versions of Firefox and Thunderbird in one operation. Afterward, tried Firefox on a number of different sites, no issues noted.

I believe this is OK, but it should be tried with some other languages before moving it on.

CC: (none) => andrewsfarm

Comment 3 James Kerr 2019-05-25 09:59:37 CEST
on mga6-64 plasma

packages installed cleanly:
- firefox-60.7.0-1.mga6.x86_64
- firefox-en_GB-60.7.0-1.mga6.noarch

no regressions observed 
looks OK for mga6-64 on this system:

Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.7.3 date: 01/31/2018
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530

CC: (none) => jim

Comment 4 Len Lawrence 2019-05-27 07:55:48 CEST
mga6, x86_64

Working fine here.  Firefox Quantum 60.7 esr - en_GB.
Ran the Acid tests at acid*.acidtests.org and saw the usual failures.
acid1 passed
acid2 failed
acid3 97/100

No change there, so OK for 64-bits.

CC: (none) => tarazed25

Comment 5 Thomas Andrews 2019-05-30 15:01:09 CEST
Tested the 32-bit English version in Xfce, and all is OK.

Time to send this on its way. OKing and validating. Advisory in Comment 1.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Morgan Leijström 2019-05-30 16:54:26 CEST
Have been running it since it showed up, no problems. 64 bit.

CC: (none) => fri

Comment 7 David Walser 2019-05-31 19:22:05 CEST
Red Hat has issued an advisory for this on May 23:
https://access.redhat.com/errata/RHSA-2019:1265

Thomas Backlund 2019-06-10 19:50:41 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-06-10 21:18:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0191.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

