Bug 28034 - Firefox 78.6.1
Summary: Firefox 78.6.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga7-64-ok mga7-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-07 00:23 CET by David Walser
Modified: 2021-01-11 13:46 CET

See Also:
Source RPM: nss, firefox
CVE:
Status comment:


Description David Walser 2021-01-07 00:23:22 CET
Mozilla has released Firefox 78.6.1 today (January 6):
https://www.mozilla.org/en-US/firefox/78.6.1/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/

NSS 3.60.1 is also out (release notes not available yet):
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60.1_release_notes

Update in progress (waiting on Cauldron pushes).  Package list will be as follows.

nss-3.60.1-1.mga7
nss-doc-3.60.1-1.mga7
libnss3-3.60.1-1.mga7
libnss-devel-3.60.1-1.mga7
libnss-static-devel-3.60.1-1.mga7
firefox-78.6.1-1.mga7
firefox-devel-78.6.1-1.mga7
firefox-af-78.6.1-1.mga7
firefox-an-78.6.1-1.mga7
firefox-ar-78.6.1-1.mga7
firefox-ast-78.6.1-1.mga7
firefox-az-78.6.1-1.mga7
firefox-be-78.6.1-1.mga7
firefox-bg-78.6.1-1.mga7
firefox-bn-78.6.1-1.mga7
firefox-br-78.6.1-1.mga7
firefox-bs-78.6.1-1.mga7
firefox-ca-78.6.1-1.mga7
firefox-cs-78.6.1-1.mga7
firefox-cy-78.6.1-1.mga7
firefox-da-78.6.1-1.mga7
firefox-de-78.6.1-1.mga7
firefox-el-78.6.1-1.mga7
firefox-en_CA-78.6.1-1.mga7
firefox-en_GB-78.6.1-1.mga7
firefox-en_US-78.6.1-1.mga7
firefox-eo-78.6.1-1.mga7
firefox-es_AR-78.6.1-1.mga7
firefox-es_CL-78.6.1-1.mga7
firefox-es_ES-78.6.1-1.mga7
firefox-es_MX-78.6.1-1.mga7
firefox-et-78.6.1-1.mga7
firefox-eu-78.6.1-1.mga7
firefox-fa-78.6.1-1.mga7
firefox-ff-78.6.1-1.mga7
firefox-fi-78.6.1-1.mga7
firefox-fr-78.6.1-1.mga7
firefox-fy_NL-78.6.1-1.mga7
firefox-ga_IE-78.6.1-1.mga7
firefox-gd-78.6.1-1.mga7
firefox-gl-78.6.1-1.mga7
firefox-gu_IN-78.6.1-1.mga7
firefox-he-78.6.1-1.mga7
firefox-hi_IN-78.6.1-1.mga7
firefox-hr-78.6.1-1.mga7
firefox-hsb-78.6.1-1.mga7
firefox-hu-78.6.1-1.mga7
firefox-hy_AM-78.6.1-1.mga7
firefox-ia-78.6.1-1.mga7
firefox-id-78.6.1-1.mga7
firefox-is-78.6.1-1.mga7
firefox-it-78.6.1-1.mga7
firefox-ja-78.6.1-1.mga7
firefox-ka-78.6.1-1.mga7
firefox-kab-78.6.1-1.mga7
firefox-kk-78.6.1-1.mga7
firefox-km-78.6.1-1.mga7
firefox-kn-78.6.1-1.mga7
firefox-ko-78.6.1-1.mga7
firefox-lij-78.6.1-1.mga7
firefox-lt-78.6.1-1.mga7
firefox-lv-78.6.1-1.mga7
firefox-mk-78.6.1-1.mga7
firefox-mr-78.6.1-1.mga7
firefox-ms-78.6.1-1.mga7
firefox-my-78.6.1-1.mga7
firefox-nb_NO-78.6.1-1.mga7
firefox-nl-78.6.1-1.mga7
firefox-nn_NO-78.6.1-1.mga7
firefox-oc-78.6.1-1.mga7
firefox-pa_IN-78.6.1-1.mga7
firefox-pl-78.6.1-1.mga7
firefox-pt_BR-78.6.1-1.mga7
firefox-pt_PT-78.6.1-1.mga7
firefox-ro-78.6.1-1.mga7
firefox-ru-78.6.1-1.mga7
firefox-si-78.6.1-1.mga7
firefox-sk-78.6.1-1.mga7
firefox-sl-78.6.1-1.mga7
firefox-sq-78.6.1-1.mga7
firefox-sr-78.6.1-1.mga7
firefox-sv_SE-78.6.1-1.mga7
firefox-ta-78.6.1-1.mga7
firefox-te-78.6.1-1.mga7
firefox-th-78.6.1-1.mga7
firefox-tl-78.6.1-1.mga7
firefox-tr-78.6.1-1.mga7
firefox-uk-78.6.1-1.mga7
firefox-ur-78.6.1-1.mga7
firefox-uz-78.6.1-1.mga7
firefox-vi-78.6.1-1.mga7
firefox-xh-78.6.1-1.mga7
firefox-zh_CN-78.6.1-1.mga7
firefox-zh_TW-78.6.1-1.mga7

from SRPMS:
nss-3.60.1-1.mga7.src.rpm
firefox-78.6.1-1.mga7.src.rpm
firefox-l10n-78.6.1-1.mga7.src.rpm

Comment 1 David Walser 2021-01-07 00:25:19 CET
Advisory will be as follows.

Advisory:
========================

Updated firefox packages fix security vulnerability:

A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a
way that potentially resulted in a use-after-free. We presume that with enough
effort it could have been exploited to run arbitrary code (CVE-2020-16044).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60.1_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/

Comment 2 David Walser 2021-01-07 04:18:48 CET
Advisory in Comment 1.  Package list in Comment 0.

Assignee: bugsquad => qa-bugs

Comment 3 Bill Wilkinson 2021-01-07 17:51:28 CET
tested mga7-64

General browsing, video, Jetstream all OK

Whiteboard: (none) => mga7-64-ok
CC: (none) => wrw105

Comment 4 Bill Wilkinson 2021-01-07 19:43:59 CET
Tested MGA7-32 as above, apart from Jetstream, due to rootcerts issue.

all OK.

Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok

Comment 5 Thomas Andrews 2021-01-07 22:29:12 CET
Firefox use is so widespread that I thought a few more tests on differing hardware, arches, and DEs would be in order before validating.

To that end, I have checked this on 2 64-bit Plasma systems, one with Intel graphics and a wired Internet connection, and another with AMD processor and graphics, with Atheros-based wifi. I also checked on a 32-bit Xfce system with Intel processor, graphics, and wifi.

All tests were OK. No issues noted. That should be enough. Validating. Advisory in Comment 1, package list in Comment 0.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-01-08 14:36:00 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-08 16:36:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0012.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 8 David Walser 2021-01-11 13:46:26 CET
Red Hat has issued an advisory for this today (January 11):
https://access.redhat.com/errata/RHSA-2021:0052
