Mozilla has released Firefox 68.11.0 today (July 28): https://www.mozilla.org/en-US/firefox/68.11.0/releasenotes/ Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/ Also out is NSPR 4.27: https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/3626XG8mLJw No new rootcerts or nss 3.52.x. NSS 3.55 has some security fixes which hopefully we can backport.
Blocks: (none) => 27025
RedHat has issued an advisory for this today (July 30): https://access.redhat.com/errata/RHSA-2020:3241 I'm waiting for Bug 26642 to be pushed, and to see if anyone has nss patches.
Hi, Cannot we build NSS 3.55 and use it with Firefox and Thunderbird 68.11, since you plan to build NSPR 4.27, which is required by that version of NSS? It seems that at least FreeBSD has that configuration. Best regards, Nico.
CC: (none) => nicolas.salguero
No. While technically possible, updating nss is what causes the loss of libnssckbi.so, neccesitating the crypto-policies and p11-kit-trust updates that are extremely invasive, which is exactly what I'm trying to put off doing for as long as I can. I'm still not caught up on other distro advisories, but I hope to get to it today. I may just have to wait to fix the nss security issues until later, but we'll see. Updating nspr is no big deal, as the changes to that are extremely minimal.
Hi, By looking at the mercurial repository of NSS, I was able to identify the commits linked to the bugs 1631583 (CVE-2020-6829, CVE-2020-12400), 1631573 (CVE-2020-12401) and 1636771 (CVE-2020-12403). I added those commits to our NSS 3.52 package and I was able to build a new version of NSS locally (the 5 patches needed no modification to apply to NSS 3.52) so I pushed my changes to the SVN. Best regards, Nico.
Firefox : Tue Jul 28 by luigiwalser : 68.11.0 nspr : Tue Jul 28 by luigiwalser : 4.27 Fine, luigi is effectively the maintainer for both SRPMS, and they are already in /packages/updates/7/. Since you are already listed for this bug, it can remain assigned to Bugsquad for the moment.
Thanks Nicolas!
Source RPM: nspr, firefox => nspr, nss, firefox
nspr and nss submitted, will submit firefox when nss is built. Advisory below. Advisory: ======================== Updated nss and firefox packages fix security vulnerabilities: WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is often transmitted to the peer, which allows bypassing ASLR (CVE-2020-6514). Crafted media files could lead to a race in texture caches, resulting in a use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture, memory corruption, and a potentially exploitable crash (CVE-2020-6463). By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script (CVE-2020-15652). Mozilla developers Jason Kratzer and Luke Wagner reported memory safety bugs present in Firefox 78 and Firefox ESR 68.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15659). Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-6829). A side channel flaw was found in the way P-384 and P-521 curses are used in generation EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12400). Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12401). Multi-part ChaCha20 was not functioning correctly and tag length was not strictly enforced (CVE-2020-12403). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6514 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6463 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6829 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12400 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12401 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12403 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15652 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15659 https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/3626XG8mLJw https://bugzilla.redhat.com/show_bug.cgi?id=1826187 https://bugzilla.redhat.com/show_bug.cgi?id=1853983 https://bugzilla.redhat.com/show_bug.cgi?id=1851294 https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/ ======================== Updated packages in core/updates_testing: ======================== libnspr4-4.27-1.mga7 libnspr-devel-4.27-1.mga7 nss-3.52.1-1.2.mga7 nss-doc-3.52.1-1.2.mga7 libnss3-3.52.1-1.2.mga7 libnss-devel-3.52.1-1.2.mga7 libnss-static-devel-3.52.1-1.2.mga7 firefox-68.11.0-1.mga7 firefox-devel-68.11.0-1.mga7 firefox-af-68.11.0-1.mga7 firefox-an-68.11.0-1.mga7 firefox-ar-68.11.0-1.mga7 firefox-ast-68.11.0-1.mga7 firefox-az-68.11.0-1.mga7 firefox-be-68.11.0-1.mga7 firefox-bg-68.11.0-1.mga7 firefox-bn-68.11.0-1.mga7 firefox-br-68.11.0-1.mga7 firefox-bs-68.11.0-1.mga7 firefox-ca-68.11.0-1.mga7 firefox-cs-68.11.0-1.mga7 firefox-cy-68.11.0-1.mga7 firefox-da-68.11.0-1.mga7 firefox-de-68.11.0-1.mga7 firefox-el-68.11.0-1.mga7 firefox-en_CA-68.11.0-1.mga7 firefox-en_GB-68.11.0-1.mga7 firefox-en_US-68.11.0-1.mga7 firefox-eo-68.11.0-1.mga7 firefox-es_AR-68.11.0-1.mga7 firefox-es_CL-68.11.0-1.mga7 firefox-es_ES-68.11.0-1.mga7 firefox-es_MX-68.11.0-1.mga7 firefox-et-68.11.0-1.mga7 firefox-eu-68.11.0-1.mga7 firefox-fa-68.11.0-1.mga7 firefox-ff-68.11.0-1.mga7 firefox-fi-68.11.0-1.mga7 firefox-fr-68.11.0-1.mga7 firefox-fy_NL-68.11.0-1.mga7 firefox-ga_IE-68.11.0-1.mga7 firefox-gd-68.11.0-1.mga7 firefox-gl-68.11.0-1.mga7 firefox-gu_IN-68.11.0-1.mga7 firefox-he-68.11.0-1.mga7 firefox-hi_IN-68.11.0-1.mga7 firefox-hr-68.11.0-1.mga7 firefox-hsb-68.11.0-1.mga7 firefox-hu-68.11.0-1.mga7 firefox-hy_AM-68.11.0-1.mga7 firefox-ia-68.11.0-1.mga7 firefox-id-68.11.0-1.mga7 firefox-is-68.11.0-1.mga7 firefox-it-68.11.0-1.mga7 firefox-ja-68.11.0-1.mga7 firefox-ka-68.11.0-1.mga7 firefox-kab-68.11.0-1.mga7 firefox-kk-68.11.0-1.mga7 firefox-km-68.11.0-1.mga7 firefox-kn-68.11.0-1.mga7 firefox-ko-68.11.0-1.mga7 firefox-lij-68.11.0-1.mga7 firefox-lt-68.11.0-1.mga7 firefox-lv-68.11.0-1.mga7 firefox-mk-68.11.0-1.mga7 firefox-mr-68.11.0-1.mga7 firefox-ms-68.11.0-1.mga7 firefox-my-68.11.0-1.mga7 firefox-nb_NO-68.11.0-1.mga7 firefox-nl-68.11.0-1.mga7 firefox-nn_NO-68.11.0-1.mga7 firefox-oc-68.11.0-1.mga7 firefox-pa_IN-68.11.0-1.mga7 firefox-pl-68.11.0-1.mga7 firefox-pt_BR-68.11.0-1.mga7 firefox-pt_PT-68.11.0-1.mga7 firefox-ro-68.11.0-1.mga7 firefox-ru-68.11.0-1.mga7 firefox-si-68.11.0-1.mga7 firefox-sk-68.11.0-1.mga7 firefox-sl-68.11.0-1.mga7 firefox-sq-68.11.0-1.mga7 firefox-sr-68.11.0-1.mga7 firefox-sv_SE-68.11.0-1.mga7 firefox-ta-68.11.0-1.mga7 firefox-te-68.11.0-1.mga7 firefox-th-68.11.0-1.mga7 firefox-tr-68.11.0-1.mga7 firefox-uk-68.11.0-1.mga7 firefox-ur-68.11.0-1.mga7 firefox-uz-68.11.0-1.mga7 firefox-vi-68.11.0-1.mga7 firefox-xh-68.11.0-1.mga7 firefox-zh_CN-68.11.0-1.mga7 firefox-zh_TW-68.11.0-1.mga7 from SRPMS: nspr-4.27-1.mga7.src.rpm nss-3.52.1-1.2.mga7.src.rpm firefox-68.11.0-1.mga7.src.rpm firefox-l10n-68.11.0-1.mga7.src.rpm
Assignee: bugsquad => qa-bugsStatus: NEW => ASSIGNEDSource RPM: nspr, nss, firefox => nspr, nss, firefox, firefox-l10n
MGA7-64 Plasma on Lenovo B50 No installation issues. Could read my usual newspaper site and could install the plugin for the Belgian Eid-card, and access the government websites using the card for authorization. As far as I go, good enough.
CC: (none) => herman.viaene
Tested mga7-64. General browsing, javascript (Jetstream), video on youtube all ok.
Whiteboard: (none) => mga7-64-okCC: (none) => wrw105
Installed in Mga 7.1 Plasma, works ok, addons, certificates, all ok. Greetins!!
CC: (none) => joselp
OM mga 7-64, Plasma, Nvidia proprietary, 4k screen, intel i7. Swedish localisation, hundreds of open tabs preserved after update as well as login and cookies, videos playing well in youtube and svt.se, banking sites... hours of use.
CC: (none) => fri
Looks good to me. Validating. Advisory in Comment 7.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Ubuntu has issued an advisory for the nss issues on August 10: https://ubuntu.com/security/notices/USN-4455-1
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0318.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
Ubuntu has issued an advisory for the other nss issue today (August 27): https://ubuntu.com/security/notices/USN-4476-1