Bug 28641 - Firefox 78.9, NSPR 4.30 and NSS 3.63
Summary: Firefox 78.9, NSPR 4.30 and NSS 3.63
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO mga8-64-ok mga8-32-ok mga7-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks: 28642
 
Reported: 2021-03-25 09:12 CET by Nicolas Salguero
Modified: 2022-10-26 18:39 CEST

See Also:
Source RPM: firefox, firefox-l10n, nss, nspr
CVE:
Status comment:



Description Nicolas Salguero 2021-03-25 09:12:07 CET
Mozilla has released Firefox 78.9.0 on March 23:
https://www.mozilla.org/en-US/firefox/78.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/

Mageia 7 and 8 also affected.
Nicolas Salguero 2021-03-25 09:12:36 CET

Source RPM: (none) => firefox, firefox-l10n
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Salguero 2021-03-25 09:30:32 CET
NSS 3.63 is also out:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes

Source RPM: firefox, firefox-l10n => firefox, firefox-l10n, nss

Nicolas Salguero 2021-03-25 09:30:49 CET

Blocks: (none) => 28642

Nicolas Salguero 2021-03-25 09:31:22 CET

Summary: Firefox 78.9 => Firefox 78.9 and NSS 3.63

Comment 2 Nicolas Salguero 2021-03-25 09:37:23 CET
There is also a new release of NSPR (4.30) which is required by NSS 3.63:
https://groups.google.com/g/mozilla.dev.tech.nspr/c/wwXfLFWZRlA

Source RPM: firefox, firefox-l10n, nss => firefox, firefox-l10n, nss, nspr
Summary: Firefox 78.9 and NSS 3.63 => Firefox 78.9 NSPR 4.30 and NSS 3.63

Nicolas Salguero 2021-03-25 09:37:31 CET

Summary: Firefox 78.9 NSPR 4.30 and NSS 3.63 => Firefox 78.9, NSPR 4.30 and NSS 3.63

Comment 3 Nicolas Salguero 2021-03-25 09:42:50 CET
There is also rootcerts 20210308.

Source RPM: firefox, firefox-l10n, nss, nspr => firefox, firefox-l10n, nss, nspr, rootcerts

Comment 4 Nicolas Salguero 2021-03-25 09:56:49 CET
Oops, finally rootcerts appears to be the same as current version.

Source RPM: firefox, firefox-l10n, nss, nspr, rootcerts => firefox, firefox-l10n, nss, nspr

Comment 5 Lewis Smith 2021-03-25 19:17:40 CET
Assigning it to you, Nicolas, as you are already very involved!

Assignee: bugsquad => nicolas.salguero

Comment 6 Nicolas Lécureuil 2021-03-25 22:00:29 CET
pushed in cauldron mga7/8 by Nicolas:

src:
   - mageia 7:
         - nss-3.63.0-1.mga7
         - nspr-4.30-1.mga7
         - firefox-78.9.0-1.mga7
         - firefox-l10n-78.9.0-1.mga7
   - mageia 8:
         - nss-3.63.0-1.mga8
         - nspr-4.30-1.mga8
         - firefox-78.9.0-1.mga8
         - firefox-l10n-78.9.0-1.mga8

Version: Cauldron => 8
Assignee: nicolas.salguero => qa-bugs
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 7 Morgan Leijström 2021-03-26 01:05:51 CET
mga7-64 Plasma Nvidia-current quick test OK
Picking up settings and previous open tabs
Swedish locale
Video playing on various sites
Banking logins and other
Viewing and printing pdf

CC: (none) => fri

Comment 8 Brian Rockwell 2021-03-26 04:07:02 CET
MGA8-64 Gnome nvidia (390) - phys hardware.

The following 6 packages are going to be installed:

- firefox-78.9.0-1.mga8.x86_64
- firefox-en_GB-78.9.0-1.mga8.noarch
- firefox-en_US-78.9.0-1.mga8.noarch
- lib64nspr4-4.30-1.mga8.x86_64
- lib64nss3-3.63.0-1.mga8.x86_64
- nss-3.63.0-1.mga8.x86_64


Used it for videos, etc.

Working

CC: (none) => brtians1

Comment 9 Nicolas Salguero 2021-03-26 09:10:34 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Texture upload into an unbound backing buffer resulted in an out-of-bound read. (CVE-2021-23981)

Angle graphics library out of date. (MOZ-2021-0002)

Internal network hosts could have been probed by a malicious webpage. (CVE-2021-23982)

Malicious extensions could have spoofed popup information. (CVE-2021-23984)

Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9. (CVE-2021-23987)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23987
https://www.mozilla.org/en-US/firefox/78.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
https://groups.google.com/g/mozilla.dev.tech.nspr/c/wwXfLFWZRlA

Status: NEW => ASSIGNED

Comment 10 Thomas Andrews 2021-03-27 20:55:30 CET
I have been using this for a few hours now on mga8-64 Plasma. No issues noted.

CC: (none) => andrewsfarm

Comment 11 Guillaume Royer 2021-03-28 13:35:15 CEST
MGA8 XFCE with core I3 4 GB RAM Nvidia driver 390

Update with QA repo and with: 

firefox-78.9.0-1.mga8
firefox-fr-78.9.0-1.mga8

Installation OK, Bank site, Netflix, Mastodon ok
Element Matrix NOK, Can't connect to server, it was the same problem on older versions

CC: (none) => guillaume.royer

Comment 12 Guillaume Royer 2021-03-28 13:56:19 CEST
MGA7 GNOME with core I3 4 GB RAM Nvidia driver 390

Update with QA repo and with: 

nss-3.63.0-1.mga7
firefox-78.9.0-1.mga7
firefox-fr-78.9.0-1.mga7
lib64nspr4-4.30-1.mga7
 

Installation OK, Bank site, Netflix, Mastodon ok
Element Matrix NOK, Can't connect to server, it was the same problem on older versions
Comment 13 Bill Wilkinson 2021-03-29 22:38:30 CEST
Tested mga8-64
Jetstream, general browsing, video (Youtube), all OK.

CC: (none) => wrw105
Whiteboard: MGA7TOO => MGA7TOO mga8-64-ok

Comment 14 Brian Rockwell 2021-03-30 00:03:30 CEST
MGA8-64, Plasma

Tested, seems to be working as expected.
Comment 15 Bill Wilkinson 2021-03-30 04:13:07 CEST
tested mga8-32 in virtualbox guest

tested as above, all OK.

Whiteboard: MGA7TOO mga8-64-ok => MGA7TOO mga8-64-ok mga8-32-ok

Comment 16 Bill Wilkinson 2021-03-30 15:36:59 CEST
Tested mga7-32 in virtualbox, as above, all ok.

Whiteboard: MGA7TOO mga8-64-ok mga8-32-ok => MGA7TOO mga8-64-ok mga8-32-ok mga7-32-ok

Comment 17 Aurelien Oudelet 2021-03-30 18:19:24 CEST
Validating.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 18 Mageia Robot 2021-03-30 22:11:14 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0163.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 19 David Walser 2021-03-30 23:08:07 CEST
RedHat has issued an advisory for this on March 25:
https://access.redhat.com/errata/RHSA-2021:0990
Comment 20 David Walser 2022-10-26 18:39:30 CEST
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs.  SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0163.html
Mozilla Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/
Suggested change(s):
MOZ-2021-0002 -> CVE-2021-4127
