Bug 28432 - Firefox 78.8
Summary: Firefox 78.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: MGA7TOO MGA7-32-OK MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28431
Reported: 2021-02-24 17:04 CET by Aurelien Oudelet
Modified: 2021-03-04 13:28 CET (History)

See Also:
Source RPM: firefox-78.7.0-1.mga8.src.rpm
CVE: CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
Status comment:



Description Aurelien Oudelet 2021-02-24 17:04:05 CET
Mozilla.org has issued an advisory on February 23, 2021:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

Mageia 7 and 8 also affected.
Comment 1 Aurelien Oudelet 2021-02-24 17:05:24 CET
Added Commiters in CC.

Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => nicolas.salguero

Aurelien Oudelet 2021-02-24 17:08:17 CET

Blocks: (none) => 28431

Comment 2 David Walser 2021-02-24 17:32:12 CET
Mozilla has released Firefox 78.8.0 on February 23:
https://www.mozilla.org/en-US/firefox/78.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

NSS 3.62 is also out (February 19):
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_62_RTM/src/

(release notes not available yet)

certdata.txt and nssckbi.h for rootcerts need to be updated as of February 23.

crypto-policies can be updated in Cauldron, but doesn't need to be for stable.

CC: (none) => luigiwalser
Summary: Firefox 78.8 fixes security issues => Firefox 78.8
Whiteboard: MGA7TOO MGA8TOO => MGA8TOO, MGA7TOO
Severity: normal => critical

David Walser 2021-02-24 17:33:02 CET

Group: secteam => (none)

Comment 3 David Walser 2021-02-25 17:18:55 CET
RedHat has issued an advisory for this on February 24:
https://access.redhat.com/errata/RHSA-2021:0655
Comment 4 David Walser 2021-02-27 02:18:07 CET
rootcerts and nss builds submitted to the build system.  firefox and firefox-l10n updates checked into SVN.
Comment 5 David Walser 2021-02-27 17:00:46 CET
Build failed on aarch64, looks like rust compiler died.

32:12.97 error: could not compile `style`
32:12.97 Caused by:
32:12.97   process didn't exit successfully: `/usr/bin/rustc [ snip ... ]
53:17.53 error: build failed
53:17.59 gmake[4]: *** [/home/iurt/rpmbuild/BUILD/firefox-78.8.0/config/makefiles/rust.mk:299: force-cargo-library-build] Error 101

I think it's just warnings, but there's a lot of messages like the following that make me think we need to change the -std used by the compiler to C++14 or 17:
note: parameter passing for argument of type 'mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float>' when C++17 is enabled changed to match C++14 in GCC 10.1

CC: (none) => rverschelde

Comment 6 David Walser 2021-02-28 14:57:28 CET
Package list so far:
rootcerts-20210223.00-1.mga7
rootcerts-java-20210223.00-1.mga7
nss-3.62.0-1.mga7
nss-doc-3.62.0-1.mga7
libnss3-3.62.0-1.mga7
libnss-devel-3.62.0-1.mga7
libnss-static-devel-3.62.0-1.mga7
rootcerts-20210223.00-1.mga8
rootcerts-java-20210223.00-1.mga8
nss-3.62.0-1.mga8
libnss-static-devel-3.62.0-1.mga8
libnss3-3.62.0-1.mga8
libnss-devel-3.62.0-1.mga8
nss-doc-3.62.0-1.mga8
Comment 7 Nicolas Lécureuil 2021-03-02 15:30:52 CET
uploaded firefox for mga7/8

src:

   mageia 7:
      firefox-78.8.0-1.mga7
      firefox-l10n-78.8.0-1.mga7

   mageia 8:
      firefox-78.8.0-1.mga8
      firefox-l10n-78.8.0-1.mga8

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Nicolas Lécureuil 2021-03-02 15:31:01 CET

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 8 David Walser 2021-03-02 15:32:19 CET
Are we ever going to fix Cauldron?
Comment 9 Nicolas Lécureuil 2021-03-02 18:42:15 CET
looking to it now
Comment 10 David Walser 2021-03-02 18:47:54 CET
(In reply to David Walser from comment #6)
> Package list so far:
> rootcerts-20210223.00-1.mga7
> rootcerts-java-20210223.00-1.mga7
> nss-3.62.0-1.mga7
> nss-doc-3.62.0-1.mga7
> libnss3-3.62.0-1.mga7
> libnss-devel-3.62.0-1.mga7
> libnss-static-devel-3.62.0-1.mga7
> rootcerts-20210223.00-1.mga8
> rootcerts-java-20210223.00-1.mga8
> nss-3.62.0-1.mga8
> libnss-static-devel-3.62.0-1.mga8
> libnss3-3.62.0-1.mga8
> libnss-devel-3.62.0-1.mga8
> nss-doc-3.62.0-1.mga8

Mageia 7 packages for Firefox below (Mageia 8 are same but mga8):
firefox-78.8.0-1.mga7
firefox-devel-78.8.0-1.mga7
firefox-af-78.8.0-1.mga7
firefox-an-78.8.0-1.mga7
firefox-ar-78.8.0-1.mga7
firefox-ast-78.8.0-1.mga7
firefox-az-78.8.0-1.mga7
firefox-be-78.8.0-1.mga7
firefox-bg-78.8.0-1.mga7
firefox-bn-78.8.0-1.mga7
firefox-br-78.8.0-1.mga7
firefox-bs-78.8.0-1.mga7
firefox-ca-78.8.0-1.mga7
firefox-cs-78.8.0-1.mga7
firefox-cy-78.8.0-1.mga7
firefox-da-78.8.0-1.mga7
firefox-de-78.8.0-1.mga7
firefox-el-78.8.0-1.mga7
firefox-en_CA-78.8.0-1.mga7
firefox-en_GB-78.8.0-1.mga7
firefox-en_US-78.8.0-1.mga7
firefox-eo-78.8.0-1.mga7
firefox-es_AR-78.8.0-1.mga7
firefox-es_CL-78.8.0-1.mga7
firefox-es_ES-78.8.0-1.mga7
firefox-es_MX-78.8.0-1.mga7
firefox-et-78.8.0-1.mga7
firefox-eu-78.8.0-1.mga7
firefox-fa-78.8.0-1.mga7
firefox-ff-78.8.0-1.mga7
firefox-fi-78.8.0-1.mga7
firefox-fr-78.8.0-1.mga7
firefox-fy_NL-78.8.0-1.mga7
firefox-ga_IE-78.8.0-1.mga7
firefox-gd-78.8.0-1.mga7
firefox-gl-78.8.0-1.mga7
firefox-gu_IN-78.8.0-1.mga7
firefox-he-78.8.0-1.mga7
firefox-hi_IN-78.8.0-1.mga7
firefox-hr-78.8.0-1.mga7
firefox-hsb-78.8.0-1.mga7
firefox-hu-78.8.0-1.mga7
firefox-hy_AM-78.8.0-1.mga7
firefox-ia-78.8.0-1.mga7
firefox-id-78.8.0-1.mga7
firefox-is-78.8.0-1.mga7
firefox-it-78.8.0-1.mga7
firefox-ja-78.8.0-1.mga7
firefox-ka-78.8.0-1.mga7
firefox-kab-78.8.0-1.mga7
firefox-kk-78.8.0-1.mga7
firefox-km-78.8.0-1.mga7
firefox-kn-78.8.0-1.mga7
firefox-ko-78.8.0-1.mga7
firefox-lij-78.8.0-1.mga7
firefox-lt-78.8.0-1.mga7
firefox-lv-78.8.0-1.mga7
firefox-mk-78.8.0-1.mga7
firefox-mr-78.8.0-1.mga7
firefox-ms-78.8.0-1.mga7
firefox-my-78.8.0-1.mga7
firefox-nb_NO-78.8.0-1.mga7
firefox-nl-78.8.0-1.mga7
firefox-nn_NO-78.8.0-1.mga7
firefox-oc-78.8.0-1.mga7
firefox-pa_IN-78.8.0-1.mga7
firefox-pl-78.8.0-1.mga7
firefox-pt_BR-78.8.0-1.mga7
firefox-pt_PT-78.8.0-1.mga7
firefox-ro-78.8.0-1.mga7
firefox-ru-78.8.0-1.mga7
firefox-si-78.8.0-1.mga7
firefox-sk-78.8.0-1.mga7
firefox-sl-78.8.0-1.mga7
firefox-sq-78.8.0-1.mga7
firefox-sr-78.8.0-1.mga7
firefox-sv_SE-78.8.0-1.mga7
firefox-ta-78.8.0-1.mga7
firefox-te-78.8.0-1.mga7
firefox-th-78.8.0-1.mga7
firefox-tl-78.8.0-1.mga7
firefox-tr-78.8.0-1.mga7
firefox-uk-78.8.0-1.mga7
firefox-ur-78.8.0-1.mga7
firefox-uz-78.8.0-1.mga7
firefox-vi-78.8.0-1.mga7
firefox-xh-78.8.0-1.mga7
firefox-zh_CN-78.8.0-1.mga7
firefox-zh_TW-78.8.0-1.mga7
Comment 11 David Walser 2021-03-03 00:52:29 CET
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report; as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs (CVE-2021-23968).

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that’s not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin (CVE-2021-23969).

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that MediaError message
may have revealed information about the resource (CVE-2021-23973).

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Firefox ESR 78.7. Some of
these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
(CVE-2021-23978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23978
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/


SRPMS:
rootcerts-20210223.00-1.mga7.src.rpm
nss-3.62.0-1.mga7.src.rpm
firefox-78.8.0-1.mga7.src.rpm
firefox-l10n-78.8.0-1.mga7.src.rpm
rootcerts-20210223.00-1.mga8.src.rpm
nss-3.62.0-1.mga8.src.rpm
firefox-78.8.0-1.mga8.src.rpm
firefox-l10n-78.8.0-1.mga8.src.rpm
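The redirect-leak behaviour behind CVE-2021-23968 and CVE-2021-23969 in the advisory above, as an added illustration (not Mozilla's or Mageia's code): how a CSP violation report should fill its URL field when the blocked request was redirected, following the W3C rule quoted in the advisory. All function names and the sample URLs are this example's own assumptions.

```javascript
// Added example, not code from Firefox or from this bug. Models the CSP
// violation-report rule quoted in the advisory: report the pre-redirect URL
// the page asked for, or else strip the destination down to its origin.

// Keep only scheme://host[:port]; path, query and fragment are where
// session tokens and other sensitive values usually sit.
function stripToOrigin(url) {
  const u = new URL(url);
  return u.origin === "null" ? "" : u.origin; // opaque origin reports empty
}

// Behaviour the advisory describes as the bug: the full post-redirect URL
// ends up in the report, so anything in its path or query leaks to the
// report-uri endpoint of the embedding page.
function reportedUrlBuggy(requestedUrl, redirectTargets) {
  const hops = redirectTargets.length;
  return hops ? redirectTargets[hops - 1] : requestedUrl;
}

// Spec-conformant behaviour: prefer the URL the page itself requested
// (pre-redirect). If the user agent cannot supply that, reduce the final
// destination to its origin so nothing past the host is disclosed.
function reportedUrlFixed(requestedUrl, redirectTargets, preRedirectKnown = true) {
  const hops = redirectTargets.length;
  if (hops === 0 || preRedirectKnown) return requestedUrl;
  return stripToOrigin(redirectTargets[hops - 1]);
}

// Minimal `csp-report` body as a browser would POST to report-uri, using
// the fixed rule for the blocked-uri field.
function buildViolationReport(documentUri, directive, requestedUrl, redirectTargets, preRedirectKnown = true) {
  return {
    "csp-report": {
      "document-uri": documentUri,
      "violated-directive": directive,
      "blocked-uri": reportedUrlFixed(requestedUrl, redirectTargets, preRedirectKnown),
    },
  };
}

// Constructed scenario: a framed page redirects to a URL whose query carries
// a one-time token, and the embedding page's frame-src blocks the navigation.
const DOCUMENT = "https://app.example/dashboard";
const REQUESTED = "https://start.example/landing";
const REDIRECTS = ["https://sso.example/callback?token=CONSTRUCTED-SECRET"];
```

Compare `reportedUrlBuggy(REQUESTED, REDIRECTS)` with `reportedUrlFixed(REQUESTED, REDIRECTS)` to see the token disappear from the report; a report-uri collector can apply the same origin-only check as a defensive filter on incoming reports.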
Comment 12 Bill Wilkinson 2021-03-03 15:02:22 CET
tested mga8-64
Jetstream, general browsing, video (YouTube) all OK

Whiteboard: MGA7TOO => MGA7TOO mga8-64-ok
CC: (none) => wrw105

Comment 13 Len Lawrence 2021-03-03 19:39:45 CET
mga7, x64 en_GB, en_US

Restored previous session OK.  Tried xkcd, youtube scifi videos, searches, goto links from external application, Jetstream2.  That returned a score of 60, but is that good or bad?  Looks fine.

CC: (none) => tarazed25

Comment 14 Bill Wilkinson 2021-03-04 03:53:23 CET
mga7-32 tested as above, ok.

Whiteboard: MGA7TOO mga8-64-ok => MGA7TOO mga8-64-ok mga7-32-ok

Comment 15 Morgan Leijström 2021-03-04 10:39:10 CET
mga7-64 OK, Plasma, Nvidia-current, Intel i7, Swedish
General browsing, video, various logins on banking, shops...
All updates from testing installed.

CC: (none) => fri

Comment 16 Aurelien Oudelet 2021-03-04 11:45:46 CET
MGA7-64 Plasma
Using QA repo:
firefox-fr-78.8.0-1.mga7
firefox-78.8.0-1.mga7
rootcerts-20210223.00-1.mga7
rootcerts-java-20210223.00-1.mga7
nss-3.62.0-1.mga7
nss-doc-3.62.0-1.mga7
libnss3-3.62.0-1.mga7

OK

MGA8-64 Plasma
Idem with .mga8

OK

SSL site, Widevine DRM enabled contents OK
All usages OK, both systems.

Validating,
Advisory pushed to SVN.

Whiteboard: MGA7TOO mga8-64-ok mga7-32-ok => MGA7TOO MGA7-32-OK MGA7-64-OK MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2021-03-04 13:28:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0097.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

