Bug 30976 - Firefox 102.4
Summary: Firefox 102.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-17 18:11 CEST by David Walser
Modified: 2022-10-21 19:33 CEST

See Also:
Source RPM: nss, firefox
CVE:
Status comment:


Description David Walser 2022-10-17 18:11:55 CEST
Mozilla has released Firefox 102.4.0 today (October 17):
https://www.mozilla.org/en-US/firefox/102.4.0/releasenotes/

The release notes have not been posted yet.

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.84.0-1.mga8
libnss-devel-3.84.0-1.mga8
libnss-static-devel-3.84.0-1.mga8
nss-3.84.0-1.mga8
nss-doc-3.84.0-1.mga8
firefox-102.4.0-1.mga8
firefox-af-102.4.0-1.mga8
firefox-an-102.4.0-1.mga8
firefox-ar-102.4.0-1.mga8
firefox-ast-102.4.0-1.mga8
firefox-az-102.4.0-1.mga8
firefox-be-102.4.0-1.mga8
firefox-bg-102.4.0-1.mga8
firefox-bn-102.4.0-1.mga8
firefox-br-102.4.0-1.mga8
firefox-bs-102.4.0-1.mga8
firefox-ca-102.4.0-1.mga8
firefox-cs-102.4.0-1.mga8
firefox-cy-102.4.0-1.mga8
firefox-da-102.4.0-1.mga8
firefox-de-102.4.0-1.mga8
firefox-el-102.4.0-1.mga8
firefox-en_CA-102.4.0-1.mga8
firefox-en_GB-102.4.0-1.mga8
firefox-en_US-102.4.0-1.mga8
firefox-eo-102.4.0-1.mga8
firefox-es_AR-102.4.0-1.mga8
firefox-es_CL-102.4.0-1.mga8
firefox-es_ES-102.4.0-1.mga8
firefox-es_MX-102.4.0-1.mga8
firefox-et-102.4.0-1.mga8
firefox-eu-102.4.0-1.mga8
firefox-fa-102.4.0-1.mga8
firefox-ff-102.4.0-1.mga8
firefox-fi-102.4.0-1.mga8
firefox-fr-102.4.0-1.mga8
firefox-fy_NL-102.4.0-1.mga8
firefox-ga_IE-102.4.0-1.mga8
firefox-gd-102.4.0-1.mga8
firefox-gl-102.4.0-1.mga8
firefox-gu_IN-102.4.0-1.mga8
firefox-he-102.4.0-1.mga8
firefox-hi_IN-102.4.0-1.mga8
firefox-hr-102.4.0-1.mga8
firefox-hsb-102.4.0-1.mga8
firefox-hu-102.4.0-1.mga8
firefox-hy_AM-102.4.0-1.mga8
firefox-ia-102.4.0-1.mga8
firefox-id-102.4.0-1.mga8
firefox-is-102.4.0-1.mga8
firefox-it-102.4.0-1.mga8
firefox-ja-102.4.0-1.mga8
firefox-ka-102.4.0-1.mga8
firefox-kab-102.4.0-1.mga8
firefox-kk-102.4.0-1.mga8
firefox-km-102.4.0-1.mga8
firefox-kn-102.4.0-1.mga8
firefox-ko-102.4.0-1.mga8
firefox-lij-102.4.0-1.mga8
firefox-lt-102.4.0-1.mga8
firefox-lv-102.4.0-1.mga8
firefox-mk-102.4.0-1.mga8
firefox-mr-102.4.0-1.mga8
firefox-ms-102.4.0-1.mga8
firefox-my-102.4.0-1.mga8
firefox-nb_NO-102.4.0-1.mga8
firefox-nl-102.4.0-1.mga8
firefox-nn_NO-102.4.0-1.mga8
firefox-oc-102.4.0-1.mga8
firefox-pa_IN-102.4.0-1.mga8
firefox-pl-102.4.0-1.mga8
firefox-pt_BR-102.4.0-1.mga8
firefox-pt_PT-102.4.0-1.mga8
firefox-ro-102.4.0-1.mga8
firefox-ru-102.4.0-1.mga8
firefox-si-102.4.0-1.mga8
firefox-sk-102.4.0-1.mga8
firefox-sl-102.4.0-1.mga8
firefox-sq-102.4.0-1.mga8
firefox-sr-102.4.0-1.mga8
firefox-sv_SE-102.4.0-1.mga8
firefox-szl-102.4.0-1.mga8
firefox-ta-102.4.0-1.mga8
firefox-te-102.4.0-1.mga8
firefox-th-102.4.0-1.mga8
firefox-tl-102.4.0-1.mga8
firefox-tr-102.4.0-1.mga8
firefox-uk-102.4.0-1.mga8
firefox-ur-102.4.0-1.mga8
firefox-uz-102.4.0-1.mga8
firefox-vi-102.4.0-1.mga8
firefox-xh-102.4.0-1.mga8
firefox-zh_CN-102.4.0-1.mga8
firefox-zh_TW-102.4.0-1.mga8

from SRPMS:
nss-3.84.0-1.mga8.src.rpm
firefox-102.4.0-1.mga8.src.rpm
firefox-l10n-102.4.0-1.mga8.src.rpm
Comment 1 David Walser 2022-10-17 20:23:49 CEST
Updates have been submitted to the build system and should be available by the end of the day.  Release notes should be available tomorrow.

Assignee: luigiwalser => qa-bugs

Comment 2 Jose Manuel López 2022-10-18 10:52:41 CEST
Installed in MGA8-64 Plasma, all works fine for the moment. 

- Audio and video ok.
- Addons ok.
- Settings and Spanish translation ok.

Updated from 102.3 version without issues in firefox profile.

CC: (none) => joselp

Comment 3 Morgan Leijström 2022-10-18 11:48:08 CEST
mga8-64 Plasma nvidia-current i7


OK, been using it today:
clean update
Settings and open tabs kept
Swedish localisation
Some video sites
Some banking and shops


Old minor problem: The about box says "mageia 1.0"
https://bugs.mageia.org/show_bug.cgi?id=30867#c4

CC: (none) => fri

Comment 4 David Walser 2022-10-18 15:01:26 CEST
Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-45/

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A same-origin policy violation could have allowed the theft of cross-origin URL
entries, leaking the result of a redirect, via performance.getEntries()
(CVE-2022-42927).

Certain types of allocations were missing annotations that, if the Garbage
Collector was in a specific state, could have led to memory corruption in the
JS engine and a potentially exploitable crash (CVE-2022-42928).

If a website called window.print() in a particular way, it could cause a denial
of service of the browser, which may persist beyond browser restart depending on
the user's session restore settings (CVE-2022-42929).

Mozilla developers Ashley Hale and the Mozilla Fuzzing Team reported memory
safety bugs present in Firefox ESR 102.3. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code (CVE-2022-42932).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42932
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-45/
Comment 5 Dave Hodgins 2022-10-18 23:11:16 CEST
Advisory committed to svn. Validating the update.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2022-10-19 01:16:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0378.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2022-10-21 19:33:53 CEST
Red Hat has issued an advisory for this on October 20:
https://access.redhat.com/errata/RHSA-2022:7071
