Mozilla has released Firefox 78.4.0 on October 20:
https://www.mozilla.org/en-US/firefox/78.4.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/

NSS 3.58 is also out:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes

It fixes CVE-2020-25648:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25648

Update in progress. Advisory will be as follows.

Advisory:
========================

Updated nss and firefox packages fix security vulnerabilities:

Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15683).

A use-after-free bug in the usersctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash (CVE-2020-15969).

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58 (CVE-2020-25648).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25648
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20201021.00-1.mga7
rootcerts-java-20201021.00-1.mga7
nss-3.58.0-1.mga7
nss-doc-3.58.0-1.mga7
libnss3-3.58.0-1.mga7
libnss-devel-3.58.0-1.mga7
libnss-static-devel-3.58.0-1.mga7
firefox-78.4.0-1.mga7
firefox-devel-78.4.0-1.mga7
firefox-af-78.4.0-1.mga7
firefox-an-78.4.0-1.mga7
firefox-ar-78.4.0-1.mga7
firefox-ast-78.4.0-1.mga7
firefox-az-78.4.0-1.mga7
firefox-be-78.4.0-1.mga7
firefox-bg-78.4.0-1.mga7
firefox-bn-78.4.0-1.mga7
firefox-br-78.4.0-1.mga7
firefox-bs-78.4.0-1.mga7
firefox-ca-78.4.0-1.mga7
firefox-cs-78.4.0-1.mga7
firefox-cy-78.4.0-1.mga7
firefox-da-78.4.0-1.mga7
firefox-de-78.4.0-1.mga7
firefox-el-78.4.0-1.mga7
firefox-en_CA-78.4.0-1.mga7
firefox-en_GB-78.4.0-1.mga7
firefox-en_US-78.4.0-1.mga7
firefox-eo-78.4.0-1.mga7
firefox-es_AR-78.4.0-1.mga7
firefox-es_CL-78.4.0-1.mga7
firefox-es_ES-78.4.0-1.mga7
firefox-es_MX-78.4.0-1.mga7
firefox-et-78.4.0-1.mga7
firefox-eu-78.4.0-1.mga7
firefox-fa-78.4.0-1.mga7
firefox-ff-78.4.0-1.mga7
firefox-fi-78.4.0-1.mga7
firefox-fr-78.4.0-1.mga7
firefox-fy_NL-78.4.0-1.mga7
firefox-ga_IE-78.4.0-1.mga7
firefox-gd-78.4.0-1.mga7
firefox-gl-78.4.0-1.mga7
firefox-gu_IN-78.4.0-1.mga7
firefox-he-78.4.0-1.mga7
firefox-hi_IN-78.4.0-1.mga7
firefox-hr-78.4.0-1.mga7
firefox-hsb-78.4.0-1.mga7
firefox-hu-78.4.0-1.mga7
firefox-hy_AM-78.4.0-1.mga7
firefox-ia-78.4.0-1.mga7
firefox-id-78.4.0-1.mga7
firefox-is-78.4.0-1.mga7
firefox-it-78.4.0-1.mga7
firefox-ja-78.4.0-1.mga7
firefox-ka-78.4.0-1.mga7
firefox-kab-78.4.0-1.mga7
firefox-kk-78.4.0-1.mga7
firefox-km-78.4.0-1.mga7
firefox-kn-78.4.0-1.mga7
firefox-ko-78.4.0-1.mga7
firefox-lij-78.4.0-1.mga7
firefox-lt-78.4.0-1.mga7
firefox-lv-78.4.0-1.mga7
firefox-mk-78.4.0-1.mga7
firefox-mr-78.4.0-1.mga7
firefox-ms-78.4.0-1.mga7
firefox-my-78.4.0-1.mga7
firefox-nb_NO-78.4.0-1.mga7
firefox-nl-78.4.0-1.mga7
firefox-nn_NO-78.4.0-1.mga7
firefox-oc-78.4.0-1.mga7
firefox-pa_IN-78.4.0-1.mga7
firefox-pl-78.4.0-1.mga7
firefox-pt_BR-78.4.0-1.mga7
firefox-pt_PT-78.4.0-1.mga7
firefox-ro-78.4.0-1.mga7
firefox-ru-78.4.0-1.mga7
firefox-si-78.4.0-1.mga7
firefox-sk-78.4.0-1.mga7
firefox-sl-78.4.0-1.mga7
firefox-sq-78.4.0-1.mga7
firefox-sr-78.4.0-1.mga7
firefox-sv_SE-78.4.0-1.mga7
firefox-ta-78.4.0-1.mga7
firefox-te-78.4.0-1.mga7
firefox-th-78.4.0-1.mga7
firefox-tl-78.4.0-1.mga7
firefox-tr-78.4.0-1.mga7
firefox-uk-78.4.0-1.mga7
firefox-ur-78.4.0-1.mga7
firefox-uz-78.4.0-1.mga7
firefox-vi-78.4.0-1.mga7
firefox-xh-78.4.0-1.mga7
firefox-zh_CN-78.4.0-1.mga7
firefox-zh_TW-78.4.0-1.mga7

from SRPMS:
rootcerts-20201021.00-1.mga7.src.rpm
nss-3.58.0-1.mga7.src.rpm
firefox-78.4.0-1.mga7.src.rpm
firefox-l10n-78.4.0-1.mga7.src.rpm
Blocks: (none) => 27438
Got a bunch of build errors on aarch64 for firefox:
http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20201021214626.luigiwalser.duvel.26844/log/firefox-78.4.0-2.mga7/build.0.20201021225421.log
CC: (none) => pterjan
Hi, thanks for reporting this bug. Assigned to all packagers, no registered one. CC'd recent committers.
Status: NEW => ASSIGNED
Assignee: bugsquad => pkg-bugs
CC: (none) => nicolas.salguero
Keywords: (none) => Triaged
Hi, firefox and firefox-l10n built for Mageia 7. Best regards, Nico.
Keywords: Triaged => (none)
Assignee: pkg-bugs => qa-bugs
Thanks, that's odd that it built without any changes this time. Advisory and package list in Comment 0.
CC: pterjan => (none)
Tested MGA7-64
General browsing, jetstream javascript, youtube video all OK
CC: (none) => wrw105
Whiteboard: (none) => mga7-64-ok
mga7-64 running fine here too. Plasma, Nvidia, i7, 4k screen. Swedish localisation. Resumed 200+ tabs, banking and shop sites, video and sound.
CC: (none) => fri
Updated the 64-bit US English versions of both Firefox and Thunderbird in one operation, using Qarepo. No installation issues, once I put the "64" in the three library filenames. Tried several websites, no issues noted. Looks OK here. Now to report on Thunderbird, which also seems OK.
CC: (none) => andrewsfarm
Tested as above on mga7-32. All OK. I'll allow some time for any others who wish to test before setting validated.
Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok
Three of us tested on one arch, one test on the other, no issues. Should be enough. Validating. Advisory in Comment 0.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
on mga7-64 kernel-desktop plasma

packages installed cleanly:
- firefox-78.4.0-1.mga7.x86_64
- firefox-en_GB-78.4.0-1.mga7.noarch
- firefox-en_US-78.4.0-1.mga7.noarch
- lib64nss3-3.58.0-1.mga7.x86_64
- nss-3.58.0-1.mga7.x86_64
- rootcerts-20201021.00-1.mga7.noarch
- rootcerts-java-20201021.00-1.mga7.noarch

no regressions observed

looks OK for mga7-64
CC: (none) => jim
Advisory pushed to SVN.
CC: (none) => ouaurelien
Whiteboard: mga7-64-ok mga7-32-ok => MGA7-64-OK MGA7-32-OK
Keywords: (none) => advisory
CVE: (none) => CVE-2020-15683, CVE-2020-15969, CVE-2020-25648
RedHat has issued an advisory for this on October 22:
https://access.redhat.com/errata/RHSA-2020:4310
Advisory changed to add RedHat reference.
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0395.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED