Mozilla has released Firefox 68.10.0 on June 30: https://www.mozilla.org/en-US/firefox/68.10.0/releasenotes/ Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/ Also out is NSPR 4.26: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/YDlWqMPNR9Y Also new rootcerts out (20200612). nss 3.53.1 fixed CVE-2020-12402, which Debian-LTS issued an advisory for on June 30: https://www.debian.org/lts/security/2020/dla-2266 Update in progress. Advisory: ======================== Updated nss and firefox packages fix security vulnerabilities: Side channel vulnerabilities during RSA key generation in NSS (CVE-2020-12402). Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript (CVE-2020-12418). When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free in nsGlobalWindowInner. This could have led to memory corruption and a potentially exploitable crash (CVE-2020-12419). When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash (CVE-2020-12420). When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user (CVE-2020-12421). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12402 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421 https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/YDlWqMPNR9Y https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/ https://www.debian.org/lts/security/2020/dla-2266 ======================== Updated packages in core/updates_testing: ======================== libnspr4-4.26-1.mga7 libnspr-devel-4.26-1.mga7 rootcerts-20200612.00-1.mga7 rootcerts-java-20200612.00-1.mga7 nss-3.52.1-1.1.mga7 nss-doc-3.52.1-1.1.mga7 libnss3-3.52.1-1.1.mga7 libnss-devel-3.52.1-1.1.mga7 libnss-static-devel-3.52.1-1.1.mga7 firefox-68.10.0-1.mga7 firefox-devel-68.10.0-1.mga7 firefox-af-68.10.0-1.mga7 firefox-an-68.10.0-1.mga7 firefox-ar-68.10.0-1.mga7 firefox-ast-68.10.0-1.mga7 firefox-az-68.10.0-1.mga7 firefox-be-68.10.0-1.mga7 firefox-bg-68.10.0-1.mga7 firefox-bn-68.10.0-1.mga7 firefox-br-68.10.0-1.mga7 firefox-bs-68.10.0-1.mga7 firefox-ca-68.10.0-1.mga7 firefox-cs-68.10.0-1.mga7 firefox-cy-68.10.0-1.mga7 firefox-da-68.10.0-1.mga7 firefox-de-68.10.0-1.mga7 firefox-el-68.10.0-1.mga7 firefox-en_CA-68.10.0-1.mga7 firefox-en_GB-68.10.0-1.mga7 firefox-en_US-68.10.0-1.mga7 firefox-eo-68.10.0-1.mga7 firefox-es_AR-68.10.0-1.mga7 firefox-es_CL-68.10.0-1.mga7 firefox-es_ES-68.10.0-1.mga7 firefox-es_MX-68.10.0-1.mga7 firefox-et-68.10.0-1.mga7 firefox-eu-68.10.0-1.mga7 firefox-fa-68.10.0-1.mga7 firefox-ff-68.10.0-1.mga7 firefox-fi-68.10.0-1.mga7 firefox-fr-68.10.0-1.mga7 firefox-fy_NL-68.10.0-1.mga7 firefox-ga_IE-68.10.0-1.mga7 firefox-gd-68.10.0-1.mga7 firefox-gl-68.10.0-1.mga7 firefox-gu_IN-68.10.0-1.mga7 firefox-he-68.10.0-1.mga7 firefox-hi_IN-68.10.0-1.mga7 firefox-hr-68.10.0-1.mga7 firefox-hsb-68.10.0-1.mga7 firefox-hu-68.10.0-1.mga7 firefox-hy_AM-68.10.0-1.mga7 firefox-ia-68.10.0-1.mga7 firefox-id-68.10.0-1.mga7 firefox-is-68.10.0-1.mga7 firefox-it-68.10.0-1.mga7 firefox-ja-68.10.0-1.mga7 firefox-ka-68.10.0-1.mga7 firefox-kab-68.10.0-1.mga7 firefox-kk-68.10.0-1.mga7 firefox-km-68.10.0-1.mga7 firefox-kn-68.10.0-1.mga7 firefox-ko-68.10.0-1.mga7 firefox-lij-68.10.0-1.mga7 firefox-lt-68.10.0-1.mga7 firefox-lv-68.10.0-1.mga7 firefox-mk-68.10.0-1.mga7 firefox-mr-68.10.0-1.mga7 firefox-ms-68.10.0-1.mga7 firefox-my-68.10.0-1.mga7 firefox-nb_NO-68.10.0-1.mga7 firefox-nl-68.10.0-1.mga7 firefox-nn_NO-68.10.0-1.mga7 firefox-oc-68.10.0-1.mga7 firefox-pa_IN-68.10.0-1.mga7 firefox-pl-68.10.0-1.mga7 firefox-pt_BR-68.10.0-1.mga7 firefox-pt_PT-68.10.0-1.mga7 firefox-ro-68.10.0-1.mga7 firefox-ru-68.10.0-1.mga7 firefox-si-68.10.0-1.mga7 firefox-sk-68.10.0-1.mga7 firefox-sl-68.10.0-1.mga7 firefox-sq-68.10.0-1.mga7 firefox-sr-68.10.0-1.mga7 firefox-sv_SE-68.10.0-1.mga7 firefox-ta-68.10.0-1.mga7 firefox-te-68.10.0-1.mga7 firefox-th-68.10.0-1.mga7 firefox-tr-68.10.0-1.mga7 firefox-uk-68.10.0-1.mga7 firefox-ur-68.10.0-1.mga7 firefox-uz-68.10.0-1.mga7 firefox-vi-68.10.0-1.mga7 firefox-xh-68.10.0-1.mga7 firefox-zh_CN-68.10.0-1.mga7 firefox-zh_TW-68.10.0-1.mga7 from SRPMS: nspr-4.26-1.mga7.src.rpm rootcerts-20200612.00-1.mga7.src.rpm nss-3.52.1-1.1.mga7.src.rpm firefox-68.10.0-1.mga7.src.rpm firefox-l10n-68.10.0-1.mga7.src.rpm
Blocks: (none) => 26891
Ugh, 68.9 (Bug 26828) never got pushed.
Blocks: (none) => 26828
Combined advisory for 68.9 and 68.10. Advisory: ======================== Updated nss and firefox packages fix security vulnerabilities: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys (CVE-2020-12399). Side channel vulnerabilities during RSA key generation in NSS (CVE-2020-12402). When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash due to a use-after-free (CVE-2020-12405). Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash due to type confusion with NativeTypes. We presume that with enough effort that it could be exploited to run arbitrary code (CVE-2020-12406). Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12410). Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript (CVE-2020-12418). When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free in nsGlobalWindowInner. This could have led to memory corruption and a potentially exploitable crash (CVE-2020-12419). When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash (CVE-2020-12420). When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user (CVE-2020-12421). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12399 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12402 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12405 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12406 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12410 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12418 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12419 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12420 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12421 https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/YDlWqMPNR9Y https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52.1_release_notes https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-25/ https://www.debian.org/lts/security/2020/dla-2266
Assignee: bugsquad => qa-bugs
Tested mga7-64 General browsing, jetstream, youtube video, all OK.
Whiteboard: (none) => mga7-64-okCC: (none) => wrw105
Tested in Vbox mga7-64 All ok. Why don't we go directly to Firefox ESR 78?? And so we will have all the improvements of Firefox in the ESR version? Greetings.
CC: (none) => joselp
Because we have to do open heart surgery on the distribution to update to 78. Also it doesn't even build.
Installed the US English version on my 64-bit Plasma system, visited several sites, played a Youtube video, opened multiple tabs, visited Facebook, looked at my morning newspaper. All OK. Validating. Best advisory in Comment 2. Let's hope we can push this one before 68.11 comes out. Problem is that TMB used to keep track of pushing the validated updates, and those who have tried to take up the slack haven't yet developed the habit of regular check in. I'm sure it will get better. I was wondering why 26891 hadn't been sent to QA yet, but I see it's still in the "being built" stage. I will be watching for it.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
OK 64 bit plasma, nvidia-proprietary, intel i7 Swedish localisation, resumes ~200 tabs from previous version, plays videos from svtplay.se and youtu.be, adobe flash test, three banking sites, surfing for a while...
CC: (none) => fri
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0274.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
RedHat has issued an advisory for this on July 6: https://access.redhat.com/errata/RHSA-2020:2827