Bug 32551 - Firefox 115.5
Summary: Firefox 115.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 32552
Reported: 2023-11-22 10:13 CET by Nicolas Salguero
Modified: 2023-12-08 12:57 CET

See Also:
Source RPM: rootcerts, nss, firefox, firefox-l10n
CVE: CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212
Status comment:

Description Nicolas Salguero 2023-11-22 10:13:12 CET
Mozilla has released Firefox 115.5 on November 21:
https://www.mozilla.org/en-US/firefox/115.5.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/
Comment 1 Nicolas Salguero 2023-11-22 10:14:05 CET
There is also an update for rootcerts (2023-11-13).

CC: (none) => nicolas.salguero
Source RPM: (none) => rootcerts, firefox, firefox-l10n
Whiteboard: (none) => MGA9TOO

Comment 2 Lewis Smith 2023-11-22 21:13:41 CET
Nicolas, once again excuse me for assigning this to you - being the principal maintainer of Firefox.

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)

Nicolas Salguero 2023-11-24 11:36:32 CET

Assignee: nicolas.salguero => pkg-bugs

Comment 3 Nicolas Salguero 2023-11-27 15:30:38 CET
(In reply to Nicolas Salguero from comment #1)
> There is also an update for rootcerts (2023-11-13).

In fact, rootcerts (2023-11-16).
Comment 4 Nicolas Salguero 2023-11-27 15:50:17 CET
For Cauldron and Mageia 9, new versions of rootcerts, firefox and firefox-l10n are in SVN.
Comment 5 Nicolas Salguero 2023-11-30 10:26:34 CET
NSS 3.95 was released on November 16:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html

Source RPM: rootcerts, firefox, firefox-l10n => rootcerts, nss, firefox, firefox-l10n

Nicolas Salguero 2023-11-30 10:28:12 CET

Blocks: (none) => 32552

Comment 6 Nicolas Salguero 2023-11-30 16:15:39 CET
firefox-115.5.0-3.mga9 will include a patch from Centos for CVE-2023-44488 (see bug 32586).
Comment 7 Nicolas Salguero 2023-12-01 15:51:19 CET
For Mageia 9, all is built. For Cauldron, firefox and firefox-l10n need to be built.

Updated packages in core/updates_testing:
========================
rootcerts-20231116.00-1.mga9
rootcerts-java-20231116.00-1.mga9

lib(64)nss3-3.95.0-1.mga9
lib(64)nss-devel-3.95.0-1.mga9
lib(64)nss-static-devel-3.95.0-1.mga9
nss-3.95.0-1.mga9
nss-doc-3.95.0-1.mga9

firefox-115.5.0-3.mga9
firefox-af-115.5.0-1.mga9
firefox-an-115.5.0-1.mga9
firefox-ar-115.5.0-1.mga9
firefox-ast-115.5.0-1.mga9
firefox-az-115.5.0-1.mga9
firefox-be-115.5.0-1.mga9
firefox-bg-115.5.0-1.mga9
firefox-bn-115.5.0-1.mga9
firefox-br-115.5.0-1.mga9
firefox-bs-115.5.0-1.mga9
firefox-ca-115.5.0-1.mga9
firefox-cs-115.5.0-1.mga9
firefox-cy-115.5.0-1.mga9
firefox-da-115.5.0-1.mga9
firefox-de-115.5.0-1.mga9
firefox-el-115.5.0-1.mga9
firefox-en_CA-115.5.0-1.mga9
firefox-en_GB-115.5.0-1.mga9
firefox-en_US-115.5.0-1.mga9
firefox-eo-115.5.0-1.mga9
firefox-es_AR-115.5.0-1.mga9
firefox-es_CL-115.5.0-1.mga9
firefox-es_ES-115.5.0-1.mga9
firefox-es_MX-115.5.0-1.mga9
firefox-et-115.5.0-1.mga9
firefox-eu-115.5.0-1.mga9
firefox-fa-115.5.0-1.mga9
firefox-ff-115.5.0-1.mga9
firefox-fi-115.5.0-1.mga9
firefox-fr-115.5.0-1.mga9
firefox-fur-115.5.0-1.mga9
firefox-fy_NL-115.5.0-1.mga9
firefox-ga_IE-115.5.0-1.mga9
firefox-gd-115.5.0-1.mga9
firefox-gl-115.5.0-1.mga9
firefox-gu_IN-115.5.0-1.mga9
firefox-he-115.5.0-1.mga9
firefox-hi_IN-115.5.0-1.mga9
firefox-hr-115.5.0-1.mga9
firefox-hsb-115.5.0-1.mga9
firefox-hu-115.5.0-1.mga9
firefox-hy_AM-115.5.0-1.mga9
firefox-ia-115.5.0-1.mga9
firefox-id-115.5.0-1.mga9
firefox-is-115.5.0-1.mga9
firefox-it-115.5.0-1.mga9
firefox-ja-115.5.0-1.mga9
firefox-ka-115.5.0-1.mga9
firefox-kab-115.5.0-1.mga9
firefox-kk-115.5.0-1.mga9
firefox-km-115.5.0-1.mga9
firefox-kn-115.5.0-1.mga9
firefox-ko-115.5.0-1.mga9
firefox-lij-115.5.0-1.mga9
firefox-lt-115.5.0-1.mga9
firefox-lv-115.5.0-1.mga9
firefox-mk-115.5.0-1.mga9
firefox-mr-115.5.0-1.mga9
firefox-ms-115.5.0-1.mga9
firefox-my-115.5.0-1.mga9
firefox-nb_NO-115.5.0-1.mga9
firefox-nl-115.5.0-1.mga9
firefox-nn_NO-115.5.0-1.mga9
firefox-oc-115.5.0-1.mga9
firefox-pa_IN-115.5.0-1.mga9
firefox-pl-115.5.0-1.mga9
firefox-pt_BR-115.5.0-1.mga9
firefox-pt_PT-115.5.0-1.mga9
firefox-ro-115.5.0-1.mga9
firefox-ru-115.5.0-1.mga9
firefox-sc-115.5.0-1.mga9
firefox-si-115.5.0-1.mga9
firefox-sk-115.5.0-1.mga9
firefox-sl-115.5.0-1.mga9
firefox-sq-115.5.0-1.mga9
firefox-sr-115.5.0-1.mga9
firefox-sv_SE-115.5.0-1.mga9
firefox-szl-115.5.0-1.mga9
firefox-ta-115.5.0-1.mga9
firefox-te-115.5.0-1.mga9
firefox-tg-115.5.0-1.mga9
firefox-th-115.5.0-1.mga9
firefox-tl-115.5.0-1.mga9
firefox-tr-115.5.0-1.mga9
firefox-uk-115.5.0-1.mga9
firefox-ur-115.5.0-1.mga9
firefox-uz-115.5.0-1.mga9
firefox-vi-115.5.0-1.mga9
firefox-xh-115.5.0-1.mga9
firefox-zh_CN-115.5.0-1.mga9
firefox-zh_TW-115.5.0-1.mga9

from SRPMS:
rootcerts-20231116.00-1.mga9.src.rpm
nss-3.95.0-1.mga9.src.rpm
firefox-115.5.0-3.mga9.src.rpm
firefox-l10n-115.5.0-1.mga9.src.rpm
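As an added check that is not part of this bug report or of the Mageia packages: a Python script that reads an inventory of installed packages (lines of the form `name version release arch`, the shape of the rpm output QA testers paste into these reports) and lists which tracked packages are still below the fixed versions in the update list above. The version ordering is a simplified rpmvercmp (epochs are not modelled) and the sample inventory is constructed.

```python
import re
# Fixed name -> (version, release) from the update list above; epoch assumed 0.
FIXED = {
    "firefox": ("115.5.0", "3.mga9"),
    "nss": ("3.95.0", "1.mga9"),
    "lib64nss3": ("3.95.0", "1.mga9"),
    "rootcerts": ("20231116.00", "1.mga9"),
}

def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version strings roughly as rpm does."""
    # rpm splits on non-alphanumerics into digit runs and alpha runs
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(vr_a, vr_b):
    # version decides; release only breaks ties (epochs not modelled)
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])

def parse_inventory(text):
    """Parse 'name version release arch' lines into name -> (version, release)."""
    inv = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3:
            inv[parts[0]] = (parts[1], parts[2])
    return inv

def unpatched(inventory):
    """Tracked packages still installed below the fixed version/release."""
    return sorted(n for n, vr in inventory.items()
                  if n in FIXED and vr_cmp(vr, FIXED[n]) < 0)

# Constructed sample: firefox on the previous build, lib64nss3 still on 3.94.
SAMPLE = """
firefox      115.5.0      2.mga9  x86_64
firefox-fr   115.5.0      1.mga9  noarch
lib64nss3    3.94.0       1.mga9  x86_64
nss          3.95.0       1.mga9  x86_64
rootcerts    20231116.00  1.mga9  noarch
"""
```

On a real system the inventory can be produced with `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'` and passed to `parse_inventory`.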
Comment 8 Morgan Leijström 2023-12-03 19:28:32 CET
Ready for QA?
If so, assign to QA :)

CC: (none) => fri

Comment 9 Nicolas Salguero 2023-12-04 17:57:16 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Out-of-bound memory access in WebGL2 blitFramebuffer. (CVE-2023-6204)

Use-after-free in MessagePort::Entangled. (CVE-2023-6205)

Clickjacking permission prompts using the fullscreen transition. (CVE-2023-6206)

Use-after-free in ReadableByteStreamQueueEntry::Buffer. (CVE-2023-6207)

Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

Incorrect parsing of relative URLs starting with "///". (CVE-2023-6209)

Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. (CVE-2023-6212)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6212
https://www.mozilla.org/en-US/firefox/115.5.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_95.html

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)

Comment 10 Morgan Leijström 2023-12-04 18:53:33 CET
This version as well as our last update does not list the article in this catalogue at page https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/

Just me? (maybe I have some plugin or too many tabs or some setting...)
Even stranger, other listings on that site work.

Our chromium displays the content (232 products), as does Firefox flatpak 119.0.1.
Comment 11 Marja Van Waes 2023-12-04 23:57:34 CET
Advisory from comment 9 with SRPMs from comment 7 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 12 Nicolas Salguero 2023-12-05 14:21:39 CET
(In reply to Morgan Leijström from comment #10)
> This version as well as our last update does not list the article in this
> catalogue at page
> https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/
> 
> Just me? (maybe I have some plugin or too many tabs or some setting...)
> Even stranger, other listings on that site work.

In my tests, I did not see any difference between what is displayed with firefox 115.5 and chromium.
Comment 13 Len Lawrence 2023-12-05 20:51:36 CET
Mageia9, x86_64
Before updating, the indicated page worked fine for the current firefox 115.4 and chromium-browser, and it continued to work for the updated firefox, all with en_GB/CA/US. The updated browser works fine.

CC: (none) => tarazed25

Comment 14 Guillaume Royer 2023-12-05 21:26:23 CET
MGA9 x86_64 GNOME

Updated with QArepo and RPM:

firefox                        115.5.0      3.mga9        x86_64  
firefox-fr                     115.5.0      1.mga9        noarch  
lib64nss3                      3.95.0       1.mga9        x86_64  
nss                            3.95.0       1.mga9        x86_64  
rootcerts                      20231116.00  1.mga9        noarch  
rootcerts-java                 20231116.00  1.mga9        noarch  

Browsing OK, sites:

Bank Ok
Streaming (Netflix) Ok
Element web matrix Ok

CC: (none) => guillaume.royer

Comment 15 Jens Persson 2023-12-05 23:26:20 CET
Could you please consider adding support for Wayland?

--enable-default-toolkit=cairo-gtk3-wayland


https://svnweb.mageia.org/packages/cauldron/firefox/current/SPECS/firefox.spec?revision=2013416&view=markup&pathrev=2013501#l296

CC: (none) => xerxes2

Marja Van Waes 2023-12-06 12:37:18 CET

CVE: (none) => CVE-2023-6204, CVE-2023-6205, CVE-2023-6206, CVE-2023-6207, CVE-2023-6208, CVE-2023-6209, CVE-2023-6212

Comment 16 Herman Viaene 2023-12-06 16:36:29 CET
MGA9-64 MATE on HP Pavilion
No installation issues

After doing this update, usual newspaper site with text, images, livestream all OK.

CC: (none) => herman.viaene

Comment 17 Morgan Leijström 2023-12-06 16:38:56 CET
OK mga9-64 Plasma nvidia470 Swedish

Translation OK, settings and tabs restored.

Videos, banking, Tax office, shops, news

Weird issue in comment 10 cannot be packaging related.
Comment 18 Thomas Andrews 2023-12-08 05:31:31 CET
I've used this on three mga9-64 Plasma installs and one mga9-32 Xfce install over the last two days without issues. 

I use DuckDuckGo as my home page, and for a while today I wondered about the update because when the search site came up it immediately scrolled to the bottom of the page, unlike before. But I checked with the older Firefox, and it was doing the same, and then about two hours ago it displayed the way it's supposed to again.

I've decided it was a glitch with the page, and not with Firefox.

So it looks OK on all those systems.

CC: (none) => andrewsfarm

Comment 19 Thomas Andrews 2023-12-08 05:34:53 CET
(In reply to Morgan Leijström from comment #10)
> This version as well as our last update does not list the article in this
> catalogue at page
> https://se.rs-online.com/web/c/displays-optoelectronics/led-lighting-components/cob-leds/
> 
> Just me? (maybe I have some plugin or too many tabs or some setting...)
> Even stranger, other listings on that site work.
> 
> Our chromium displays the content (232 products), as does Firefox flatpak
> 119.0.1.

That page displayed the content on my system with our Firefox, but after I told it I would accept all cookies. (At least I think that's what it was - it wasn't in English.) Could it be you are somehow set to reject their cookies in our Firefox?
Comment 20 Thomas Andrews 2023-12-08 05:37:43 CET
Given that this is a critical security update, I think it's time to send it on. Validating.

Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 21 Mageia Robot 2023-12-08 12:57:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0342.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
