Fedora has issued an advisory on June 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/ The issues are fixed upstream in 60.7.2. gjs had to be rebuilt against the update mozjs60: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered maintainer, so assigning globally. CC relatively recent committers MartinW and DavidG.
CC: (none) => geiger.david68210, mageiaAssignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix security vulnerabilities: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2. (CVE-2019-11707) Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. (CVE-2019-11708) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OS4TDQ75LLRCFOAXMPHTQE6XCPJGZQ6X/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZS2X4UWVWTNTNWOCAJYQO77GGSSI3H6K/ ======================== Updated packages in core/updates_testing: ======================== lib(64)mozjs60-60.9.0-1.mga7 lib(64)mozjs60-devel-60.9.0-1.mga7 gjs-1.56.2-1.1.mga7 gjs-common-1.56.2-1.1.mga7 lib(64)gjs0-1.56.2-1.1.mga7 lib(64)gjs-devel-1.56.2-1.1.mga7 lib(64)gjs-gir1.0-1.56.2-1.1.mga7 from SRPMS: mozjs60-60.9.0-1.mga7.src.rpm gjs-1.56.2-1.1.mga7.src.rpm
Status: NEW => ASSIGNEDVersion: Cauldron => 7CVE: (none) => CVE-2019-11707, CVE-2019-11708Source RPM: mozjs60-60.4.0-2.mga7.src.rpm => mozjs60-60.4.0-2.mga7.src.rpm, gjs-1.56.2-1.mga7.src.rpmCC: (none) => nicolas.salgueroWhiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Addendum to advisory: The mozjs60 package has been updated to version 60.9.0, fixing these issues and other bugs. The gjs package has been rebuilt against the updated mozjs60.
MGA7-64 Plasma on Lenovo B50 No installation issues. No apparent ill effects on system, so like other Java stuff OK'ing on clean install.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA7-64-OK
Validating. Advisory information in Comment 2 and Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0009.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED