Bug 28822 - Firefox 78.10 ESR Update
Summary: Firefox 78.10 ESR Update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok mga7-64...
Keywords: advisory, validated_update
Depends on:
Blocks: 28788 28829
Reported: 2021-04-21 11:54 CEST by Jose Manuel López
Modified: 2021-04-29 11:43 CEST

See Also:
Source RPM: Firefox
CVE: CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946
Status comment:


Description Jose Manuel López 2021-04-21 11:54:27 CEST
Description of problem: The new version of Firefox ESR to 78.10 is here.


Version-Release number of selected component (if applicable): Firefox 78 ESR


How reproducible: Go to official Mozilla web, and check the new version.


Steps to Reproduce:
1. Check the version of Firefox in Mageia.
2. Check the official version of Firefox
3. The version of Mageia is outdated.
Comment 1 Aurelien Oudelet 2021-04-22 21:08:22 CEST
Upstream Mozilla has released Firefox ESR 78.10.

It has various stability, functionality, and security fixes:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/

Also, NSS 3.63.1 is out.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63.1_release_notes

It fixes Bug https://bugs.mageia.org/show_bug.cgi?id=28359


Assigning globally, adding CC'd.

Summary: Update request to Firefox 78.10 ESR => Firefox 78.10 ESR Update
Blocks: (none) => 28788
Component: RPM Packages => Security
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => nicolas.salguero, ouaurelien
CVE: (none) => CVE-2021-23961, CVE-2021-23994, CVE-2021-23995, CVE-2021-23998, CVE-2021-23999, CVE-2021-24002, CVE-2021-29945, CVE-2021-29946
QA Contact: (none) => security
Version: 8 => Cauldron

Aurelien Oudelet 2021-04-22 21:08:46 CEST

Assignee: bugsquad => pkg-bugs
Priority: Normal => High
Severity: normal => critical

Aurelien Oudelet 2021-04-22 21:15:27 CEST

Blocks: (none) => 28829

Comment 2 David Walser 2021-04-23 21:07:17 CEST
Current NSS version is actually 3.64:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.64_release_notes

No rootcerts or nspr updates at this time.
Comment 3 Nicolas Lécureuil 2021-04-25 20:01:54 CEST
build in progress for mga7/8/9

CC: (none) => mageia

Comment 4 Nicolas Lécureuil 2021-04-25 21:13:20 CEST
src:

   - mga7:
       - nss-3.64.0-1.mga7
       - firefox-78.10.0-1.mga7
       - firefox-l10n-78.10.0-1.mga7
   - mga8:
       - nss-3.64.0-1.mga8
       - firefox-78.10.0-1.mga8
       - firefox-l10n-78.10.0-1.mga8

Whiteboard: MGA7TOO MGA8TOO => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8

Comment 5 Thomas Backlund 2021-04-25 22:05:39 CEST
Hm...

As nss was not allowed to be built before submitting firefox, they might need a second rebuild in case there is something important we want a "hard dep" on...
Comment 6 Jose Manuel López 2021-04-26 08:18:15 CEST
Hi, 

I have updated Firefox to 78.10, I still cannot enter the login of the Bankinter Empresas website, this is related to our compilation, as I already indicated in the Bug 28359. 

In the official version I don't have this issue.

This screenshot shows the bug: https://bugs.mageia.org/attachment.cgi?id=12341

Greetings!
Comment 7 Nicolas Lécureuil 2021-04-26 12:19:01 CEST
(In reply to Thomas Backlund from comment #5)
> Hm...
> 
> As nss was not allowed to be built before submitting firefox, they might need
> a second rebuild in case there is something important we want a "hard dep"
> on...

Yes, you are right, I just sent a new rebuild of FF for Mageia 7 and 8.
Comment 8 Nicolas Lécureuil 2021-04-26 12:21:06 CEST
(In reply to Jose Manuel López from comment #6)
> Hi, 
> 
> I have updated Firefox to 78.10, I still cannot enter the login of the
> Bankinter Empresas website, this is related to our compilation, as I already
> indicated in the Bug 28359. 
> 
> In the official version I don't have this issue.
> 
> This screenshot shows the bug: https://bugs.mageia.org/attachment.cgi?id=12341
> 
> Greetings!

I tried to understand this, but this is really strange.

I think I should rebuild a FF locally with nothing from system and try to enable one by one to see which one is failing.
Comment 9 Bill Wilkinson 2021-04-26 17:02:20 CEST
Nicolas,

Should we hold this until you have a chance to do the testing or work to push this out now and do the correction as a separate update?

CC: (none) => wrw105

Comment 10 Morgan Leijström 2021-04-26 17:21:05 CEST
MGA8-64 Plasma, nvidia-current, kernel 5.10.30-desktop-1.mga8

Installed
 - firefox-0:78.10.0-1.1.mga8.x86_64
 - firefox-sv_SE-78.10.0-1.mga8.noarch
 - nss-2:3.64.0-1.mga8.x86_64

Already installed as dep when I tested Thunderbird just now:
 - lib64nss3-3.64.0-1.mga8.x86_64

OK: Localisation, settings reopened tabs, plays various video sites, log in to bankings...
Comment 11 David Walser 2021-04-26 17:48:51 CEST
Bill, test what we've got for now.  I don't expect other issues to be fixed quickly or easily.
Comment 12 Nicolas Lécureuil 2021-04-26 17:59:14 CEST
(In reply to David Walser from comment #11)
> Bill, test what we've got for now.  I don't expect other issues to be fixed
> quickly or easily.

Yes, fixing this will be a separate issue, as it can take time to understand/fix.
Comment 13 Bill Wilkinson 2021-04-26 23:24:13 CEST
tested mga8-32

Jetstream, general browsing, video all OK

Whiteboard: MGA7TOO => MGA7TOO mga8-32-ok

Comment 14 Bill Wilkinson 2021-04-27 01:30:25 CEST
Tested mga7-32 as above, all OK.

Whiteboard: MGA7TOO mga8-32-ok => MGA7TOO mga8-32-ok mga7-32-ok

Comment 15 Bill Wilkinson 2021-04-27 03:59:26 CEST
Tested mga7-64 as above, all ok

Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok

Comment 16 Thomas Andrews 2021-04-27 14:49:25 CEST
Tested on mga8-64. Most looks OK. 

After reading the above comments, I didn't expect a change, but I tried to log onto Keybank online banking anyway, without success. Their message has been reworded slightly. Instead of saying that I need something other than Firefox, they now say ours is too old and I need the "latest" version. I have not tried to use Mozilla's ESR with that site yet, so I can't be sure that it's just our ESR that's the problem. 

I hesitate to try much, lest they flag me as someone trying to break in where I shouldn't be, and lock my IP out of my account altogether.

CC: (none) => andrewsfarm

Comment 17 David Walser 2021-04-27 19:45:46 CEST
Red Hat has issued an advisory for this on April 26:
https://access.redhat.com/errata/RHSA-2021:1360
Comment 18 Bill Wilkinson 2021-04-27 19:59:10 CEST
tested mga8-64 as above, all OK. Looks like it's ready for validation when the advisory is uploaded to svn.

Whiteboard: MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok => MGA7TOO mga8-32-ok mga7-32-ok mga7-64-ok mga8-64-ok

Bill Wilkinson 2021-04-27 20:14:12 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 19 Aurelien Oudelet 2021-04-28 17:28:23 CEST
Advisory:
========================

The updated packages fix security vulnerabilities:

More internal network hosts could have been probed by a malicious webpage:
Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2021-23961).

Out of bound write due to lazy initialization:
A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write (CVE-2021-23994).

Use-after-free in Responsive Design Mode:
When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code (CVE-2021-23995).

Secure Lock icon could have been spoofed:
Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page (CVE-2021-23998).

Blob URLs may have been granted additional privileges:
If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content (CVE-2021-23999).

Arbitrary FTP command execution on FTP servers using an encoded URL:
When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server (CVE-2021-24002).

Incorrect size computation in WebAssembly JIT could lead to null-reads:
The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are unaffected. (CVE-2021-29945).

Port blocking could be bypassed:
Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header (CVE-2021-29946).

references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23995
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23999
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29946
https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.64_release_notes
https://access.redhat.com/errata/RHSA-2021:1360
========================

Updated packages in core/updates_testing:
========================
firefox-af-78.10.0-1.mga{7;8}
firefox-an-78.10.0-1.mga{7;8}
firefox-ar-78.10.0-1.mga{7;8}
firefox-ast-78.10.0-1.mga{7;8}
firefox-az-78.10.0-1.mga{7;8}
firefox-be-78.10.0-1.mga{7;8}
firefox-bg-78.10.0-1.mga{7;8}
firefox-bn-78.10.0-1.mga{7;8}
firefox-br-78.10.0-1.mga{7;8}
firefox-bs-78.10.0-1.mga{7;8}
firefox-ca-78.10.0-1.mga{7;8}
firefox-cs-78.10.0-1.mga{7;8}
firefox-cy-78.10.0-1.mga{7;8}
firefox-da-78.10.0-1.mga{7;8}
firefox-de-78.10.0-1.mga{7;8}
firefox-el-78.10.0-1.mga{7;8}
firefox-en_CA-78.10.0-1.mga{7;8}
firefox-en_GB-78.10.0-1.mga{7;8}
firefox-en_US-78.10.0-1.mga{7;8}
firefox-eo-78.10.0-1.mga{7;8}
firefox-es_AR-78.10.0-1.mga{7;8}
firefox-es_CL-78.10.0-1.mga{7;8}
firefox-es_ES-78.10.0-1.mga{7;8}
firefox-es_MX-78.10.0-1.mga{7;8}
firefox-et-78.10.0-1.mga{7;8}
firefox-eu-78.10.0-1.mga{7;8}
firefox-fa-78.10.0-1.mga{7;8}
firefox-ff-78.10.0-1.mga{7;8}
firefox-fi-78.10.0-1.mga{7;8}
firefox-fr-78.10.0-1.mga{7;8}
firefox-fy_NL-78.10.0-1.mga{7;8}
firefox-ga_IE-78.10.0-1.mga{7;8}
firefox-gd-78.10.0-1.mga{7;8}
firefox-gl-78.10.0-1.mga{7;8}
firefox-gu_IN-78.10.0-1.mga{7;8}
firefox-he-78.10.0-1.mga{7;8}
firefox-hi_IN-78.10.0-1.mga{7;8}
firefox-hr-78.10.0-1.mga{7;8}
firefox-hsb-78.10.0-1.mga{7;8}
firefox-hu-78.10.0-1.mga{7;8}
firefox-hy_AM-78.10.0-1.mga{7;8}
firefox-ia-78.10.0-1.mga{7;8}
firefox-id-78.10.0-1.mga{7;8}
firefox-is-78.10.0-1.mga{7;8}
firefox-it-78.10.0-1.mga{7;8}
firefox-ja-78.10.0-1.mga{7;8}
firefox-ka-78.10.0-1.mga{7;8}
firefox-kab-78.10.0-1.mga{7;8}
firefox-kk-78.10.0-1.mga{7;8}
firefox-km-78.10.0-1.mga{7;8}
firefox-kn-78.10.0-1.mga{7;8}
firefox-ko-78.10.0-1.mga{7;8}
firefox-lij-78.10.0-1.mga{7;8}
firefox-lt-78.10.0-1.mga{7;8}
firefox-lv-78.10.0-1.mga{7;8}
firefox-mk-78.10.0-1.mga{7;8}
firefox-mr-78.10.0-1.mga{7;8}
firefox-ms-78.10.0-1.mga{7;8}
firefox-my-78.10.0-1.mga{7;8}
firefox-nb_NO-78.10.0-1.mga{7;8}
firefox-nl-78.10.0-1.mga{7;8}
firefox-nn_NO-78.10.0-1.mga{7;8}
firefox-oc-78.10.0-1.mga{7;8}
firefox-pa_IN-78.10.0-1.mga{7;8}
firefox-pl-78.10.0-1.mga{7;8}
firefox-pt_BR-78.10.0-1.mga{7;8}
firefox-pt_PT-78.10.0-1.mga{7;8}
firefox-ro-78.10.0-1.mga{7;8}
firefox-ru-78.10.0-1.mga{7;8}
firefox-si-78.10.0-1.mga{7;8}
firefox-sk-78.10.0-1.mga{7;8}
firefox-sl-78.10.0-1.mga{7;8}
firefox-sq-78.10.0-1.mga{7;8}
firefox-sr-78.10.0-1.mga{7;8}
firefox-sv_SE-78.10.0-1.mga{7;8}
firefox-ta-78.10.0-1.mga{7;8}
firefox-te-78.10.0-1.mga{7;8}
firefox-th-78.10.0-1.mga{7;8}
firefox-tl-78.10.0-1.mga{7;8}
firefox-tr-78.10.0-1.mga{7;8}
firefox-uk-78.10.0-1.mga{7;8}
firefox-ur-78.10.0-1.mga{7;8}
firefox-uz-78.10.0-1.mga{7;8}
firefox-vi-78.10.0-1.mga{7;8}
firefox-xh-78.10.0-1.mga{7;8}
firefox-zh_CN-78.10.0-1.mga{7;8}
firefox-zh_TW-78.10.0-1.mga{7;8}
lib(64)nss-devel-3.64.0-1.mga{7;8}
lib(64)nss-static-devel-3.64.0-1.mga{7;8}
lib(64)nss3-3.64.0-1.mga{7;8}
nss-3.64.0-1.mga{7;8}
nss-doc-3.64.0-1.mga{7;8}
firefox-78.10.0-1.1.mga{7;8}
firefox-devel-78.10.0-1.1.mga{7;8}

from SRPMS:
========================
firefox-l10n-78.10.0-1.mga{7;8}.src.rpm
nss-3.64.0-1.mga{7;8}.src.rpm
firefox-78.10.0-1.1.mga{7;8}.src.rpm

Keywords: (none) => advisory
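
The port-blocking bypass described in the advisory above (CVE-2021-29946) belongs to a general bug class: a port number is checked at one integer width and used at another. The following C code is an added example, not part of the original comment and not Firefox's code; the function names, the sample block list and the check-then-narrow ordering in the weak form are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample block list for the example; not Firefox's real list. */
static const long kBlockedPorts[] = { 25, 110, 143 };

static bool port_is_blocked(long port) {
    for (size_t i = 0; i < sizeof kBlockedPorts / sizeof kBlockedPorts[0]; i++)
        if (port == kBlockedPorts[i]) return true;
    return false;
}

/* Weak form (assumed ordering): the block list sees the wide parsed value,
 * then the value is narrowed to 16 bits. Returns the port that would be
 * used, or -1 if refused. */
static int weak_alt_svc_port(const char *text) {
    long wide = strtol(text, NULL, 10);
    if (port_is_blocked(wide)) return -1;
    return (uint16_t)wide;            /* wraps modulo 65536 */
}

/* Hardened form: digits only, range-checked before the block list, and
 * never narrowed. */
static int strict_alt_svc_port(const char *text) {
    char *end;
    if (!isdigit((unsigned char)text[0])) return -1;
    errno = 0;
    long wide = strtol(text, &end, 10);
    if (*end != '\0' || errno == ERANGE) return -1;
    if (wide < 1 || wide > 65535) return -1;
    if (port_is_blocked(wide)) return -1;
    return (int)wide;
}

int main(void) {
    const char *samples[] = { "443", "25", "65561" };  /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("%-6s weak=%d strict=%d\n", samples[i],
               weak_alt_svc_port(samples[i]), strict_alt_svc_port(samples[i]));
    return 0;
}
```

The strict form rejects out-of-range text outright instead of normalising it, so the value that reaches the block list is always the value that would be used.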

Comment 20 Aurelien Oudelet 2021-04-28 17:37:41 CEST
MGA8 Plasma x86_64 OK.
Basic usage.
Widevine OK
SSL sites OK.
Bank site OK.

Still reported issues (webrtc, zoom, bigbluebutton,...) non functioning.
See Firefox Tracker Bug 28788.
Comment 21 Jose Manuel López 2021-04-28 19:26:05 CEST
Hi, it works OK, but it still doesn't work with the Bankinter web. The same issue appears.

Greetings!!
Comment 22 Mageia Robot 2021-04-29 11:43:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0199.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

