Bug 25102 - Firefox 60.8
Summary: Firefox 60.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 25105
Blocks: 25103
  Show dependency treegraph
 
Reported: 2019-07-11 10:32 CEST by Nicolas Salguero
Modified: 2019-07-21 20:18 CEST (History)
5 users (show)

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2019-07-11 10:32:46 CEST
Hi,

Firefox 60.8 has been released (July 9).

References:
https://www.mozilla.org/en-US/firefox/60.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/

Best regards,

Nico.
Nicolas Salguero 2019-07-11 10:33:06 CEST

Source RPM: (none) => firefox, firefox-l10n

Comment 1 David Walser 2019-07-11 11:36:05 CEST
Also TODO for this, update rootcerts to 20190604 and nss to 3.36.8.  I see Nicolas already built nss unfortunately, so it'll need to be rebuilt after rootcerts is built.
Comment 2 Nicolas Salguero 2019-07-11 13:23:16 CEST
Only nss needs to be rebuilt after rootcerts is built or firefox needs too?
Comment 3 David Walser 2019-07-11 13:24:03 CEST
Only nss.
Comment 4 Nicolas Salguero 2019-07-11 14:13:31 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Sandbox escape via installation of malicious language pack. (CVE-2019-9811)

Script injection within domain through inner window reuse. (CVE-2019-11711)

Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects. (CVE-2019-11712)

Use-after-free with HTTP/2 cached stream. (CVE-2019-11713)

Empty or malformed p256-ECDH public keys may trigger a segmentation fault. (CVE-2019-11729)

HTML parsing error can contribute to content XSS. (CVE-2019-11715)

Caret character improperly escaped in origins. (CVE-2019-11717)

Out-of-bounds read when importing curve25519 private key. (CVE-2019-11719)

Same-origin policy treats all files in a directory as having the same-origin. (CVE-2019-11730)

Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8. (CVE-2019-11709)

References:
https://www.mozilla.org/en-US/firefox/60.8.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11717
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11709
========================

Updated packages in core/updates_testing:
========================
firefox-60.8.0-1.mga6
firefox-devel-60.8.0-1.mga6
firefox-af-60.8.0-1.mga6
firefox-an-60.8.0-1.mga6
firefox-ar-60.8.0-1.mga6
firefox-as-60.8.0-1.mga6
firefox-ast-60.8.0-1.mga6
firefox-az-60.8.0-1.mga6
firefox-bg-60.8.0-1.mga6
firefox-bn_IN-60.8.0-1.mga6
firefox-bn_BD-60.8.0-1.mga6
firefox-br-60.8.0-1.mga6
firefox-bs-60.8.0-1.mga6
firefox-ca-60.8.0-1.mga6
firefox-cs-60.8.0-1.mga6
firefox-cy-60.8.0-1.mga6
firefox-da-60.8.0-1.mga6
firefox-de-60.8.0-1.mga6
firefox-el-60.8.0-1.mga6
firefox-en_GB-60.8.0-1.mga6
firefox-en_US-60.8.0-1.mga6
firefox-en_ZA-60.8.0-1.mga6
firefox-eo-60.8.0-1.mga6
firefox-es_AR-60.8.0-1.mga6 
firefox-es_CL-60.8.0-1.mga6 
firefox-es_ES-60.8.0-1.mga6 
firefox-es_MX-60.8.0-1.mga6 
firefox-et-60.8.0-1.mga6 
firefox-eu-60.8.0-1.mga6 
firefox-fa-60.8.0-1.mga6 
firefox-ff-60.8.0-1.mga6 
firefox-fi-60.8.0-1.mga6 
firefox-fr-60.8.0-1.mga6 
firefox-fy_NL-60.8.0-1.mga6 
firefox-ga_IE-60.8.0-1.mga6 
firefox-gd-60.8.0-1.mga6 
firefox-gl-60.8.0-1.mga6 
firefox-gu_IN-60.8.0-1.mga6 
firefox-he-60.8.0-1.mga6 
firefox-hi_IN-60.8.0-1.mga6
firefox-hr-60.8.0-1.mga6 
firefox-hsb-60.8.0-1.mga6 
firefox-hu-60.8.0-1.mga6 
firefox-hy_AM-60.8.0-1.mga6 
firefox-id-60.8.0-1.mga6 
firefox-is-60.8.0-1.mga6 
firefox-it-60.8.0-1.mga6 
firefox-ja-60.8.0-1.mga6 
firefox-kk-60.8.0-1.mga6 
firefox-km-60.8.0-1.mga6 
firefox-kn-60.8.0-1.mga6 
firefox-ko-60.8.0-1.mga6 
firefox-lij-60.8.0-1.mga6 
firefox-lt-60.8.0-1.mga6 
firefox-lv-60.8.0-1.mga6 
firefox-mai-60.8.0-1.mga6 
firefox-mk-60.8.0-1.mga6 
firefox-ml-60.8.0-1.mga6 
firefox-mr-60.8.0-1.mga6 
firefox-ms-60.8.0-1.mga6 
firefox-nb_NO-60.8.0-1.mga6 
firefox-nl-60.8.0-1.mga6 
firefox-nn_NO-60.8.0-1.mga6 
firefox-or-60.8.0-1.mga6 
firefox-pa_IN-60.8.0-1.mga6 
firefox-pl-60.8.0-1.mga6 
firefox-pt_BR-60.8.0-1.mga6 
firefox-pt_PT-60.8.0-1.mga6 
firefox-ro-60.8.0-1.mga6 
firefox-ru-60.8.0-1.mga6 
firefox-si-60.8.0-1.mga6 
firefox-sk-60.8.0-1.mga6 
firefox-sl-60.8.0-1.mga6 
firefox-sq-60.8.0-1.mga6 
firefox-sr-60.8.0-1.mga6 
firefox-sv_SE-60.8.0-1.mga6 
firefox-ta-60.8.0-1.mga6 
firefox-te-60.8.0-1.mga6 
firefox-th-60.8.0-1.mga6 
firefox-tr-60.8.0-1.mga6 
firefox-uk-60.8.0-1.mga6 
firefox-uz-60.8.0-1.mga6 
firefox-vi-60.8.0-1.mga6 
firefox-xh-60.8.0-1.mga6 
firefox-zh_CN-60.8.0-1.mga6 
firefox-zh_TW-60.8.0-1.mga6
nss-3.36.8-1.1.mga6
nss-doc-3.36.8-1.1.mga6
lib(64)nss3-3.36.8-1.1.mga6
lib(64)nss-devel-3.36.8-1.1.mga6
lib(64)nss-static-devel-3.36.8-1.1.mga6
rootcerts-20190604.00-1.mga6
rootcerts-java-20190604.00-1.mga6

from SRPMS:
firefox-60.8.0-1.mga6.src.rpm
firefox-l10n-60.8.0-1.mga6.src.rpm
nss-3.36.8-1.1.mga6.src.rpm
rootcerts-20190604.00-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 5 David Walser 2019-07-11 14:35:27 CEST
Addition to the references:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.8_release_notes

Source RPM: firefox, firefox-l10n => rootcerts, nss, firefox, firefox-l10n
Depends on: (none) => 25105

Comment 6 Brian Rockwell 2019-07-11 19:40:00 CEST

The following 5 packages are going to be installed:

- firefox-60.8.0-1.mga6.i586
- firefox-en_GB-60.8.0-1.mga6.noarch
- firefox-en_US-60.8.0-1.mga6.noarch
- firefox-en_ZA-60.8.0-1.mga6.noarch
- libnss3-3.36.8-1.1.mga6.i586


$ firefox -v
Mozilla Firefox 60.8.0


The browser worked fine on multiple sites.  I ran it from the command line so noticed these.  Not sure if the last is considered critical or not.

$ firefox
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
   
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
[Parent 30496, Gecko_IOThread] WARNING: pipe error (127): Connection reset by peer: file /home/iurt/rpmbuild/BUILD/firefox-60.8.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 342

###!!! [Parent][MessageChannel] Error: (msgtype=0x160080,name=PBrowser::Msg_Destroy) Closed channel: cannot send/recv

I think this is just from me closing the browser, so probably just doing a quick break from communication.

CC: (none) => brtians1

Comment 7 David Walser 2019-07-11 20:14:28 CEST
Brian, rootcerts should be installed too.
Comment 8 Brian Rockwell 2019-07-11 23:44:36 CEST
got it

The following 2 packages are going to be installed:

- rootcerts-20190604.00-1.mga6.noarch
- rootcerts-java-20190604.00-1.mga6.noarch


Firefox is functioning as expected.
Comment 9 Brian Rockwell 2019-07-11 23:45:35 CEST
(In reply to Brian Rockwell from comment #8)
> got it
> 
> The following 2 packages are going to be installed:
> 
> - rootcerts-20190604.00-1.mga6.noarch
> - rootcerts-java-20190604.00-1.mga6.noarch
> 
> 
> Firefox is functioning as expected.

[brian@localhost ~]$ firefox
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
alloc factor 0.900000 0.900000
[brian@localhost ~]$
Comment 10 James Kerr 2019-07-12 10:18:53 CEST
on mga6-64 plasma

packages installed cleanly:

- firefox-60.8.0-1.mga6.x86_64
- firefox-en_GB-60.8.0-1.mga6.noarch
- lib64nss3-3.36.8-1.1.mga6.x86_64
- nss-3.36.8-1.1.mga6.x86_64
- rootcerts-20190604.00-1.mga6.noarch
- rootcerts-java-20190604.00-1.mga6.noarch

no regressions observed 
looks OK for mga6-64 on this system:

Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.13.1
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530

CC: (none) => jim

James Kerr 2019-07-13 11:03:51 CEST

Blocks: (none) => 25103

Comment 11 James Kerr 2019-07-13 11:11:09 CEST
Why is this bug marked as depending on bug#25105 - that is a later version?
Comment 12 David Walser 2019-07-13 11:32:17 CEST
Because the rootcerts update has to ship in mga7 first or at the same time.
Comment 13 Nicolas Salguero 2019-07-13 13:17:13 CEST
(In reply to David Walser from comment #12)
> Because the rootcerts update has to ship in mga7 first or at the same time.

This applies to bug 25103 not that bug

Depends on: 25105 => (none)

James Kerr 2019-07-13 13:23:43 CEST

Whiteboard: (none) => MGA6-64-OK

David Walser 2019-07-13 16:01:01 CEST

Depends on: (none) => 25105

Comment 14 Morgan Leijström 2019-07-14 06:29:17 CEST
Test OK mga6-64, plasma, hidpi screen, nvidia driver, i7 CPU.
Hundreds of tabs, video with audio, many sites login incl banking.

CC: (none) => fri

Comment 15 Morgan Leijström 2019-07-14 06:29:50 CEST
swedish, i forgot to mention
Comment 16 David Walser 2019-07-15 15:24:14 CEST
RedHat has issued an advisory for this on July 8:
https://access.redhat.com/errata/RHSA-2019:1696
Dave Hodgins 2019-07-21 03:34:29 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 17 Mageia Robot 2019-07-21 20:18:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0211.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.