Bug 25359 - Firefox 68.1 and 60.9, NSPR 4.22 and rootcerts update
Summary: Firefox 68.1 and 60.9, NSPR 4.22 and rootcerts update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO, MGA7-64-OK MGA7-32-OK mga6-3...
Keywords: advisory, validated_update
Depends on: 24750
Blocks: 25396
Reported: 2019-08-26 11:09 CEST by Nicolas Salguero
Modified: 2020-01-12 17:22 CET (History)

See Also:
Source RPM: firefox, firefox-l10n, rootcerts, nspr, nss
CVE:
Status comment:



Nicolas Salguero 2019-08-26 11:10:14 CEST

Whiteboard: (none) => MGA7TOO
CVE: (none) => CVE-2019-11733
Source RPM: (none) => firefox, firefox-l10n

Comment 1 David Walser 2019-08-26 12:16:33 CEST
rootcerts and nspr (4.22) updates to come with this (plus nss rebuild for rootcerts).

https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0
Comment 2 David Walser 2019-08-26 18:25:39 CEST
Since Mageia 6 won't be getting a Firefox update, it'll have a different advisory for the rootcerts/nspr update.

Package list (Mageia 6):
rootcerts-20190820.00-1.mga6
rootcerts-java-20190820.00-1.mga6
libnspr4-4.22-1.mga6
libnspr-devel-4.22-1.mga6
nss-3.36.8-1.2.mga6
nss-doc-3.36.8-1.2.mga6
libnss3-3.36.8-1.2.mga6
libnss-devel-3.36.8-1.2.mga6
libnss-static-devel-3.36.8-1.2.mga6

from SRPMS:
rootcerts-20190820.00-1.mga6.src.rpm
nspr-4.22-1.mga6.src.rpm
nss-3.36.8-1.2.mga6.src.rpm


Package list (Mageia 7, not including firefox/firefox-l10n):
rootcerts-20190820.00-1.mga7
rootcerts-java-20190820.00-1.mga7
libnspr4-4.22-1.mga7
libnspr-devel-4.22-1.mga7
nss-3.45.0-1.1.mga7
nss-doc-3.45.0-1.1.mga7
libnss3-3.45.0-1.1.mga7
libnss-devel-3.45.0-1.1.mga7
libnss-static-devel-3.45.0-1.1.mga7

from SRPMS:
rootcerts-20190820.00-1.mga7.src.rpm
nspr-4.22-1.mga7.src.rpm
nss-3.45.0-1.1.mga7.src.rpm
Comment 3 Lewis Smith 2019-08-26 21:29:08 CEST
Thank you DavidW for jumping on this.
Assigning globally as there is no specific maintainer for Firefox; CC'ing Thierry (I hope the right one) who has often dealt with it in the past.

CC: (none) => thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 4 David Walser 2019-08-26 22:25:30 CEST
For Firefox itself, Nicolas is working on it.
Comment 5 Nicolas Salguero 2019-08-29 09:06:06 CEST
Hi,

Done for Mageia 7 (firefox, firefox-l10n).

The main problem is for Cauldron where the build fails for i586 (same problem as several weeks ago: build killed apparently because of the timeout but the timeout is normally reached after 10 hours and the build is killed after a little more than an hour).

Best regards,

Nico.
Comment 6 David Walser 2019-08-29 13:18:01 CEST
Package list for Firefox itself (the rest of the list is in Comment 2):
firefox-68.0.2-1.mga7
firefox-devel-68.0.2-1.mga7
firefox-af-68.0.2-1.mga7
firefox-an-68.0.2-1.mga7
firefox-ar-68.0.2-1.mga7
firefox-ast-68.0.2-1.mga7
firefox-az-68.0.2-1.mga7
firefox-bg-68.0.2-1.mga7
firefox-bn-68.0.2-1.mga7
firefox-br-68.0.2-1.mga7
firefox-bs-68.0.2-1.mga7
firefox-ca-68.0.2-1.mga7
firefox-cs-68.0.2-1.mga7
firefox-cy-68.0.2-1.mga7
firefox-da-68.0.2-1.mga7
firefox-de-68.0.2-1.mga7
firefox-el-68.0.2-1.mga7
firefox-en_GB-68.0.2-1.mga7
firefox-en_US-68.0.2-1.mga7
firefox-eo-68.0.2-1.mga7
firefox-es_AR-68.0.2-1.mga7
firefox-es_CL-68.0.2-1.mga7
firefox-es_ES-68.0.2-1.mga7
firefox-es_MX-68.0.2-1.mga7
firefox-et-68.0.2-1.mga7
firefox-eu-68.0.2-1.mga7
firefox-fa-68.0.2-1.mga7
firefox-ff-68.0.2-1.mga7
firefox-fi-68.0.2-1.mga7
firefox-fr-68.0.2-1.mga7
firefox-fy_NL-68.0.2-1.mga7
firefox-ga_IE-68.0.2-1.mga7
firefox-gd-68.0.2-1.mga7
firefox-gl-68.0.2-1.mga7
firefox-gu_IN-68.0.2-1.mga7
firefox-he-68.0.2-1.mga7
firefox-hi_IN-68.0.2-1.mga7
firefox-hr-68.0.2-1.mga7
firefox-hsb-68.0.2-1.mga7
firefox-hu-68.0.2-1.mga7
firefox-hy_AM-68.0.2-1.mga7
firefox-id-68.0.2-1.mga7
firefox-is-68.0.2-1.mga7
firefox-it-68.0.2-1.mga7
firefox-ja-68.0.2-1.mga7
firefox-kk-68.0.2-1.mga7
firefox-km-68.0.2-1.mga7
firefox-kn-68.0.2-1.mga7
firefox-ko-68.0.2-1.mga7
firefox-lij-68.0.2-1.mga7
firefox-lt-68.0.2-1.mga7
firefox-lv-68.0.2-1.mga7
firefox-mk-68.0.2-1.mga7
firefox-mr-68.0.2-1.mga7
firefox-ms-68.0.2-1.mga7
firefox-nb_NO-68.0.2-1.mga7
firefox-nl-68.0.2-1.mga7
firefox-nn_NO-68.0.2-1.mga7
firefox-pa_IN-68.0.2-1.mga7
firefox-pl-68.0.2-1.mga7
firefox-pt_BR-68.0.2-1.mga7
firefox-pt_PT-68.0.2-1.mga7
firefox-ro-68.0.2-1.mga7
firefox-ru-68.0.2-1.mga7
firefox-si-68.0.2-1.mga7
firefox-sk-68.0.2-1.mga7
firefox-sl-68.0.2-1.mga7
firefox-sq-68.0.2-1.mga7
firefox-sr-68.0.2-1.mga7
firefox-sv_SE-68.0.2-1.mga7
firefox-ta-68.0.2-1.mga7
firefox-te-68.0.2-1.mga7
firefox-th-68.0.2-1.mga7
firefox-tr-68.0.2-1.mga7
firefox-uk-68.0.2-1.mga7
firefox-uz-68.0.2-1.mga7
firefox-vi-68.0.2-1.mga7
firefox-xh-68.0.2-1.mga7
firefox-zh_CN-68.0.2-1.mga7
firefox-zh_TW-68.0.2-1.mga7

from SRPMS:
firefox-68.0.2-1.mga7.src.rpm
firefox-l10n-68.0.2-1.mga7.src.rpm
Comment 7 David Walser 2019-08-29 13:18:45 CEST
I'd say don't worry about Cauldron for now and we can go ahead and push these updates to QA.
Comment 8 Nicolas Salguero 2019-08-29 13:43:34 CEST
For Mageia 6:

Suggested advisory:
========================

The updated packages fix several bugs:

For rootcerts:
  - Remove Swisscom Root CA 2 root certificate.
  - Remove Expired root certificates - Class 2 Primary, UTN-USERFirst-Client, Deutsche Telekom Root CA 2.

For NSPR:
  - Added support for the ARC architecture.
  - Removed support for the following platforms: OSF1/Tru64, DGUX, IRIX, Symbian, BeOS.
  - Correctness and build fixes.

References:
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0

Version: Cauldron => 7
Whiteboard: MGA7TOO => MGA6TOO
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: firefox, firefox-l10n => firefox, firefox-l10n, rootcerts, nspr, nss

Comment 9 Nicolas Salguero 2019-08-29 13:43:47 CEST
For Mageia 7:

Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Stored passwords in 'Saved Logins' can be copied without master password entry. (CVE-2019-11733)

For rootcerts:
  - Remove Swisscom Root CA 2 root certificate.
  - Remove Expired root certificates - Class 2 Primary, UTN-USERFirst-Client, Deutsche Telekom Root CA 2.

For NSPR:
  - Added support for the ARC architecture.
  - Removed support for the following platforms: OSF1/Tru64, DGUX, IRIX, Symbian, BeOS.
  - Correctness and build fixes.

References:
https://www.mozilla.org/en-US/firefox/68.0.1/releasenotes/
https://www.mozilla.org/en-US/firefox/68.0.2/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0
Nicolas Salguero 2019-08-29 13:45:47 CEST

Summary: Firefox 68.0.2 => Firefox 68.0.2, NSPR 4.22 and rootcerts update

Comment 10 James Kerr 2019-08-31 08:45:38 CEST
on mga7-64  kernel-desktop  plasma

packages installed cleanly:
- firefox-68.0.2-1.mga7.x86_64
- firefox-en_GB-68.0.2-1.mga7.noarch
- lib64nspr4-4.22-1.mga7.x86_64
- lib64nss3-3.45.0-1.1.mga7.x86_64
- nss-3.45.0-1.1.mga7.x86_64
- rootcerts-20190820.00-1.mga7.noarch
- rootcerts-java-20190820.00-1.mga7.noarch

no regressions observed

looks OK for mga7-64

CC: (none) => jim

Comment 11 James Kerr 2019-08-31 15:07:57 CEST
on mga7-32  kernel-desktop586  plasma
in a vbox VM

packages installed cleanly:
- firefox-68.0.2-1.mga7.i586
- firefox-en_GB-68.0.2-1.mga7.noarch
- firefox-en_US-68.0.2-1.mga7.noarch
- libnspr4-4.22-1.mga7.i586
- libnss3-3.45.0-1.1.mga7.i586
- nss-3.45.0-1.1.mga7.i586
- rootcerts-20190820.00-1.mga7.noarch
- rootcerts-java-20190820.00-1.mga7.noarch

looks OK for mga7-32
Comment 12 James Kerr 2019-09-01 14:21:18 CEST
on mga6-64  kernel-desktop  plasma

Sorry, the following package cannot be selected:

- lib64nss3-3.36.8-1.2.mga6.x86_64 (due to unsatisfied lib64sqlite3_0[>= 3.28.0])

After installing the updates from bug 24750:
- lib64sqlite3_0-3.28.0-1.mga6.x86_64
- sqlite3-tools-3.28.0-1.mga6.x86_64

packages installed cleanly:
- lib64nspr4-4.22-1.mga6.x86_64
- lib64nss3-3.36.8-1.2.mga6.x86_64
- nss-3.36.8-1.2.mga6.x86_64
- rootcerts-20190820.00-1.mga6.noarch
- rootcerts-java-20190820.00-1.mga6.noarch

no regressions observed 
looks OK for mga6-64 on this system

This update requires the sqlite update, bug 24750

Depends on: (none) => 24750

Comment 13 James Kerr 2019-09-01 16:26:36 CEST
on mga6-32 in a vbox vm
kernel-desktop   plasma

installed the following from bug 24750
- libsqlite3_0-3.28.0-1.mga6.i586
- sqlite3-tools-3.28.0-1.mga6.i586

packages installed cleanly:
- libnspr4-4.22-1.mga6.i586
- libnss3-3.36.8-1.2.mga6.i586
- nss-3.36.8-1.2.mga6.i586
- rootcerts-20190820.00-1.mga6.noarch
- rootcerts-java-20190820.00-1.mga6.noarch

no regressions noted
looks OK for mga6-32

This update requires the sqlite update, bug 24750
Comment 14 Brian Rockwell 2019-09-02 23:00:49 CEST
$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The following 8 packages are going to be installed:

- lib64nspr-devel-4.22-1.mga6.x86_64
- lib64nspr4-4.22-1.mga6.x86_64
- lib64nss3-3.36.8-1.2.mga6.x86_64
- lib64sqlite3_0-3.28.0-1.mga6.x86_64
- nss-3.36.8-1.2.mga6.x86_64
- nss-doc-3.36.8-1.2.mga6.noarch
- rootcerts-20190820.00-1.mga6.noarch
- rootcerts-java-20190820.00-1.mga6.noarch


I spent time visiting major sites with firefox.  Seemed to be fine.  These all installed properly as well.

Seems good to me.

CC: (none) => brtians1

Comment 15 David Walser 2019-09-03 02:44:55 CEST
NSS 3.46 finally came out, updating Mageia 7 with this:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes
Comment 16 David Walser 2019-09-03 03:05:20 CEST
We might as well update to Firefox 68.1 too:
https://www.mozilla.org/en-US/firefox/68.1.0/releasenotes/
Comment 17 David Walser 2019-09-04 02:12:31 CEST
(In reply to David Walser from comment #15)
> NSS 3.46 finally came out, updating Mageia 7 with this:
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes

nss-3.46.0-1.mga7
nss-doc-3.46.0-1.mga7
libnss3-3.46.0-1.mga7
libnss-devel-3.46.0-1.mga7
libnss-static-devel-3.46.0-1.mga7

from nss-3.46.0-1.mga7.src.rpm
Comment 18 Nicolas Salguero 2019-09-04 10:38:23 CEST
Additional references:
For Firefox 68.1: https://www.mozilla.org/security/advisories/mfsa2019-26/
For Firefox 60.9:
https://www.mozilla.org/en-US/firefox/60.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/

Summary: Firefox 68.0.2, NSPR 4.22 and rootcerts update => Firefox 68.1 and 60.9, NSPR 4.22 and rootcerts update

Nicolas Salguero 2019-09-04 10:47:51 CEST

Severity: normal => critical
Assignee: qa-bugs => nicolas.salguero

Comment 19 Marja Van Waes 2019-09-04 11:05:39 CEST
*** Bug 25396 has been marked as a duplicate of this bug. ***

CC: (none) => josemlp

Comment 20 Nicolas Salguero 2019-09-04 13:43:48 CEST
For Mageia 6:

Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Use-after-free while manipulating video. (CVE-2019-11746)

XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744)

Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742)

Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (CVE-2019-11753)

Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752)

Sandbox escape through Firefox Sync. (CVE-2019-9812)

Cross-origin access to unload event attributes. (CVE-2019-11743)

Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9. (CVE-2019-11740)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
https://www.mozilla.org/en-US/firefox/60.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0
========================

Updated packages in core/updates_testing:
========================
firefox-60.9.0-1.mga6
firefox-devel-60.9.0-1.mga6
firefox-af-60.9.0-1.mga6
firefox-an-60.9.0-1.mga6
firefox-ar-60.9.0-1.mga6
firefox-as-60.9.0-1.mga6
firefox-ast-60.9.0-1.mga6
firefox-az-60.9.0-1.mga6
firefox-bg-60.9.0-1.mga6
firefox-bn_IN-60.9.0-1.mga6
firefox-bn_BD-60.9.0-1.mga6
firefox-br-60.9.0-1.mga6
firefox-bs-60.9.0-1.mga6
firefox-ca-60.9.0-1.mga6
firefox-cs-60.9.0-1.mga6
firefox-cy-60.9.0-1.mga6
firefox-da-60.9.0-1.mga6
firefox-de-60.9.0-1.mga6
firefox-el-60.9.0-1.mga6
firefox-en_GB-60.9.0-1.mga6
firefox-en_US-60.9.0-1.mga6
firefox-en_ZA-60.9.0-1.mga6
firefox-eo-60.9.0-1.mga6
firefox-es_AR-60.9.0-1.mga6 
firefox-es_CL-60.9.0-1.mga6 
firefox-es_ES-60.9.0-1.mga6 
firefox-es_MX-60.9.0-1.mga6 
firefox-et-60.9.0-1.mga6 
firefox-eu-60.9.0-1.mga6 
firefox-fa-60.9.0-1.mga6 
firefox-ff-60.9.0-1.mga6 
firefox-fi-60.9.0-1.mga6 
firefox-fr-60.9.0-1.mga6 
firefox-fy_NL-60.9.0-1.mga6 
firefox-ga_IE-60.9.0-1.mga6 
firefox-gd-60.9.0-1.mga6 
firefox-gl-60.9.0-1.mga6 
firefox-gu_IN-60.9.0-1.mga6 
firefox-he-60.9.0-1.mga6 
firefox-hi_IN-60.9.0-1.mga6
firefox-hr-60.9.0-1.mga6 
firefox-hsb-60.9.0-1.mga6 
firefox-hu-60.9.0-1.mga6 
firefox-hy_AM-60.9.0-1.mga6 
firefox-id-60.9.0-1.mga6 
firefox-is-60.9.0-1.mga6 
firefox-it-60.9.0-1.mga6 
firefox-ja-60.9.0-1.mga6 
firefox-kk-60.9.0-1.mga6 
firefox-km-60.9.0-1.mga6 
firefox-kn-60.9.0-1.mga6 
firefox-ko-60.9.0-1.mga6 
firefox-lij-60.9.0-1.mga6 
firefox-lt-60.9.0-1.mga6 
firefox-lv-60.9.0-1.mga6 
firefox-mai-60.9.0-1.mga6 
firefox-mk-60.9.0-1.mga6 
firefox-ml-60.9.0-1.mga6 
firefox-mr-60.9.0-1.mga6 
firefox-ms-60.9.0-1.mga6 
firefox-nb_NO-60.9.0-1.mga6 
firefox-nl-60.9.0-1.mga6 
firefox-nn_NO-60.9.0-1.mga6 
firefox-or-60.9.0-1.mga6 
firefox-pa_IN-60.9.0-1.mga6 
firefox-pl-60.9.0-1.mga6 
firefox-pt_BR-60.9.0-1.mga6 
firefox-pt_PT-60.9.0-1.mga6 
firefox-ro-60.9.0-1.mga6 
firefox-ru-60.9.0-1.mga6 
firefox-si-60.9.0-1.mga6 
firefox-sk-60.9.0-1.mga6 
firefox-sl-60.9.0-1.mga6 
firefox-sq-60.9.0-1.mga6 
firefox-sr-60.9.0-1.mga6 
firefox-sv_SE-60.9.0-1.mga6 
firefox-ta-60.9.0-1.mga6 
firefox-te-60.9.0-1.mga6 
firefox-th-60.9.0-1.mga6 
firefox-tr-60.9.0-1.mga6 
firefox-uk-60.9.0-1.mga6 
firefox-uz-60.9.0-1.mga6 
firefox-vi-60.9.0-1.mga6 
firefox-xh-60.9.0-1.mga6 
firefox-zh_CN-60.9.0-1.mga6 
firefox-zh_TW-60.9.0-1.mga6
rootcerts-20190820.00-1.mga6
rootcerts-java-20190820.00-1.mga6
libnspr4-4.22-1.mga6
libnspr-devel-4.22-1.mga6
nss-3.36.8-1.2.mga6
nss-doc-3.36.8-1.2.mga6
libnss3-3.36.8-1.2.mga6
libnss-devel-3.36.8-1.2.mga6
libnss-static-devel-3.36.8-1.2.mga6

from SRPMS:
firefox-60.9.0-1.mga6.src.rpm
firefox-l10n-60.9.0-1.mga6.src.rpm
rootcerts-20190820.00-1.mga6.src.rpm
nspr-4.22-1.mga6.src.rpm
nss-3.36.8-1.2.mga6.src.rpm
Comment 21 David Walser 2019-09-04 15:58:15 CEST
Don't forget to push firefox-l10n for Mageia 7.  It should be ready in SVN.
Comment 22 Morgan Leijström 2019-09-04 19:31:09 CEST
mga6 64 bit Firefox with Swedish working nicely on Plasma, Nvidia driver. Tabs restored after update, tested sites I often use, video with sound OK.

CC: (none) => fri

Comment 23 David Walser 2019-09-04 22:19:37 CEST
RedHat has issued an advisory for this today (September 4):
https://access.redhat.com/errata/RHSA-2019:2663
Comment 24 Nicolas Salguero 2019-09-06 08:35:57 CEST
For Mageia 7:

Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Stored passwords in 'Saved Logins' can be copied without master password entry. (CVE-2019-11733)

Malicious code execution through command line parameters. (CVE-2019-11751)

Use-after-free while manipulating video. (CVE-2019-11746)

XSS by breaking out of title and textarea elements using innerHTML. (CVE-2019-11744)

Same-origin policy violation with SVG filters and canvas to steal cross-origin images. (CVE-2019-11742)

File manipulation and privilege escalation in Mozilla Maintenance Service. (CVE-2019-11736)

Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (CVE-2019-11753)

Use-after-free while extracting a key value in IndexedDB. (CVE-2019-11752)

Sandbox escape through Firefox Sync. (CVE-2019-9812)

Cross-origin access to unload event attributes. (CVE-2019-11743)

Persistence of WebRTC permissions in a third party context. (CVE-2019-11748)

Camera information available without prompting using getUserMedia. (CVE-2019-11749)

Type confusion in Spidermonkey. (CVE-2019-11750)

Content security policy bypass through hash-based sources in directives. (CVE-2019-11738)

'Forget about this site' removes sites from pre-loaded HSTS list. (CVE-2019-11747)

Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1. (CVE-2019-11735)

Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, and Firefox ESR 60.9. (CVE-2019-11740)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11740
https://www.mozilla.org/en-US/firefox/68.0.1/releasenotes/
https://www.mozilla.org/en-US/firefox/68.0.2/releasenotes/
https://www.mozilla.org/en-US/firefox/68.1.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-26/
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/RQtSKOF9rM0
https://access.redhat.com/errata/RHSA-2019:2663
========================

Updated packages in core/updates_testing:
========================
firefox-68.1.0-1.mga7
firefox-devel-68.1.0-1.mga7
firefox-af-68.1.0-1.mga7
firefox-an-68.1.0-1.mga7
firefox-ar-68.1.0-1.mga7
firefox-ast-68.1.0-1.mga7
firefox-az-68.1.0-1.mga7
firefox-bg-68.1.0-1.mga7
firefox-bn-68.1.0-1.mga7
firefox-br-68.1.0-1.mga7
firefox-bs-68.1.0-1.mga7
firefox-ca-68.1.0-1.mga7
firefox-cs-68.1.0-1.mga7
firefox-cy-68.1.0-1.mga7
firefox-da-68.1.0-1.mga7
firefox-de-68.1.0-1.mga7
firefox-el-68.1.0-1.mga7
firefox-en_GB-68.1.0-1.mga7
firefox-en_US-68.1.0-1.mga7
firefox-eo-68.1.0-1.mga7
firefox-es_AR-68.1.0-1.mga7
firefox-es_CL-68.1.0-1.mga7
firefox-es_ES-68.1.0-1.mga7
firefox-es_MX-68.1.0-1.mga7
firefox-et-68.1.0-1.mga7
firefox-eu-68.1.0-1.mga7
firefox-fa-68.1.0-1.mga7
firefox-ff-68.1.0-1.mga7
firefox-fi-68.1.0-1.mga7
firefox-fr-68.1.0-1.mga7
firefox-fy_NL-68.1.0-1.mga7
firefox-ga_IE-68.1.0-1.mga7
firefox-gd-68.1.0-1.mga7
firefox-gl-68.1.0-1.mga7
firefox-gu_IN-68.1.0-1.mga7
firefox-he-68.1.0-1.mga7
firefox-hi_IN-68.1.0-1.mga7
firefox-hr-68.1.0-1.mga7
firefox-hsb-68.1.0-1.mga7
firefox-hu-68.1.0-1.mga7
firefox-hy_AM-68.1.0-1.mga7
firefox-id-68.1.0-1.mga7
firefox-is-68.1.0-1.mga7
firefox-it-68.1.0-1.mga7
firefox-ja-68.1.0-1.mga7
firefox-kk-68.1.0-1.mga7
firefox-km-68.1.0-1.mga7
firefox-kn-68.1.0-1.mga7
firefox-ko-68.1.0-1.mga7
firefox-lij-68.1.0-1.mga7
firefox-lt-68.1.0-1.mga7
firefox-lv-68.1.0-1.mga7
firefox-mk-68.1.0-1.mga7
firefox-mr-68.1.0-1.mga7
firefox-ms-68.1.0-1.mga7
firefox-nb_NO-68.1.0-1.mga7
firefox-nl-68.1.0-1.mga7
firefox-nn_NO-68.1.0-1.mga7
firefox-pa_IN-68.1.0-1.mga7
firefox-pl-68.1.0-1.mga7
firefox-pt_BR-68.1.0-1.mga7
firefox-pt_PT-68.1.0-1.mga7
firefox-ro-68.1.0-1.mga7
firefox-ru-68.1.0-1.mga7
firefox-si-68.1.0-1.mga7
firefox-sk-68.1.0-1.mga7
firefox-sl-68.1.0-1.mga7
firefox-sq-68.1.0-1.mga7
firefox-sr-68.1.0-1.mga7
firefox-sv_SE-68.1.0-1.mga7
firefox-ta-68.1.0-1.mga7
firefox-te-68.1.0-1.mga7
firefox-th-68.1.0-1.mga7
firefox-tr-68.1.0-1.mga7
firefox-uk-68.1.0-1.mga7
firefox-uz-68.1.0-1.mga7
firefox-vi-68.1.0-1.mga7
firefox-xh-68.1.0-1.mga7
firefox-zh_CN-68.1.0-1.mga7
firefox-zh_TW-68.1.0-1.mga7
rootcerts-20190820.00-1.mga7
rootcerts-java-20190820.00-1.mga7
libnspr4-4.22-1.mga7
libnspr-devel-4.22-1.mga7
nss-3.46.0-1.mga7
nss-doc-3.46.0-1.mga7
libnss3-3.46.0-1.mga7
libnss-devel-3.46.0-1.mga7
libnss-static-devel-3.46.0-1.mga7

from SRPMS:
firefox-68.1.0-1.mga7.src.rpm
firefox-l10n-68.1.0-1.mga7.src.rpm
rootcerts-20190820.00-1.mga7.src.rpm
nspr-4.22-1.mga7.src.rpm
nss-3.46.0-1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs
CVE: CVE-2019-11733 => (none)

Nicolas Salguero 2019-09-06 08:37:01 CEST

Blocks: (none) => 25396

Comment 25 Herman Viaene 2019-09-06 10:16:10 CEST
MGA6-64 Plasma on Lenovo B50
Noticed while selecting packages that the lib64nspr and lib64nss3 had updates, but not the 32-bit libnspr and libnss3.
Firefox works OK on usual newspaper site with text, photos and video.
I think the 64-bit is OK, but waiting to see if the 32-bit needs further mending.

CC: (none) => herman.viaene

Comment 26 Brian Rockwell 2019-09-06 18:13:24 CEST
64bit - plasma

- firefox-en_GB-68.1.0-1.mga7.noarch
- firefox-en_US-68.1.0-1.mga7.noarch
- lib64nspr4-4.22-1.mga7.x86_64
- lib64nss3-3.46.0-1.mga7.x86_64


Ran it about an hour straight with videos, and major email sites.  Seems to be working.
Comment 27 Bill Wilkinson 2019-09-09 18:02:03 CEST
Tested mga7-64 general browsing, jetstream for javascript, videos, all OK

Whiteboard: MGA6TOO => MGA6TOO, mga-7-64-ok
CC: (none) => wrw105

Comment 28 Bill Wilkinson 2019-09-09 22:59:48 CEST
Tested mga7-32 in a virtualbox guest machine, as in comment 27, all OK

Whiteboard: MGA6TOO, mga-7-64-ok => MGA6TOO, mga-7-64-ok mga7-32-ok

Thomas Andrews 2019-09-10 14:02:36 CEST

CC: (none) => andrewsfarm
Whiteboard: MGA6TOO, mga-7-64-ok mga7-32-ok => MGA6TOO, MGA7-64-OK MGA7-32-OK

Comment 29 Thomas Andrews 2019-09-10 14:19:56 CEST
Looks good here in MGA7 Plasma. Will try Mga6 later.
Comment 30 Bill Wilkinson 2019-09-10 16:50:11 CEST
Tested mga6-32 as above. Starting ff shows a page saying it's out of date, but I'm not sure there's anything we can do about that. Everything working as expected.

Whiteboard: MGA6TOO, MGA7-64-OK MGA7-32-OK => MGA6TOO, MGA7-64-OK MGA7-32-OK mga6-32-ok

Comment 31 Thomas Andrews 2019-09-11 03:42:30 CEST
Good for 64-bits in Mageia 6 Plasma on my Probook 6550b.

Validating. Advisories in Comment 8 and Comment 9.

Whiteboard: MGA6TOO, MGA7-64-OK MGA7-32-OK mga6-32-ok => MGA6TOO, MGA7-64-OK MGA7-32-OK mga6-32-ok MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 32 David Walser 2019-09-11 14:45:10 CEST
RedHat has issued an advisory for Firefox 60.9 today (September 11):
https://access.redhat.com/errata/RHSA-2019:2729
Thomas Backlund 2019-09-12 17:37:47 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 33 Mageia Robot 2019-09-12 21:11:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0267.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 34 Mageia Robot 2019-09-12 21:11:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0268.html
Comment 35 David Walser 2020-01-12 17:22:09 CET
NSS 3.46 update in this bug also fixed CVE-2019-17006:
https://usn.ubuntu.com/4231-1/
