Bug 27011 - Firefox 68.11
Summary: Firefox 68.11
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga7-64-ok
Keywords:
Depends on:
Blocks: 27025
  Show dependency treegraph
 
Reported: 2020-07-28 19:11 CEST by David Walser
Modified: 2020-08-03 10:50 CEST (History)
4 users (show)

See Also:
Source RPM: nspr, nss, firefox, firefox-l10n
CVE:
Status comment:


Attachments

Description David Walser 2020-07-28 19:11:16 CEST
Mozilla has released Firefox 68.11.0 today (July 28):
https://www.mozilla.org/en-US/firefox/68.11.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/

Also out is NSPR 4.27:
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/3626XG8mLJw

No new rootcerts or nss 3.52.x.  NSS 3.55 has some security fixes which hopefully we can backport.
Nicolas Salguero 2020-07-30 10:21:27 CEST

Blocks: (none) => 27025

Comment 1 David Walser 2020-07-30 17:22:23 CEST
RedHat has issued an advisory for this today (July 30):
https://access.redhat.com/errata/RHSA-2020:3241

I'm waiting for Bug 26642 to be pushed, and to see if anyone has nss patches.
Comment 2 Nicolas Salguero 2020-07-31 10:11:13 CEST
Hi,

Cannot we build NSS 3.55 and use it with Firefox and Thunderbird 68.11, since you plan to build NSPR 4.27, which is required by that version of NSS?

It seems that at least FreeBSD has that configuration.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2020-07-31 12:53:10 CEST
No.  While technically possible, updating nss is what causes the loss of libnssckbi.so, neccesitating the crypto-policies and p11-kit-trust updates that are extremely invasive, which is exactly what I'm trying to put off doing for as long as I can.  I'm still not caught up on other distro advisories, but I hope to get to it today.  I may just have to wait to fix the nss security issues until later, but we'll see.  Updating nspr is no big deal, as the changes to that are extremely minimal.
Comment 4 Nicolas Salguero 2020-07-31 15:08:37 CEST
Hi,

By looking at the mercurial repository of NSS, I was able to identify the commits linked to the bugs 1631583 (CVE-2020-6829, CVE-2020-12400), 1631573 (CVE-2020-12401) and 1636771 (CVE-2020-12403).

I added those commits to our NSS 3.52 package and I was able to build a new version of NSS locally (the 5 patches needed no modification to apply to NSS 3.52) so I pushed my changes to the SVN.

Best regards,

Nico.
Comment 5 Lewis Smith 2020-07-31 20:56:32 CEST
Firefox : Tue Jul 28 by luigiwalser : 68.11.0
nspr : Tue Jul 28 by luigiwalser : 4.27

Fine, luigi is effectively the maintainer for both SRPMS, and they are already in /packages/updates/7/. Since you are already listed for this bug, it can remain assigned to Bugsquad for the moment.
Comment 6 David Walser 2020-08-01 03:43:35 CEST
Thanks Nicolas!

Source RPM: nspr, firefox => nspr, nss, firefox

Comment 7 David Walser 2020-08-01 04:02:00 CEST
nspr and nss submitted, will submit firefox when nss is built.  Advisory below.

Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is often transmitted to the peer, which allows bypassing ASLR (CVE-2020-6514).

Crafted media files could lead to a race in texture caches, resulting in a use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture, memory corruption, and a potentially exploitable crash (CVE-2020-6463).

By observing the stack trace for JavaScript errors in web workers, it was possible to leak the result of a cross-origin redirect. This applied only to content that can be parsed as script (CVE-2020-15652).

Mozilla developers Jason Kratzer and Luke Wagner reported memory safety bugs present in Firefox 78 and Firefox ESR 68.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15659).

Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-6829).

A side channel flaw was found in the way P-384 and P-521 curses are used in generation EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12400).

Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12401).

Multi-part ChaCha20 was not functioning correctly and tag length was not strictly enforced (CVE-2020-12403).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15659
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/3626XG8mLJw
https://bugzilla.redhat.com/show_bug.cgi?id=1826187
https://bugzilla.redhat.com/show_bug.cgi?id=1853983
https://bugzilla.redhat.com/show_bug.cgi?id=1851294
https://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.27-1.mga7
libnspr-devel-4.27-1.mga7
nss-3.52.1-1.2.mga7
nss-doc-3.52.1-1.2.mga7
libnss3-3.52.1-1.2.mga7
libnss-devel-3.52.1-1.2.mga7
libnss-static-devel-3.52.1-1.2.mga7
firefox-68.11.0-1.mga7
firefox-devel-68.11.0-1.mga7
firefox-af-68.11.0-1.mga7
firefox-an-68.11.0-1.mga7
firefox-ar-68.11.0-1.mga7
firefox-ast-68.11.0-1.mga7
firefox-az-68.11.0-1.mga7
firefox-be-68.11.0-1.mga7
firefox-bg-68.11.0-1.mga7
firefox-bn-68.11.0-1.mga7
firefox-br-68.11.0-1.mga7
firefox-bs-68.11.0-1.mga7
firefox-ca-68.11.0-1.mga7
firefox-cs-68.11.0-1.mga7
firefox-cy-68.11.0-1.mga7
firefox-da-68.11.0-1.mga7
firefox-de-68.11.0-1.mga7
firefox-el-68.11.0-1.mga7
firefox-en_CA-68.11.0-1.mga7
firefox-en_GB-68.11.0-1.mga7
firefox-en_US-68.11.0-1.mga7
firefox-eo-68.11.0-1.mga7
firefox-es_AR-68.11.0-1.mga7
firefox-es_CL-68.11.0-1.mga7
firefox-es_ES-68.11.0-1.mga7
firefox-es_MX-68.11.0-1.mga7
firefox-et-68.11.0-1.mga7
firefox-eu-68.11.0-1.mga7
firefox-fa-68.11.0-1.mga7
firefox-ff-68.11.0-1.mga7
firefox-fi-68.11.0-1.mga7
firefox-fr-68.11.0-1.mga7
firefox-fy_NL-68.11.0-1.mga7
firefox-ga_IE-68.11.0-1.mga7
firefox-gd-68.11.0-1.mga7
firefox-gl-68.11.0-1.mga7
firefox-gu_IN-68.11.0-1.mga7
firefox-he-68.11.0-1.mga7
firefox-hi_IN-68.11.0-1.mga7
firefox-hr-68.11.0-1.mga7
firefox-hsb-68.11.0-1.mga7
firefox-hu-68.11.0-1.mga7
firefox-hy_AM-68.11.0-1.mga7
firefox-ia-68.11.0-1.mga7
firefox-id-68.11.0-1.mga7
firefox-is-68.11.0-1.mga7
firefox-it-68.11.0-1.mga7
firefox-ja-68.11.0-1.mga7
firefox-ka-68.11.0-1.mga7
firefox-kab-68.11.0-1.mga7
firefox-kk-68.11.0-1.mga7
firefox-km-68.11.0-1.mga7
firefox-kn-68.11.0-1.mga7
firefox-ko-68.11.0-1.mga7
firefox-lij-68.11.0-1.mga7
firefox-lt-68.11.0-1.mga7
firefox-lv-68.11.0-1.mga7
firefox-mk-68.11.0-1.mga7
firefox-mr-68.11.0-1.mga7
firefox-ms-68.11.0-1.mga7
firefox-my-68.11.0-1.mga7
firefox-nb_NO-68.11.0-1.mga7
firefox-nl-68.11.0-1.mga7
firefox-nn_NO-68.11.0-1.mga7
firefox-oc-68.11.0-1.mga7
firefox-pa_IN-68.11.0-1.mga7
firefox-pl-68.11.0-1.mga7
firefox-pt_BR-68.11.0-1.mga7
firefox-pt_PT-68.11.0-1.mga7
firefox-ro-68.11.0-1.mga7
firefox-ru-68.11.0-1.mga7
firefox-si-68.11.0-1.mga7
firefox-sk-68.11.0-1.mga7
firefox-sl-68.11.0-1.mga7
firefox-sq-68.11.0-1.mga7
firefox-sr-68.11.0-1.mga7
firefox-sv_SE-68.11.0-1.mga7
firefox-ta-68.11.0-1.mga7
firefox-te-68.11.0-1.mga7
firefox-th-68.11.0-1.mga7
firefox-tr-68.11.0-1.mga7
firefox-uk-68.11.0-1.mga7
firefox-ur-68.11.0-1.mga7
firefox-uz-68.11.0-1.mga7
firefox-vi-68.11.0-1.mga7
firefox-xh-68.11.0-1.mga7
firefox-zh_CN-68.11.0-1.mga7
firefox-zh_TW-68.11.0-1.mga7

from SRPMS:
nspr-4.27-1.mga7.src.rpm
nss-3.52.1-1.2.mga7.src.rpm
firefox-68.11.0-1.mga7.src.rpm
firefox-l10n-68.11.0-1.mga7.src.rpm
Nicolas Salguero 2020-08-01 11:00:41 CEST

Status: NEW => ASSIGNED
Source RPM: nspr, nss, firefox => nspr, nss, firefox, firefox-l10n
Assignee: bugsquad => qa-bugs

Comment 8 Herman Viaene 2020-08-01 13:54:58 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Could read my usual newspaper site and could install the plugin for the Belgian Eid-card, and access the government websites using the card for authorization.
As far as I go, good enough.

CC: (none) => herman.viaene

Comment 9 Bill Wilkinson 2020-08-02 20:51:46 CEST
Tested mga7-64.

General browsing, javascript (Jetstream), video on youtube all ok.

Whiteboard: (none) => mga7-64-ok
CC: (none) => wrw105

Comment 10 Jose Manuel López 2020-08-03 10:50:40 CEST
Installed in Mga 7.1 Plasma, works ok, addons, certificates, all ok.

Greetins!!

CC: (none) => joselp


Note You need to log in before you can comment on or make changes to this bug.