Bug 25820 - Firefox 68.3
Summary: Firefox 68.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-32-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 25792
Blocks:
 
Reported: 2019-12-04 11:03 CET by Nicolas Salguero
Modified: 2019-12-09 15:26 CET

See Also:
Source RPM: firefox, firefox-l10n, nspr
CVE:
Status comment:



Description Nicolas Salguero 2019-12-04 11:03:34 CET
Mozilla has released Firefox 68.3.0 today (December 3):
https://www.mozilla.org/en-US/firefox/68.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/

As well as updated nspr (4.24).
Nicolas Salguero 2019-12-04 11:03:50 CET

Whiteboard: (none) => MGA7TOO

Nicolas Salguero 2019-12-04 11:05:09 CET

Source RPM: (none) => firefox, firefox-l10n, nspr

Comment 1 David Walser 2019-12-04 13:10:56 CET
Since it's already built, go ahead and include the nspr update with this update.  If Bugzilla was working from here on Monday evening, I was going to say that it is not needed, because it has no changes except for the version number and will only be required by nss 3.48, which isn't out yet, so we wouldn't really need it until the next Firefox update, but now is fine too.

Whiteboard: MGA7TOO => (none)
Summary: Firefox 68.3, NSPR 4.24 => Firefox 68.3
Version: Cauldron => 7

David Walser 2019-12-04 13:32:01 CET

Depends on: (none) => 25792

Comment 2 Jose Manuel López 2019-12-04 13:55:55 CET
I can't install Firefox 68.3. It does not appear in the testing repositories; only the language packages appear.

CC: (none) => joselp

Nicolas Salguero 2019-12-04 14:11:20 CET

Blocks: (none) => 25821

David Walser 2019-12-05 16:59:17 CET

Blocks: 25821 => (none)

Comment 3 Nicolas Salguero 2019-12-06 08:52:54 CET
Suggested advisory:
========================

Use-after-free in worker destruction. (CVE-2019-17008)

Stack corruption due to incorrect number of arguments in WebRTC code. (CVE-2019-13722)

Updater temporary files accessible to unprivileged processes. (CVE-2019-17009)

Use-after-free when performing device orientation checks. (CVE-2019-17010)

Buffer overflow in plain text serializer. (CVE-2019-17005)

Use-after-free when retrieving a document in antitracking. (CVE-2019-17011)

Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3. (CVE-2019-17012)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17012
https://www.mozilla.org/en-US/firefox/68.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/
========================

Updated packages in core/updates_testing:
========================
firefox-68.3.0-1.mga7
firefox-devel-68.3.0-1.mga7
firefox-af-68.3.0-1.mga7
firefox-an-68.3.0-1.mga7
firefox-ar-68.3.0-1.mga7
firefox-ast-68.3.0-1.mga7
firefox-az-68.3.0-1.mga7
firefox-bg-68.3.0-1.mga7
firefox-bn-68.3.0-1.mga7
firefox-br-68.3.0-1.mga7
firefox-bs-68.3.0-1.mga7
firefox-ca-68.3.0-1.mga7
firefox-cs-68.3.0-1.mga7
firefox-cy-68.3.0-1.mga7
firefox-da-68.3.0-1.mga7
firefox-de-68.3.0-1.mga7
firefox-el-68.3.0-1.mga7
firefox-en_GB-68.3.0-1.mga7
firefox-en_US-68.3.0-1.mga7
firefox-eo-68.3.0-1.mga7
firefox-es_AR-68.3.0-1.mga7
firefox-es_CL-68.3.0-1.mga7
firefox-es_ES-68.3.0-1.mga7
firefox-es_MX-68.3.0-1.mga7
firefox-et-68.3.0-1.mga7
firefox-eu-68.3.0-1.mga7
firefox-fa-68.3.0-1.mga7
firefox-ff-68.3.0-1.mga7
firefox-fi-68.3.0-1.mga7
firefox-fr-68.3.0-1.mga7
firefox-fy_NL-68.3.0-1.mga7
firefox-ga_IE-68.3.0-1.mga7
firefox-gd-68.3.0-1.mga7
firefox-gl-68.3.0-1.mga7
firefox-gu_IN-68.3.0-1.mga7
firefox-he-68.3.0-1.mga7
firefox-hi_IN-68.3.0-1.mga7
firefox-hr-68.3.0-1.mga7
firefox-hsb-68.3.0-1.mga7
firefox-hu-68.3.0-1.mga7
firefox-hy_AM-68.3.0-1.mga7
firefox-id-68.3.0-1.mga7
firefox-is-68.3.0-1.mga7
firefox-it-68.3.0-1.mga7
firefox-ja-68.3.0-1.mga7
firefox-kk-68.3.0-1.mga7
firefox-km-68.3.0-1.mga7
firefox-kn-68.3.0-1.mga7
firefox-ko-68.3.0-1.mga7
firefox-lij-68.3.0-1.mga7
firefox-lt-68.3.0-1.mga7
firefox-lv-68.3.0-1.mga7
firefox-mk-68.3.0-1.mga7
firefox-mr-68.3.0-1.mga7
firefox-ms-68.3.0-1.mga7
firefox-nb_NO-68.3.0-1.mga7
firefox-nl-68.3.0-1.mga7
firefox-nn_NO-68.3.0-1.mga7
firefox-pa_IN-68.3.0-1.mga7
firefox-pl-68.3.0-1.mga7
firefox-pt_BR-68.3.0-1.mga7
firefox-pt_PT-68.3.0-1.mga7
firefox-ro-68.3.0-1.mga7
firefox-ru-68.3.0-1.mga7
firefox-si-68.3.0-1.mga7
firefox-sk-68.3.0-1.mga7
firefox-sl-68.3.0-1.mga7
firefox-sq-68.3.0-1.mga7
firefox-sr-68.3.0-1.mga7
firefox-sv_SE-68.3.0-1.mga7
firefox-ta-68.3.0-1.mga7
firefox-te-68.3.0-1.mga7
firefox-th-68.3.0-1.mga7
firefox-tr-68.3.0-1.mga7
firefox-uk-68.3.0-1.mga7
firefox-uz-68.3.0-1.mga7
firefox-vi-68.3.0-1.mga7
firefox-xh-68.3.0-1.mga7
firefox-zh_CN-68.3.0-1.mga7
firefox-zh_TW-68.3.0-1.mga7
lib(64)nspr4-4.24-1.mga7
lib(64)nspr-devel-4.24-1.mga7

from SRPMS:
firefox-68.3.0-1.mga7.src.rpm
firefox-l10n-68.3.0-1.mga7.src.rpm
nspr-4.24-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 4 Thomas Backlund 2019-12-06 21:13:41 CET
Seems to work ok here on x86_64

CC: (none) => tmb

Comment 5 Herman Viaene 2019-12-07 10:58:34 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Tested usual newspaper site and one of my own pages: all OK.

CC: (none) => herman.viaene

Comment 6 José Jorge 2019-12-07 17:56:11 CET
MGA7-32 all ok, even heavy YouTube playing.

CC: (none) => lists.jjorge
Whiteboard: (none) => MGA7-32-OK

Comment 7 James Kerr 2019-12-08 15:09:45 CET
on mga7-64  kernel-desktop  plasma

packages installed cleanly:
- lib64nss3-3.47.1-1.mga7.x86_64
- nss-3.47.1-1.mga7.x86_64
- rootcerts-20191126.00-1.mga7.noarch
- rootcerts-java-20191126.00-1.mga7.noarch
- firefox-68.3.0-1.mga7.x86_64
- firefox-en_GB-68.3.0-1.mga7.noarch
- firefox-en_US-68.3.0-1.mga7.noarch
- lib64nspr4-4.24-1.mga7.x86_64

no regressions observed

looks OK for mga7-64

CC: (none) => jim

David Walser 2019-12-08 16:40:39 CET

Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OK

Thomas Backlund 2019-12-08 18:40:18 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2019-12-08 19:13:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0376.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 9 David Walser 2019-12-09 15:26:40 CET
Red Hat has issued an advisory for this on December 5:
https://access.redhat.com/errata/RHSA-2019:4107
