Mozilla has released Firefox 102.13.0 on July 4:
https://www.mozilla.org/en-US/firefox/102.13.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/

There is also an nss update (no rootcerts or nspr updates):
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/i-wiqdBIjMI
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.91.0-1.mga8
libnss-devel-3.91.0-1.mga8
libnss-static-devel-3.91.0-1.mga8
nss-3.91.0-1.mga8
nss-doc-3.91.0-1.mga8
firefox-102.13.0-1.mga8
firefox-af-102.13.0-1.mga8
firefox-an-102.13.0-1.mga8
firefox-ar-102.13.0-1.mga8
firefox-ast-102.13.0-1.mga8
firefox-az-102.13.0-1.mga8
firefox-be-102.13.0-1.mga8
firefox-bg-102.13.0-1.mga8
firefox-bn-102.13.0-1.mga8
firefox-br-102.13.0-1.mga8
firefox-bs-102.13.0-1.mga8
firefox-ca-102.13.0-1.mga8
firefox-cs-102.13.0-1.mga8
firefox-cy-102.13.0-1.mga8
firefox-da-102.13.0-1.mga8
firefox-de-102.13.0-1.mga8
firefox-el-102.13.0-1.mga8
firefox-en_CA-102.13.0-1.mga8
firefox-en_GB-102.13.0-1.mga8
firefox-en_US-102.13.0-1.mga8
firefox-eo-102.13.0-1.mga8
firefox-es_AR-102.13.0-1.mga8
firefox-es_CL-102.13.0-1.mga8
firefox-es_ES-102.13.0-1.mga8
firefox-es_MX-102.13.0-1.mga8
firefox-et-102.13.0-1.mga8
firefox-eu-102.13.0-1.mga8
firefox-fa-102.13.0-1.mga8
firefox-ff-102.13.0-1.mga8
firefox-fi-102.13.0-1.mga8
firefox-fr-102.13.0-1.mga8
firefox-fy_NL-102.13.0-1.mga8
firefox-ga_IE-102.13.0-1.mga8
firefox-gd-102.13.0-1.mga8
firefox-gl-102.13.0-1.mga8
firefox-gu_IN-102.13.0-1.mga8
firefox-he-102.13.0-1.mga8
firefox-hi_IN-102.13.0-1.mga8
firefox-hr-102.13.0-1.mga8
firefox-hsb-102.13.0-1.mga8
firefox-hu-102.13.0-1.mga8
firefox-hy_AM-102.13.0-1.mga8
firefox-ia-102.13.0-1.mga8
firefox-id-102.13.0-1.mga8
firefox-is-102.13.0-1.mga8
firefox-it-102.13.0-1.mga8
firefox-ja-102.13.0-1.mga8
firefox-ka-102.13.0-1.mga8
firefox-kab-102.13.0-1.mga8
firefox-kk-102.13.0-1.mga8
firefox-km-102.13.0-1.mga8
firefox-kn-102.13.0-1.mga8
firefox-ko-102.13.0-1.mga8
firefox-lij-102.13.0-1.mga8
firefox-lt-102.13.0-1.mga8
firefox-lv-102.13.0-1.mga8
firefox-mk-102.13.0-1.mga8
firefox-mr-102.13.0-1.mga8
firefox-ms-102.13.0-1.mga8
firefox-my-102.13.0-1.mga8
firefox-nb_NO-102.13.0-1.mga8
firefox-nl-102.13.0-1.mga8
firefox-nn_NO-102.13.0-1.mga8
firefox-oc-102.13.0-1.mga8
firefox-pa_IN-102.13.0-1.mga8
firefox-pl-102.13.0-1.mga8
firefox-pt_BR-102.13.0-1.mga8
firefox-pt_PT-102.13.0-1.mga8
firefox-ro-102.13.0-1.mga8
firefox-ru-102.13.0-1.mga8
firefox-si-102.13.0-1.mga8
firefox-sk-102.13.0-1.mga8
firefox-sl-102.13.0-1.mga8
firefox-sq-102.13.0-1.mga8
firefox-sr-102.13.0-1.mga8
firefox-sv_SE-102.13.0-1.mga8
firefox-szl-102.13.0-1.mga8
firefox-ta-102.13.0-1.mga8
firefox-te-102.13.0-1.mga8
firefox-th-102.13.0-1.mga8
firefox-tl-102.13.0-1.mga8
firefox-tr-102.13.0-1.mga8
firefox-uk-102.13.0-1.mga8
firefox-ur-102.13.0-1.mga8
firefox-uz-102.13.0-1.mga8
firefox-vi-102.13.0-1.mga8
firefox-xh-102.13.0-1.mga8
firefox-zh_CN-102.13.0-1.mga8
firefox-zh_TW-102.13.0-1.mga8

from SRPMS:
nss-3.91.0-1.mga8.src.rpm
firefox-102.13.0-1.mga8.src.rpm
firefox-l10n-102.13.0-1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS (CVE-2023-37201).

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free in SpiderMonkey (CVE-2023-37202).

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks (CVE-2023-37207).

When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code (CVE-2023-37208).

Memory safety bugs present in Firefox ESR 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-37211).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37211
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/i-wiqdBIjMI
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
Updates submitted to the build system, freeze move request posted for Cauldron, updated packages should be available on mirrors by the end of the day.
Assignee: luigiwalser => qa-bugs
I thought we do a regular testing here (qa) and move it afterwards, the regular way (maybe move to core and not to updates)
CC: (none) => mageia
MGA9-64 Plasma on an HP Pavilion 15. This install is an upgrade from a MGA8 install, I believe from the beta1 iso but I'm not sure now. After editing the list in comment 0 to change all "mga8" to "mga9" and "lib" to "lib64" I used it in qarepo to download the packages. I believe this is my first use of qarepo in Cauldron, definitely the first on this install, so it made for a good test of that, too. There were no installation issues for the US English version. Checked this out with my normal morning use of a laptop, read my newspaper, checked in on Facebook, looked at a couple of other sites, then threw in watching a brief video on Youtube. No issues to report.
CC: (none) => andrewsfarm
MGA8-64 MATE on Acer Aspire. No installation issues. Newspaper site all OK
CC: (none) => herman.viaene
Blocks: (none) => 32090
OK-64 on Cauldron, been using it some hours with various sites incl shops, banking and video
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => fri
Mageia8, x86_64: Mate
Running here all afternoon for various sites and links from emails.
CC: (none) => tarazed25
Cauldron packages moved to release and are on second rc build
Giving this an MGA8 OK. Waiting on validation for Bug 32090 (Thunderbird), which has not been assigned to QA yet.
Whiteboard: (none) => MGA8-64-OK
While thunderbird depends on the firefox update, firefox does not depend on thunderbird. Quick testing shows that thunderbird-102.12.0-1.mga8 still works ok with this firefox update installed. Validating the update. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
RedHat has issued an advisory for this on July 13: https://access.redhat.com/errata/RHSA-2023:4071
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0235.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Blocks: 32090 => (none)