Bug 29621 - Firefox 91.3
Summary: Firefox 91.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29625
Reported: 2021-11-02 15:55 CET by David Walser
Modified: 2022-10-26 18:39 CEST

See Also:
Source RPM: nss, firefox

Description David Walser 2021-11-02 15:55:30 CET
Mozilla has released Firefox 91.3.0 today (November 2):
https://www.mozilla.org/en-US/firefox/91.3.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/

NSS 3.72 is also out:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7O6a4NlaI2A
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html

Update in progress.

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
nss-3.72.0-1.mga8
nss-doc-3.72.0-1.mga8
libnss3-3.72.0-1.mga8
libnss-devel-3.72.0-1.mga8
libnss-static-devel-3.72.0-1.mga8
firefox-91.3.0-1.mga8
firefox-ru-91.3.0-1.mga8
firefox-uk-91.3.0-1.mga8
firefox-be-91.3.0-1.mga8
firefox-el-91.3.0-1.mga8
firefox-kk-91.3.0-1.mga8
firefox-th-91.3.0-1.mga8
firefox-pa_IN-91.3.0-1.mga8
firefox-ka-91.3.0-1.mga8
firefox-ja-91.3.0-1.mga8
firefox-bg-91.3.0-1.mga8
firefox-sr-91.3.0-1.mga8
firefox-hy_AM-91.3.0-1.mga8
firefox-ko-91.3.0-1.mga8
firefox-zh_TW-91.3.0-1.mga8
firefox-vi-91.3.0-1.mga8
firefox-zh_CN-91.3.0-1.mga8
firefox-hu-91.3.0-1.mga8
firefox-bn-91.3.0-1.mga8
firefox-hi_IN-91.3.0-1.mga8
firefox-ar-91.3.0-1.mga8
firefox-sk-91.3.0-1.mga8
firefox-cs-91.3.0-1.mga8
firefox-ur-91.3.0-1.mga8
firefox-hsb-91.3.0-1.mga8
firefox-lt-91.3.0-1.mga8
firefox-te-91.3.0-1.mga8
firefox-fr-91.3.0-1.mga8
firefox-he-91.3.0-1.mga8
firefox-pl-91.3.0-1.mga8
firefox-sq-91.3.0-1.mga8
firefox-fa-91.3.0-1.mga8
firefox-de-91.3.0-1.mga8
firefox-oc-91.3.0-1.mga8
firefox-tr-91.3.0-1.mga8
firefox-kab-91.3.0-1.mga8
firefox-es_MX-91.3.0-1.mga8
firefox-es_AR-91.3.0-1.mga8
firefox-es_CL-91.3.0-1.mga8
firefox-pt_PT-91.3.0-1.mga8
firefox-fy_NL-91.3.0-1.mga8
firefox-pt_BR-91.3.0-1.mga8
firefox-gl-91.3.0-1.mga8
firefox-cy-91.3.0-1.mga8
firefox-sv_SE-91.3.0-1.mga8
firefox-gd-91.3.0-1.mga8
firefox-km-91.3.0-1.mga8
firefox-ro-91.3.0-1.mga8
firefox-mr-91.3.0-1.mga8
firefox-gu_IN-91.3.0-1.mga8
firefox-hr-91.3.0-1.mga8
firefox-sl-91.3.0-1.mga8
firefox-nl-91.3.0-1.mga8
firefox-es_ES-91.3.0-1.mga8
firefox-eo-91.3.0-1.mga8
firefox-ca-91.3.0-1.mga8
firefox-da-91.3.0-1.mga8
firefox-fi-91.3.0-1.mga8
firefox-eu-91.3.0-1.mga8
firefox-ia-91.3.0-1.mga8
firefox-nn_NO-91.3.0-1.mga8
firefox-nb_NO-91.3.0-1.mga8
firefox-br-91.3.0-1.mga8
firefox-id-91.3.0-1.mga8
firefox-tl-91.3.0-1.mga8
firefox-my-91.3.0-1.mga8
firefox-ta-91.3.0-1.mga8
firefox-en_GB-91.3.0-1.mga8
firefox-szl-91.3.0-1.mga8
firefox-en_CA-91.3.0-1.mga8
firefox-an-91.3.0-1.mga8
firefox-ast-91.3.0-1.mga8
firefox-kn-91.3.0-1.mga8
firefox-az-91.3.0-1.mga8
firefox-si-91.3.0-1.mga8
firefox-en_US-91.3.0-1.mga8
firefox-et-91.3.0-1.mga8
firefox-ff-91.3.0-1.mga8
firefox-lij-91.3.0-1.mga8
firefox-uz-91.3.0-1.mga8
firefox-is-91.3.0-1.mga8
firefox-mk-91.3.0-1.mga8
firefox-lv-91.3.0-1.mga8
firefox-bs-91.3.0-1.mga8
firefox-ga_IE-91.3.0-1.mga8
firefox-it-91.3.0-1.mga8
firefox-ms-91.3.0-1.mga8
firefox-xh-91.3.0-1.mga8
firefox-af-91.3.0-1.mga8

from SRPMS:
nss-3.72.0-1.mga8.src.rpm
firefox-91.3.0-1.mga8.src.rpm
firefox-l10n-91.3.0-1.mga8.src.rpm
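
A host-side check against the package list above, as an added example that is not part of the original bug report or Mageia's tooling: it flags installed nss and firefox packages older than the fixed builds. The version comparison is a simplified form of RPM's segment comparison (no epoch, `~` or `^`), the `lib64` package names are an assumption because the page lists only the `libnss*` names, and the sample input is constructed.

```python
import re

# Fixed (version, release) per source package, from this update's package list.
FIXED = {"nss": ("3.72.0", "1.mga8"), "firefox": ("91.3.0", "1.mga8")}
NSS_NAMES = {"nss", "nss-doc", "libnss3", "libnss-devel", "libnss-static-devel"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM segment comparison: returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def family(name):
    """Map a binary package name to the source package it is built from."""
    if name == "firefox" or name.startswith("firefox-"):
        return "firefox"
    # Assumption: 64-bit library packages use a lib64 prefix (not on the page).
    if name.replace("lib64", "lib", 1) in NSS_NAMES:
        return "nss"
    return None

def outdated(nvr_lines):
    """Return name-version-release strings older than the fixed build."""
    stale = []
    for line in nvr_lines:
        parts = line.strip().rsplit("-", 2)  # names may contain hyphens
        if len(parts) != 3 or family(parts[0]) is None:
            continue
        fixed_ver, fixed_rel = FIXED[family(parts[0])]
        if (rpmvercmp(parts[1], fixed_ver) or rpmvercmp(parts[2], fixed_rel)) < 0:
            stale.append(line.strip())
    return stale

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output.
SAMPLE = """firefox-91.2.0-1.mga8
firefox-en_GB-91.3.0-1.mga8
nss-3.72.0-1.mga8
lib64nss3-3.71.0-1.mga8
bash-5.1.4-1.mga8""".splitlines()

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print("needs update:", pkg)
```
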
Comment 1 David Walser 2021-11-04 15:52:17 CET
RedHat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2021:4123

Packages are uploading now and should be available in the next few hours.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The iframe sandbox rules were not correctly applied to XSLT stylesheets,
allowing an iframe to bypass restrictions such as executing scripts or
navigating the top-level frame (CVE-2021-38503).

When interacting with an HTML input element's file picker dialog with
webkitdirectory set, a use-after-free could have resulted, leading to memory
corruption and a potentially exploitable crash (CVE-2021-38504).

Through a series of navigations, Firefox could have entered fullscreen mode
without notification or warning to the user. This could lead to spoofing
attacks on the browser UI including phishing (CVE-2021-38506).

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection
to be transparently upgraded to TLS while retaining the visual properties of
an HTTP connection, including being same-origin with unencrypted connections
on port 80. However, if a second encrypted port on the same IP address (e.g.
port 8443) did not opt in to opportunistic encryption, a network attacker
could forward a connection from the browser to port 443 to port 8443, causing
the browser to treat the content of port 8443 as same-origin with HTTP. This
was resolved by disabling the Opportunistic Encryption feature, which had low
usage (CVE-2021-38507).

A use-after-free could have occurred when an HTTP2 session object was released
on a different thread, leading to memory corruption and a potentially
exploitable crash (MOZ-2021-0008).

By displaying a form validity message in the correct location at the same time
as a permission prompt (such as for geolocation), the validity message could
have obscured the prompt, resulting in the user potentially being tricked into
granting the permission (CVE-2021-38508).

Due to an unusual sequence of attacker-controlled events, a Javascript alert()
dialog with arbitrary (although unstyled) contents could be displayed over top
an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).

Mozilla developers and community members Christian Holler, Valentin Gosu, and
Andrew McCreight reported memory safety bugs present in Firefox ESR 91.2. Some
of these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
(MOZ-2021-0007).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html

Assignee: luigiwalser => qa-bugs

Comment 2 Jose Manuel López 2021-11-05 09:26:41 CET
Hi!

I have tried the new version. Works fine: banks, downloads, settings, language correct in Spanish.

Greetings!

CC: (none) => joselpddj

Comment 3 Hugues Detavernier 2021-11-05 14:48:29 CET
Hi,

Tested on Mageia Gnome X64.

I've tried several websites, legal streaming audio and video websites, bank ... settings, installed extensions, French settings.

All is OK and works fine.

CC: (none) => hdetavernier

David Walser 2021-11-05 16:48:43 CET

Blocks: (none) => 29625

Comment 4 Herman Viaene 2021-11-05 22:04:23 CET
MGA8-64 Plasma on Lenovo B50
No installation issues. 
Dutch settings, no issues seen on usual operations.

CC: (none) => herman.viaene

Comment 5 Morgan Leijström 2021-11-06 17:52:26 CET
OK mga8-64, Plasma, nvidia-current, Swedish
Open tabs and settings retained.
Banking apps, a bunch of sites I normally visit, video, ...

CC: (none) => fri

Comment 6 Guillaume Royer 2021-11-06 19:29:51 CET
MGA 64 XFCE with nvidia 520M driver 390.
French version.

No issues after update.
Tried with:

- Bank
- Element client matrix
- Netflix

I can't test it with visio like Jitsi or BBB

CC: (none) => guillaume.royer

Comment 7 Thomas Andrews 2021-11-08 00:00:59 CET
MGA8-64 Plasma, tested US English version. Tried several websites, Facebook, newspaper, YouTube, Mageia Bugzilla. No issues noted.

CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2021-11-08 00:44:53 CET
MGA8-32 Xfce on real 32-bit hardware, updating US, CA, and GB English.

No installation issues. No problems using the existing profile. Tried some websites, including the GOES visible satellite loop for the Northeastern US. Lights of Toronto, Buffalo, Rochester, Syracuse, Albany, Pittsburgh, Cleveland, Washington DC, New York City, Boston, and others in the image. Pretty.

No issues noted.

Giving this an OK, and validating. Advisory in Comment 1.

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 papoteur 2021-11-08 17:45:08 CET
Tested 64-bit version.
No regression seen.

CC: (none) => yves.brungard_mageia

Dave Hodgins 2021-11-10 18:48:26 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2021-11-10 23:54:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0505.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 David Walser 2022-10-26 18:39:15 CEST
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs.  SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0505.html
Mozilla Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Suggested change(s):
MOZ-2021-0008 -> CVE-2021-43535
MOZ-2021-0007 -> CVE-2021-43534
