Mozilla has released Firefox 68.9.0 today (June 1): https://www.mozilla.org/en-US/firefox/68.9.0/releasenotes/ Release notes are not available yet. NSS 3.53 is also out: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes Update in progress. Package list will be as follows. Updated packages in core/updates_testing: ======================== rootcerts-20200527.00-1.mga7 rootcerts-java-20200527.00-1.mga7 nss-3.53.0-1.mga7 nss-doc-3.53.0-1.mga7 libnss3-3.53.0-1.mga7 libnss-devel-3.53.0-1.mga7 libnss-static-devel-3.53.0-1.mga7 firefox-68.9.0-1.mga7 firefox-devel-68.9.0-1.mga7 firefox-af-68.9.0-1.mga7 firefox-an-68.9.0-1.mga7 firefox-ar-68.9.0-1.mga7 firefox-ast-68.9.0-1.mga7 firefox-az-68.9.0-1.mga7 firefox-bg-68.9.0-1.mga7 firefox-bn-68.9.0-1.mga7 firefox-br-68.9.0-1.mga7 firefox-bs-68.9.0-1.mga7 firefox-ca-68.9.0-1.mga7 firefox-cs-68.9.0-1.mga7 firefox-cy-68.9.0-1.mga7 firefox-da-68.9.0-1.mga7 firefox-de-68.9.0-1.mga7 firefox-el-68.9.0-1.mga7 firefox-en_GB-68.9.0-1.mga7 firefox-en_US-68.9.0-1.mga7 firefox-eo-68.9.0-1.mga7 firefox-es_AR-68.9.0-1.mga7 firefox-es_CL-68.9.0-1.mga7 firefox-es_ES-68.9.0-1.mga7 firefox-es_MX-68.9.0-1.mga7 firefox-et-68.9.0-1.mga7 firefox-eu-68.9.0-1.mga7 firefox-fa-68.9.0-1.mga7 firefox-ff-68.9.0-1.mga7 firefox-fi-68.9.0-1.mga7 firefox-fr-68.9.0-1.mga7 firefox-fy_NL-68.9.0-1.mga7 firefox-ga_IE-68.9.0-1.mga7 firefox-gd-68.9.0-1.mga7 firefox-gl-68.9.0-1.mga7 firefox-gu_IN-68.9.0-1.mga7 firefox-he-68.9.0-1.mga7 firefox-hi_IN-68.9.0-1.mga7 firefox-hr-68.9.0-1.mga7 firefox-hsb-68.9.0-1.mga7 firefox-hu-68.9.0-1.mga7 firefox-hy_AM-68.9.0-1.mga7 firefox-id-68.9.0-1.mga7 firefox-is-68.9.0-1.mga7 firefox-it-68.9.0-1.mga7 firefox-ja-68.9.0-1.mga7 firefox-kk-68.9.0-1.mga7 firefox-km-68.9.0-1.mga7 firefox-kn-68.9.0-1.mga7 firefox-ko-68.9.0-1.mga7 firefox-lij-68.9.0-1.mga7 firefox-lt-68.9.0-1.mga7 firefox-lv-68.9.0-1.mga7 firefox-mk-68.9.0-1.mga7 firefox-mr-68.9.0-1.mga7 firefox-ms-68.9.0-1.mga7 firefox-nb_NO-68.9.0-1.mga7 firefox-nl-68.9.0-1.mga7 firefox-nn_NO-68.9.0-1.mga7 firefox-pa_IN-68.9.0-1.mga7 firefox-pl-68.9.0-1.mga7 firefox-pt_BR-68.9.0-1.mga7 firefox-pt_PT-68.9.0-1.mga7 firefox-ro-68.9.0-1.mga7 firefox-ru-68.9.0-1.mga7 firefox-si-68.9.0-1.mga7 firefox-sk-68.9.0-1.mga7 firefox-sl-68.9.0-1.mga7 firefox-sq-68.9.0-1.mga7 firefox-sr-68.9.0-1.mga7 firefox-sv_SE-68.9.0-1.mga7 firefox-ta-68.9.0-1.mga7 firefox-te-68.9.0-1.mga7 firefox-th-68.9.0-1.mga7 firefox-tr-68.9.0-1.mga7 firefox-uk-68.9.0-1.mga7 firefox-uz-68.9.0-1.mga7 firefox-vi-68.9.0-1.mga7 firefox-xh-68.9.0-1.mga7 firefox-zh_CN-68.9.0-1.mga7 firefox-zh_TW-68.9.0-1.mga7 from SRPMS: rootcerts-20200527.00-1.mga7.src.rpm nss-3.53.0-1.mga7.src.rpm firefox-68.9.0-1.mga7.src.rpm firefox-l10n-68.9.0-1.mga7.src.rpm
Blocks: (none) => 26709
nss is failing to build: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20200601172555.luigiwalser.duvel.10227/log/nss-3.53.0-1.mga8/build.0.20200601172603.log
Assignee: bugsquad => pkg-bugs
RedHat has issued an advisory for this today (June 3): https://access.redhat.com/errata/RHSA-2020:2379
OK the way you have to call make during the build process changed, so I fixed that the same way Fedora did. However, now libnssckbi.so doesn't get built. Fedora actually hasn't provided it for years, linking it to p11-kit-trust.so from p11-kit-trust. So I'm doing that in Cauldron, but I'm not 100% sure what the implications of that are.
It did indeed cause problems. I'm hoping I found the right fix. I found this: https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules which led me to this: https://src.fedoraproject.org/rpms/nss/c/6f4f615c051ed6204a08973fe13046c05da5cf20?branch=master so I did something similar in nss, and had to fix a packaging error in p11-kit: http://svnweb.mageia.org/packages?view=revision&revision=1590433 If I do the same in Mageia 7, we'll probably need to update crypto-policies too.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=26729
CC: (none) => boulshet
Blocks: (none) => 26705
nss is affected by CVE-2020-12399. Ubuntu has issued an advisory on June 16: https://usn.ubuntu.com/4397-1/ Fortunately this is fixed in NSS 3.52.1, which I wasn't previously aware of: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52.1_release_notes We can use that here, and hold off on 3.53+ until upgrading to the next ESR.
Advisory: ======================== Updated nss and firefox packages fix security vulnerabilities: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys (CVE-2020-12399). When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash due to a use-after-free (CVE-2020-12405). Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash due to type confusion with NativeTypes. We presume that with enough effort that it could be exploited to run arbitrary code (CVE-2020-12406). Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12410). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12399 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52.1_release_notes https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/ ======================== Updated packages in core/updates_testing: ======================== rootcerts-20200527.00-1.mga7 rootcerts-java-20200527.00-1.mga7 nss-3.52.1-1.mga7 nss-doc-3.52.1-1.mga7 libnss3-3.52.1-1.mga7 libnss-devel-3.52.1-1.mga7 libnss-static-devel-3.52.1-1.mga7 firefox-68.9.0-1.mga7 firefox-devel-68.9.0-1.mga7 firefox-af-68.9.0-1.mga7 firefox-an-68.9.0-1.mga7 firefox-ar-68.9.0-1.mga7 firefox-ast-68.9.0-1.mga7 firefox-az-68.9.0-1.mga7 firefox-bg-68.9.0-1.mga7 firefox-bn-68.9.0-1.mga7 firefox-br-68.9.0-1.mga7 firefox-bs-68.9.0-1.mga7 firefox-ca-68.9.0-1.mga7 firefox-cs-68.9.0-1.mga7 firefox-cy-68.9.0-1.mga7 firefox-da-68.9.0-1.mga7 firefox-de-68.9.0-1.mga7 firefox-el-68.9.0-1.mga7 firefox-en_GB-68.9.0-1.mga7 firefox-en_US-68.9.0-1.mga7 firefox-eo-68.9.0-1.mga7 firefox-es_AR-68.9.0-1.mga7 firefox-es_CL-68.9.0-1.mga7 firefox-es_ES-68.9.0-1.mga7 firefox-es_MX-68.9.0-1.mga7 firefox-et-68.9.0-1.mga7 firefox-eu-68.9.0-1.mga7 firefox-fa-68.9.0-1.mga7 firefox-ff-68.9.0-1.mga7 firefox-fi-68.9.0-1.mga7 firefox-fr-68.9.0-1.mga7 firefox-fy_NL-68.9.0-1.mga7 firefox-ga_IE-68.9.0-1.mga7 firefox-gd-68.9.0-1.mga7 firefox-gl-68.9.0-1.mga7 firefox-gu_IN-68.9.0-1.mga7 firefox-he-68.9.0-1.mga7 firefox-hi_IN-68.9.0-1.mga7 firefox-hr-68.9.0-1.mga7 firefox-hsb-68.9.0-1.mga7 firefox-hu-68.9.0-1.mga7 firefox-hy_AM-68.9.0-1.mga7 firefox-id-68.9.0-1.mga7 firefox-is-68.9.0-1.mga7 firefox-it-68.9.0-1.mga7 firefox-ja-68.9.0-1.mga7 firefox-kk-68.9.0-1.mga7 firefox-km-68.9.0-1.mga7 firefox-kn-68.9.0-1.mga7 firefox-ko-68.9.0-1.mga7 firefox-lij-68.9.0-1.mga7 firefox-lt-68.9.0-1.mga7 firefox-lv-68.9.0-1.mga7 firefox-mk-68.9.0-1.mga7 firefox-mr-68.9.0-1.mga7 firefox-ms-68.9.0-1.mga7 firefox-nb_NO-68.9.0-1.mga7 firefox-nl-68.9.0-1.mga7 firefox-nn_NO-68.9.0-1.mga7 firefox-pa_IN-68.9.0-1.mga7 firefox-pl-68.9.0-1.mga7 firefox-pt_BR-68.9.0-1.mga7 firefox-pt_PT-68.9.0-1.mga7 firefox-ro-68.9.0-1.mga7 firefox-ru-68.9.0-1.mga7 firefox-si-68.9.0-1.mga7 firefox-sk-68.9.0-1.mga7 firefox-sl-68.9.0-1.mga7 firefox-sq-68.9.0-1.mga7 firefox-sr-68.9.0-1.mga7 firefox-sv_SE-68.9.0-1.mga7 firefox-ta-68.9.0-1.mga7 firefox-te-68.9.0-1.mga7 firefox-th-68.9.0-1.mga7 firefox-tr-68.9.0-1.mga7 firefox-uk-68.9.0-1.mga7 firefox-uz-68.9.0-1.mga7 firefox-vi-68.9.0-1.mga7 firefox-xh-68.9.0-1.mga7 firefox-zh_CN-68.9.0-1.mga7 firefox-zh_TW-68.9.0-1.mga7 from SRPMS: rootcerts-20200527.00-1.mga7.src.rpm nss-3.52.1-1.mga7.src.rpm firefox-68.9.0-1.mga7.src.rpm firefox-l10n-68.9.0-1.mga7.src.rpm
See Also: https://bugs.mageia.org/show_bug.cgi?id=26729 => (none)
Can't bootstrap the Firefox build at the moment because of the broken nodejs stuff in core/updates_testing.
CC: (none) => mageia
And now there's CVE-2020-12402 fixed in NSS 3.53.1: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes Also new rootcerts out (20200612).
Moved Firefox 68.9 update to Bug 26828. Will use this bug for the next ESR branch, which will need many of the notes in this bug, as well as will have the next rootcerts update (currently 20200612) and nss 3.53.1 (Comment 8).
Summary: Firefox 68.9 => Firefox 78.0 and nss new security issue CVE-2020-12402Blocks: 26705, 26709 => (none)
Also coming, NSPR 4.26: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/YDlWqMPNR9Y
And NSS 3.54: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes
Debian-LTS has issued an advisory for the nss issues on June 30: https://www.debian.org/lts/security/2020/dla-2266
Moved nss issue CVE-2020-12402 and nspr 4.26 update to Bug 26890.
Summary: Firefox 78.0 and nss new security issue CVE-2020-12402 => Firefox 78.1
You meant 78.0.1 instead of 78.1 I think. Note that 78.0.1 is available in Cauldron, you can start to backport it…
CC: (none) => thierry.vignaudSummary: Firefox 78.1 => Firefox 78.0.1
Thanks for fixing it. I actually meant 78.1 as I won't start backporting it until at least then. 68.10 had the same fixes as 78.0 so we don't need that one.
Summary: Firefox 78.0.1 => Firefox 78.1
In fact, given the risks with all the changes this will require, I'll put it off as long as possible: https://wiki.mozilla.org/Release_Management/Calendar So after we push 68.12, we'll build 78.2 just for internal testing and target 78.3 for the first public release.
Summary: Firefox 78.1 => Firefox 78.3
Blocks: (none) => 26965
NSPR 4.27: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/3626XG8mLJw which I will update in another bug, but NSS 3.55 will stay here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes It fixes CVE-2020-6829 and CVE-2020-1240[013].
Nicolas Salguero found patches for the CVEs fixed in NSS 3.55, so we can take care of those in Bug 27001.
Just saw this note on the dev ml from Christiaan: "If you use build.sh (which uses gyp), then libnssckbi.so is built. For example: ./build.sh --target x64 --opt --system-sqlite --with-nspr=/usr/include/nspr4: --disable-tests " So maybe the craziness can be avoided when updating mga7. We'll see...
I see Christiaan later posted on the ml an SRPM, but his website is inaccessible. CC'ing Christiaan so he can post the needed SPEC changes here.
CC: (none) => cjw
Using that alternative build method, static libraries are not built, and AFAICT this is not very easy to fix. There must be some bug in the makefiles that causes libnssckbi.so not to be built anymore. Has upstream not fixed this by now?
I don't think upstream cares.
NSPR 4.28: https://groups.google.com/g/mozilla.dev.tech.nspr/c/YLamaq1rVco which I will update in another bug, but NSS 3.56 will stay here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes No CVEs listed there at the moment, and no new NSS 3.52.x or rootcerts right now.
(In reply to David Walser from comment #18) > Nicolas Salguero found patches for the CVEs fixed in NSS 3.55, so we can > take care of those in Bug 27001. This should have said Bug 27011.
(In reply to David Walser from comment #23) > NSPR 4.28: > https://groups.google.com/g/mozilla.dev.tech.nspr/c/YLamaq1rVco That's in Bug 27193. Once that's pushed, we can start working on this bug.
Underlying package updates committed in SVN. I think they should be built in this order: - crypto-policies - p11-kit - rootcerts - nss Some References for the future update: https://fedoraproject.org/wiki/Changes/CryptoPolicy https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes Still need to commit firefox and firefox-l10n. Would be nice to clean updates_testing first too.
I've checked everything in updates_testing and either assigned it to QA, pinged the bug, pinged a needed packager, or determined that the package isn't needed, so I'll be asking for updates_testing to be wiped once the currently assigned to QA bugs are dealt with.
Underlying packages built and uploaded. Now trying to build firefox. crypto-policies-20200813-1.mga7 p11-kit-0.23.21-1.mga7 libp11-kit0-0.23.21-1.mga7 libp11-kit-devel-0.23.21-1.mga7 p11-kit-trust-0.23.21-1.mga7 rootcerts-20200612.00-1.1.mga7 rootcerts-java-20200612.00-1.1.mga7 nss-3.56.0-1.mga7 nss-doc-3.56.0-1.mga7 libnss3-3.56.0-1.mga7 libnss-devel-3.56.0-1.mga7 libnss-static-devel-3.56.0-1.mga7 from SRPMS: crypto-policies-20200813-1.mga7.src.rpm p11-kit-0.23.21-1.mga7.src.rpm rootcerts-20200612.00-1.1.mga7.src.rpm nss-3.56.0-1.mga7.src.rpm
Hi Rémi, it says rust is too old and needs to be updated to at least 1.41: http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20200907193230.luigiwalser.duvel.17616/log/firefox-78.2.0-1.mga7/build.0.20200907193411.log
CC: (none) => rverschelde
FYI to anyone watching, 1.43 is the rust version that Mozilla used for their 78 builds, so I'm waiting for that before building Firefox. Apparently the rust versions need to be stepped up one at a time.
rust 1.42 isn't building so it might be a while before we get to 1.43. Trying to build Firefox now.
Ouch, Firefox needs an update nodejs to build.
Depends on: (none) => 25314
Depends on: (none) => 27268
nspr 4.29 will be a part of this: https://groups.google.com/g/mozilla.dev.tech.nspr/c/zrirzzoOjeg as are updated rootcerts and NSS 3.57: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes and Firefox 78.3.0 is actually out now: https://www.mozilla.org/en-US/firefox/78.3.0/releasenotes/
Blocks: (none) => 27257
Hi, The problem with nodejs in Mageia 7 will be solved with nodejs-10.22.1-1.mga7. Best regards, Nico.
CC: (none) => nicolas.salguero
Thanks. Underlying packages are now: crypto-policies-20200813-1.mga7 p11-kit-0.23.21-1.mga7 libp11-kit0-0.23.21-1.mga7 libp11-kit-devel-0.23.21-1.mga7 p11-kit-trust-0.23.21-1.mga7 libnspr4-4.29-1.mga7 libnspr-devel-4.29-1.mga7 rootcerts-20200911.00-1.mga7 rootcerts-java-20200911.00-1.mga7 nss-3.57.0-1.mga7 nss-doc-3.57.0-1.mga7 libnss3-3.57.0-1.mga7 libnss-devel-3.57.0-1.mga7 libnss-static-devel-3.57.0-1.mga7 from SRPMS: crypto-policies-20200813-1.mga7.src.rpm p11-kit-0.23.21-1.mga7.src.rpm nspr-4.29-1.mga7.src.rpm rootcerts-20200911.00-1.mga7.src.rpm nss-3.57.0-1.mga7.src.rpm Some References for the future update: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678 https://fedoraproject.org/wiki/Changes/CryptoPolicy https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules https://groups.google.com/g/mozilla.dev.tech.nspr/c/zrirzzoOjeg https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/ RedHat has issued an advisory for Firefox 78.3 today (September 24): https://access.redhat.com/errata/RHSA-2020:3832
Nicolas, when pushing firefox/thunderbird to the build system, please wait until it successfully builds before pushing -l10n, otherwise if the build fails we end up with a mess on our hands.
Sorry, I was a bit too fast. When I push to release (Cauldron), I try to think about it but when I push to updates_testing, I often forget to wait a little. My bad.
Advisory: ======================== Updated firefox packages fix security vulnerabilities: Mozilla developer Jason Kratzer reported memory safety bugs present in Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15673). Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in a XSS issue due to JavaScript being executed after pasting attacker-controlled data into a contenteditable element (CVE-2020-15676). By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from (CVE-2020-15677). When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules (CVE-2020-15678). The firefox package has been updated to the 78.x ESR branch, which brings significant changes in how CA certificates and smart cards are loaded into Firefox. The root CA certificates are no longer statically built into the nss library. They are loaded dynamically via p11-kit-trust, and therefore may be modified by the system administrator. Smart card support should be automatically loaded via p11-kit-trust as well, rather than requiring opensc to be manually loaded. NSS also now complies with the system crypto policy, which is provided by the crypto-policies package. See the fedoraproject references for details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15673 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15676 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15677 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15678 https://fedoraproject.org/wiki/Changes/CryptoPolicy https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules https://groups.google.com/g/mozilla.dev.tech.nspr/c/zrirzzoOjeg https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.54_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/ ======================== Updated packages in core/updates_testing: ======================== crypto-policies-20200813-1.mga7 p11-kit-0.23.21-1.mga7 libp11-kit0-0.23.21-1.mga7 libp11-kit-devel-0.23.21-1.mga7 p11-kit-trust-0.23.21-1.mga7 libnspr4-4.29-1.mga7 libnspr-devel-4.29-1.mga7 rootcerts-20200911.00-1.mga7 rootcerts-java-20200911.00-1.mga7 nss-3.57.0-1.mga7 nss-doc-3.57.0-1.mga7 libnss3-3.57.0-1.mga7 libnss-devel-3.57.0-1.mga7 libnss-static-devel-3.57.0-1.mga7 firefox-78.3.0-1.mga7 firefox-devel-78.3.0-1.mga7 firefox-af-78.3.0-1.mga7 firefox-an-78.3.0-1.mga7 firefox-ar-78.3.0-1.mga7 firefox-ast-78.3.0-1.mga7 firefox-az-78.3.0-1.mga7 firefox-be-78.3.0-1.mga7 firefox-bg-78.3.0-1.mga7 firefox-bn-78.3.0-1.mga7 firefox-br-78.3.0-1.mga7 firefox-bs-78.3.0-1.mga7 firefox-ca-78.3.0-1.mga7 firefox-cs-78.3.0-1.mga7 firefox-cy-78.3.0-1.mga7 firefox-da-78.3.0-1.mga7 firefox-de-78.3.0-1.mga7 firefox-el-78.3.0-1.mga7 firefox-en_CA-78.3.0-1.mga7 firefox-en_GB-78.3.0-1.mga7 firefox-en_US-78.3.0-1.mga7 firefox-eo-78.3.0-1.mga7 firefox-es_AR-78.3.0-1.mga7 firefox-es_CL-78.3.0-1.mga7 firefox-es_ES-78.3.0-1.mga7 firefox-es_MX-78.3.0-1.mga7 firefox-et-78.3.0-1.mga7 firefox-eu-78.3.0-1.mga7 firefox-fa-78.3.0-1.mga7 firefox-ff-78.3.0-1.mga7 firefox-fi-78.3.0-1.mga7 firefox-fr-78.3.0-1.mga7 firefox-fy_NL-78.3.0-1.mga7 firefox-ga_IE-78.3.0-1.mga7 firefox-gd-78.3.0-1.mga7 firefox-gl-78.3.0-1.mga7 firefox-gu_IN-78.3.0-1.mga7 firefox-he-78.3.0-1.mga7 firefox-hi_IN-78.3.0-1.mga7 firefox-hr-78.3.0-1.mga7 firefox-hsb-78.3.0-1.mga7 firefox-hu-78.3.0-1.mga7 firefox-hy_AM-78.3.0-1.mga7 firefox-ia-78.3.0-1.mga7 firefox-id-78.3.0-1.mga7 firefox-is-78.3.0-1.mga7 firefox-it-78.3.0-1.mga7 firefox-ja-78.3.0-1.mga7 firefox-ka-78.3.0-1.mga7 firefox-kab-78.3.0-1.mga7 firefox-kk-78.3.0-1.mga7 firefox-km-78.3.0-1.mga7 firefox-kn-78.3.0-1.mga7 firefox-ko-78.3.0-1.mga7 firefox-lij-78.3.0-1.mga7 firefox-lt-78.3.0-1.mga7 firefox-lv-78.3.0-1.mga7 firefox-mk-78.3.0-1.mga7 firefox-mr-78.3.0-1.mga7 firefox-ms-78.3.0-1.mga7 firefox-my-78.3.0-1.mga7 firefox-nb_NO-78.3.0-1.mga7 firefox-nl-78.3.0-1.mga7 firefox-nn_NO-78.3.0-1.mga7 firefox-oc-78.3.0-1.mga7 firefox-pa_IN-78.3.0-1.mga7 firefox-pl-78.3.0-1.mga7 firefox-pt_BR-78.3.0-1.mga7 firefox-pt_PT-78.3.0-1.mga7 firefox-ro-78.3.0-1.mga7 firefox-ru-78.3.0-1.mga7 firefox-si-78.3.0-1.mga7 firefox-sk-78.3.0-1.mga7 firefox-sl-78.3.0-1.mga7 firefox-sq-78.3.0-1.mga7 firefox-sr-78.3.0-1.mga7 firefox-sv_SE-78.3.0-1.mga7 firefox-ta-78.3.0-1.mga7 firefox-te-78.3.0-1.mga7 firefox-th-78.3.0-1.mga7 firefox-tl-78.3.0-1.mga7 firefox-tr-78.3.0-1.mga7 firefox-uk-78.3.0-1.mga7 firefox-ur-78.3.0-1.mga7 firefox-uz-78.3.0-1.mga7 firefox-vi-78.3.0-1.mga7 firefox-xh-78.3.0-1.mga7 firefox-zh_CN-78.3.0-1.mga7 firefox-zh_TW-78.3.0-1.mga7 from SRPMS: crypto-policies-20200813-1.mga7.src.rpm p11-kit-0.23.21-1.mga7.src.rpm nspr-4.29-1.mga7.src.rpm rootcerts-20200911.00-1.mga7.src.rpm nss-3.57.0-1.mga7.src.rpm firefox-78.3.0-1.mga7.src.rpm firefox-l10n-78.3.0-1.mga7.src.rpm
Packages built and should be available on mirrors in the next couple hours. Advisory and package list in Comment 38.
Assignee: pkg-bugs => qa-bugs
Testing on Mageia 7.1 Plasma x86_64, nvidia-current nonfree drivers. Install the 7 following packages from ftp.free.fr mirror: - firefox-78.3.0-1.mga7.x86_64 - firefox-fr-78.3.0-1.mga7.noarch - lib64nspr4-4.29-1.mga7.x86_64 - lib64nss3-3.57.0-1.mga7.x86_64 - nss-3.57.0-1.mga7.x86_64 - rootcerts-20200911.00-1.mga7.noarch - rootcerts-java-20200911.00-1.mga7.noarch Installation OK. Run firefox from Plasma menu : 1) Open several website is OK. 2) My bank site is ok. 3) Medias well played. 4) widevine DRM enabled websites like spotify, netflix are OK 5) No apparent crash. 6) Importing settings is OK. Firefox Sync correctly imported. MGA7-64-OK Should be validated_update.
CC: (none) => ouaurelien, sysadmin-bugsKeywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA7-64-OK
mga7, x86_64 Confirmed that the browser supports playing Youtube videos in an html5 framework - https://www.youtube.com/supported_browsers
CC: (none) => tarazed25
Let's give QA more time with this one.
Keywords: validated_update => (none)
In VirtualBox, M7.1, Plasma, 64-bit Package(s) under test: Firefox Package(s) under test: firefox firefox-en_US firefox-en_GB default install of firefox firefox-en_US & firefox-en_GB [root@localhost wilcal]# urpmi firefox Package firefox-68.12.0-2.mga7.x86_64 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-68.12.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-68.12.0-1.mga7.noarch is already installed Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine. http://www.webstandards.org/files/acid2/test.html#top test ok http://acid3.acidtests.org/ test ok https://html5test.com/ test ok install firefox firefox-en_US firefox-en_GB from updates_testing The following 8 packages are going to be installed: - firefox-78.3.0-1.mga7.x86_64 - firefox-en_GB-78.3.0-1.mga7.noarch - firefox-en_US-78.3.0-1.mga7.noarch - lib64nspr4-4.29-1.mga7.x86_64 - lib64nss3-3.57.0-1.mga7.x86_64 - lib64p11-kit0-0.23.21-1.mga7.x86_64 - p11-kit-0.23.21-1.mga7.x86_64 - p11-kit-trust-0.23.21-1.mga7.x86_64 [root@localhost wilcal]# urpmi firefox Package firefox-78.3.0-1.mga7.x86_64 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-78.3.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-78.3.0-1.mga7.noarch is already installed Fail everywhere. Every website I attempt to load throws a: "Warning: Potential Security Risk Ahead" Error. Even CNN and BBC fail to load due to the above error Looks like it's associated with the CERTS
CC: (none) => wilcal.int
Look at the package list again and make sure you update all relevant packages.
Browsing without problems over an hour or so. Have added a doc file and a couple of devel packages. Made a donation online and that went OK. No faults here so far.
(In reply to David Walser from comment #44) > Look at the package list again and make sure you update all relevant > packages. Look at the list of packages that got installed in my Comment 43. That is what the MCC choose, or choose not, to install. Is there something missing there?
You were missing packages, as I said. It's not just going to do it for you, you have to make sure to select all relevant packages.
(In reply to David Walser from comment #47) > You were missing packages, as I said. It's not just going to do it for you, > you have to make sure to select all relevant packages. I did that and it does not work. I've updated Firefox dozens and dozens of times successfully. This time it fell on it's face, literally.
No, there's no it to fall on its face, *you* have to make sure all of the needed packages get selected. From what you posted, you missed the rootcerts and crypto-policies packages.
(In reply to William Kenney from comment #48) > I did that and it does not work. > I've updated Firefox dozens and dozens of times successfully. > This time it fell on it's face, literally. Specifically, did you include ... rootcerts-20200527.00-1.mga7 rootcerts-java-20200527.00-1.mga7 nss-3.53.0-1.mga7 nss-doc-3.53.0-1.mga7 libnss3-3.53.0-1.mga7 It's working ok here on all of the sites I normally use.
CC: (none) => davidwhodgins
Realized right after I posted the above ... http://mirrors.mageia.org/status The princeton mirror and the mirrors that sync from it haven't synced for two days. I emailed the admin a few earlier today, but no response yet. The kernel.org and distrib.coffee are currently up-to-date.
Used a European second tier mirror here and that is up-to-date.
Ok, Lets try this again Thanks David. In VirtualBox, M7.1, Gnome, 32-bit Package(s) under test: Firefox Package(s) under test: firefox firefox-en_US firefox-en_GB rootcerts rootcerts-java crypto-policies default install of: firefox firefox-en_US firefox-en_GB rootcerts rootcerts-java crypto-policies [root@localhost wilcal]# urpmi firefox Package firefox-68.12.0-2.mga7.i586 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-68.12.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-68.12.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts Package rootcerts-20200612.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts-java Package rootcerts-java-20200612.00-1.mga7.noarch is already installed Marking rootcerts-java as manually installed, it won't be auto-orphaned writing /var/lib/rpm/installed-through-deps.list [root@localhost wilcal]# urpmi crypto-policies Package crypto-policies-20170606-2.mga7.noarch is already installed Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine. http://www.webstandards.org/files/acid2/test.html#top test ok http://acid3.acidtests.org/ test ok https://html5test.com/ test ok install: firefox firefox-en_US firefox-en_GB rootcerts rootcerts-java crypto-policies from updates_testing The following 11 packages are going to be installed: - crypto-policies-20200813-1.mga7.noarch - firefox-78.3.0-1.mga7.x86_64 - firefox-en_GB-78.3.0-1.mga7.noarch - firefox-en_US-78.3.0-1.mga7.noarch - lib64nspr4-4.29-1.mga7.x86_64 - lib64nss3-3.57.0-1.mga7.x86_64 - lib64p11-kit0-0.23.21-1.mga7.x86_64 - p11-kit-0.23.21-1.mga7.x86_64 - p11-kit-trust-0.23.21-1.mga7.x86_64 - rootcerts-20200911.00-1.mga7.noarch - rootcerts-java-20200911.00-1.mga7.noarch [root@localhost wilcal]# urpmi firefox Package firefox-78.3.0-1.mga7.i586 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-78.3.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-78.3.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts Package rootcerts-20200911.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts-java Package rootcerts-java-20200911.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi crypto-policies Package crypto-policies-20200813-1.mga7.noarch is already installed Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine. http://www.webstandards.org/files/acid2/test.html#top test ok http://acid3.acidtests.org/ test ok https://html5test.com/ test ok
In VirtualBox, M7.1, Plasma, 64-bit Package(s) under test: Firefox Package(s) under test: firefox firefox-en_US firefox-en_GB rootcerts rootcerts-java crypto-policies default install of firefox firefox-en_US & firefox-en_GB [root@localhost wilcal]# urpmi firefox Package firefox-68.12.0-2.mga7.x86_64 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-68.12.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-68.12.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts Package rootcerts-20200612.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts-java Package rootcerts-java-20200612.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi crypto-policies Package crypto-policies-20170606-2.mga7.noarch is already installed Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine. http://www.webstandards.org/files/acid2/test.html#top test ok http://acid3.acidtests.org/ test ok https://html5test.com/ test ok install: firefox firefox-en_US firefox-en_GB rootcerts rootcerts-java crypto-policies from updates_testing The following 11 packages are going to be installed: - crypto-policies-20200813-1.mga7.noarch - firefox-78.3.0-1.mga7.i586 - firefox-en_GB-78.3.0-1.mga7.noarch - firefox-en_US-78.3.0-1.mga7.noarch - libnspr4-4.29-1.mga7.i586 - libnss3-3.57.0-1.mga7.i586 - libp11-kit0-0.23.21-1.mga7.i586 - p11-kit-0.23.21-1.mga7.i586 - p11-kit-trust-0.23.21-1.mga7.i586 - rootcerts-20200911.00-1.mga7.noarch - rootcerts-java-20200911.00-1.mga7.noarch [root@localhost wilcal]# urpmi firefox Package firefox-78.3.0-1.mga7.x86_64 is already installed [root@localhost wilcal]# urpmi firefox-en_US Package firefox-en_US-78.3.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi firefox-en_GB Package firefox-en_GB-78.3.0-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts Package rootcerts-20200911.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi rootcerts-java Package rootcerts-java-20200911.00-1.mga7.noarch is already installed [root@localhost wilcal]# urpmi crypto-policies Package crypto-policies-20200813-1.mga7.noarch is already installed Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine. http://www.webstandards.org/files/acid2/test.html#top test ok http://acid3.acidtests.org/ test ok https://html5test.com/ test ok
Just note, as I've told you in the past, urpmi is not a good way to install testing updates (unless the update is a single package), as it messes up your orphans tracking (which you can see in your output above), and your method of using it contributes to you missing packages in updates like this (hence why we've discussed this before, as you've had this issue before). It's better to use MageiaUpdate where it's easier to see and check the right available packages, or to use qarepo with the package list and urpmi --auto-select it. Either method will not mess up your orphans tracking either.
on mga7-64 kernel-desktop plasma packages installed cleanly: - crypto-policies-20200813-1.mga7.noarch - firefox-78.3.0-1.mga7.x86_64 - firefox-en_GB-78.3.0-1.mga7.noarch - firefox-en_US-78.3.0-1.mga7.noarch - lib64nspr4-4.29-1.mga7.x86_64 - lib64nss3-3.57.0-1.mga7.x86_64 - lib64p11-kit0-0.23.21-1.mga7.x86_64 - nss-3.57.0-1.mga7.x86_64 - p11-kit-0.23.21-1.mga7.x86_64 - p11-kit-trust-0.23.21-1.mga7.x86_64 - rootcerts-20200911.00-1.mga7.noarch - rootcerts-java-20200911.00-1.mga7.noarch no regressions observed looks OK for mga7-64
CC: (none) => jim
Running fine here, 64 bit, i7, Plasma, Nvidia, Swedish. System is fully updated to testing per yesterday. A couple hundred preserved tabs OK, using my various sites is OK.
CC: (none) => fri
Keywords: (none) => validated_update
Patience padawan. Has anyone tested smart card usage?
I don't think we have anyone available to test using smart cards, and do not think we should hold this update waiting for someone. Validating the update
I know we have users out there... Anyway, pushing the underlying package updates will mess Thunderbird unless we push it too, which we haven't validated yet, because encrypted stuff still needs to be tested. We'll validate them together.
(In reply to David Walser from comment #55) > Just note, as I've told you in the past, urpmi is not a good way to install > testing updates (unless the update is a single package), as it messes up > your orphans tracking (which you can see in your output above), Note that I rarely use an SU terminal and the urpmi command to install packages. I always use the MCC as as you mentioned it includes other packages needed. The urpmi text above is run after the packages are installed and my testing prove to be working. It's just a simplier way to document the update for me.
It's a confusing and overly verbose way to document what you've installed, low signal to noise ratio, but that's good to know. So you just need to make sure you're matching up with the rpms list. Thanks for the clarification.
CC: (none) => dglent
I don't have smartcards. Anyone here?
Probably not on the QA team. There was someone asking about beid stuff recently though, so they might. I think Sander uses them too.
Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK
(In reply to David Walser from comment #60) > I know we have users out there... Anyway, pushing the underlying package > updates will mess Thunderbird unless we push it too, which we haven't > validated yet, because encrypted stuff still needs to be tested. We'll > validate them together. Hello, I have one, using cryptovision interface. Actually, this is not working in Mageia 7 with Firefox 68, but it works on Debian with Firefox 68 too.
CC: (none) => yves.brungard_mageia
Hello, installing - crypto-policies-20200813-1.mga7.noarch - firefox-78.3.0-1.mga7.x86_64 - firefox-fr-78.3.0-1.mga7.noarch - lib64nspr4-4.29-1.mga7.x86_64 - lib64nss3-3.57.0-1.mga7.x86_64 - lib64p11-kit0-0.23.21-1.mga7.x86_64 - nss-3.57.0-1.mga7.x86_64 - p11-kit-0.23.21-1.mga7.x86_64 - p11-kit-trust-0.23.21-1.mga7.x86_64 - rootcerts-20200911.00-1.mga7.noarch All seems to work, except the smart card, not better than previously. I got: SEC_ERROR_INVALID_ARGS This is a proprietary software provided for another distribution, thus this is not surprising.
So you're saying it didn't work on 68 either? If you go to Preferences > Privacy & Security > Security Devices, do you see the smart card reader in either? This is where the biggest change is from 68 to 78 BTW. In 68 you usually have to manually Load opensc there (/lib64/pkcs11/opensc-pkcs11.so) but in 78 you should see p11-kit-proxy already loaded there automatically.
I tried now an update of the cryptovision interface. And this is now WORKING fine! Thank to have been incentive to try something ;)
So, we can validate this my Jedi Master David (;-)), don't we?
Status: NEW => ASSIGNED
(In reply to David Walser from comment #67) > So you're saying it didn't work on 68 either? If you go to Preferences > > Privacy & Security > Security Devices, do you see the smart card reader in > either? This is where the biggest change is from 68 to 78 BTW. In 68 you > usually have to manually Load opensc there (/lib64/pkcs11/opensc-pkcs11.so) > but in 78 you should see p11-kit-proxy already loaded there automatically. No, it was configured, but didn't work. The previous try was direct, without configuring again. Now, I just go to the "Security devices", and yes, the interface is new. There is a button "Connection" which triggers the ask for the PIN password. This work. There is a "Enable FIPS" button, I don't know what it is. I see that OpenSC detect also the card reader and can ask for connection. This is perhaps why the PIN is asked 2 times.
Yeah you shouldn't have a manually added opensc any more. Sounds like we're good to go.
I have a smart card. Belgian eid. If you can spare me a few hours, I''ll report on it.
CC: (none) => herman.viaene
Tested access to Belgian government sites with authentication thru Belgian eid-card. Works perfectly OK. Good to go for this aspect.
Wonderful, everyone :)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0377.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED