Mozilla has released Firefox 68.11.0 today (July 28):
Security issues fixed:
Also out is NSPR 4.27:
No new rootcerts or nss 3.52.x. NSS 3.55 has some security fixes which hopefully we can backport.
RedHat has issued an advisory for this today (July 30):
I'm waiting for Bug 26642 to be pushed, and to see if anyone has nss patches.
Cannot we build NSS 3.55 and use it with Firefox and Thunderbird 68.11, since you plan to build NSPR 4.27, which is required by that version of NSS?
It seems that at least FreeBSD has that configuration.
No. While technically possible, updating nss is what causes the loss of libnssckbi.so, neccesitating the crypto-policies and p11-kit-trust updates that are extremely invasive, which is exactly what I'm trying to put off doing for as long as I can. I'm still not caught up on other distro advisories, but I hope to get to it today. I may just have to wait to fix the nss security issues until later, but we'll see. Updating nspr is no big deal, as the changes to that are extremely minimal.
By looking at the mercurial repository of NSS, I was able to identify the commits linked to the bugs 1631583 (CVE-2020-6829, CVE-2020-12400), 1631573 (CVE-2020-12401) and 1636771 (CVE-2020-12403).
I added those commits to our NSS 3.52 package and I was able to build a new version of NSS locally (the 5 patches needed no modification to apply to NSS 3.52) so I pushed my changes to the SVN.
Firefox : Tue Jul 28 by luigiwalser : 68.11.0
nspr : Tue Jul 28 by luigiwalser : 4.27
Fine, luigi is effectively the maintainer for both SRPMS, and they are already in /packages/updates/7/. Since you are already listed for this bug, it can remain assigned to Bugsquad for the moment.
nspr, firefox =>
nspr, nss, firefox
nspr and nss submitted, will submit firefox when nss is built. Advisory below.
Updated nss and firefox packages fix security vulnerabilities:
WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is often transmitted to the peer, which allows bypassing ASLR (CVE-2020-6514).
Crafted media files could lead to a race in texture caches, resulting in a use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture, memory corruption, and a potentially exploitable crash (CVE-2020-6463).
Mozilla developers Jason Kratzer and Luke Wagner reported memory safety bugs present in Firefox 78 and Firefox ESR 68.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15659).
Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-6829).
A side channel flaw was found in the way P-384 and P-521 curses are used in generation EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12400).
Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality (CVE-2020-12401).
Multi-part ChaCha20 was not functioning correctly and tag length was not strictly enforced (CVE-2020-12403).
Updated packages in core/updates_testing:
nspr, nss, firefox =>
nspr, nss, firefox, firefox-l10nAssignee:
MGA7-64 Plasma on Lenovo B50
No installation issues.
Could read my usual newspaper site and could install the plugin for the Belgian Eid-card, and access the government websites using the card for authorization.
As far as I go, good enough.
Installed in Mga 7.1 Plasma, works ok, addons, certificates, all ok.