Bug 32762 - Firefox 115.7
Summary: Firefox 115.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 32706 32763
Reported: 2024-01-24 10:27 CET by Nicolas Salguero
Modified: 2024-02-04 03:51 CET

See Also:
Source RPM: nss, firefox, firefox-l10n
CVE: CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755
Status comment:


Description Nicolas Salguero 2024-01-24 10:27:23 CET
Mozilla has released Firefox 115.7 on January 23:
https://www.mozilla.org/en-US/firefox/115.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
Comment 1 Nicolas Salguero 2024-01-24 10:28:33 CET
NSS 3.97 seems to have been released on January 22.

Source RPM: (none) => nss, firefox, firefox-l10n

Nicolas Salguero 2024-01-24 10:30:07 CET

Blocks: (none) => 32706

Nicolas Salguero 2024-01-24 10:35:41 CET

Blocks: (none) => 32763

Comment 2 Lewis Smith 2024-01-24 21:25:41 CET
Nicolas, you being the maintainer of Firefox, assigning this to you.

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2024-01-29 15:29:42 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Out of bounds write in ANGLE. (CVE-2024-0741)

Failure to update user input timestamp. (CVE-2024-0742)

Crash when listing printers on Linux. (CVE-2024-0746)

Bypass of Content Security Policy when directive unsafe-inline was set. (CVE-2024-0747)

Phishing site popup could show local origin in address bar. (CVE-2024-0749)

Potential permissions request bypass via clickjacking. (CVE-2024-0750)

Privilege escalation through devtools. (CVE-2024-0751)

HSTS policy on subdomain could bypass policy of upper domain. (CVE-2024-0753)

Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. (CVE-2024-0755)

References:
https://www.mozilla.org/en-US/firefox/115.7.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
========================

Updated packages in core/updates_testing:
========================
lib(64)nss3-3.97.0-1.mga9
lib(64)nss-devel-3.97.0-1.mga9
lib(64)nss-static-devel-3.97.0-1.mga9
nss-3.97.0-1.mga9
nss-doc-3.97.0-1.mga9

firefox-115.7.0-1.mga9
firefox-af-115.7.0-1.mga9
firefox-an-115.7.0-1.mga9
firefox-ar-115.7.0-1.mga9
firefox-ast-115.7.0-1.mga9
firefox-az-115.7.0-1.mga9
firefox-be-115.7.0-1.mga9
firefox-bg-115.7.0-1.mga9
firefox-bn-115.7.0-1.mga9
firefox-br-115.7.0-1.mga9
firefox-bs-115.7.0-1.mga9
firefox-ca-115.7.0-1.mga9
firefox-cs-115.7.0-1.mga9
firefox-cy-115.7.0-1.mga9
firefox-da-115.7.0-1.mga9
firefox-de-115.7.0-1.mga9
firefox-el-115.7.0-1.mga9
firefox-en_CA-115.7.0-1.mga9
firefox-en_GB-115.7.0-1.mga9
firefox-en_US-115.7.0-1.mga9
firefox-eo-115.7.0-1.mga9
firefox-es_AR-115.7.0-1.mga9
firefox-es_CL-115.7.0-1.mga9
firefox-es_ES-115.7.0-1.mga9
firefox-es_MX-115.7.0-1.mga9
firefox-et-115.7.0-1.mga9
firefox-eu-115.7.0-1.mga9
firefox-fa-115.7.0-1.mga9
firefox-ff-115.7.0-1.mga9
firefox-fi-115.7.0-1.mga9
firefox-fr-115.7.0-1.mga9
firefox-fur-115.7.0-1.mga9
firefox-fy_NL-115.7.0-1.mga9
firefox-ga_IE-115.7.0-1.mga9
firefox-gd-115.7.0-1.mga9
firefox-gl-115.7.0-1.mga9
firefox-gu_IN-115.7.0-1.mga9
firefox-he-115.7.0-1.mga9
firefox-hi_IN-115.7.0-1.mga9
firefox-hr-115.7.0-1.mga9
firefox-hsb-115.7.0-1.mga9
firefox-hu-115.7.0-1.mga9
firefox-hy_AM-115.7.0-1.mga9
firefox-ia-115.7.0-1.mga9
firefox-id-115.7.0-1.mga9
firefox-is-115.7.0-1.mga9
firefox-it-115.7.0-1.mga9
firefox-ja-115.7.0-1.mga9
firefox-ka-115.7.0-1.mga9
firefox-kab-115.7.0-1.mga9
firefox-kk-115.7.0-1.mga9
firefox-km-115.7.0-1.mga9
firefox-kn-115.7.0-1.mga9
firefox-ko-115.7.0-1.mga9
firefox-lij-115.7.0-1.mga9
firefox-lt-115.7.0-1.mga9
firefox-lv-115.7.0-1.mga9
firefox-mk-115.7.0-1.mga9
firefox-mr-115.7.0-1.mga9
firefox-ms-115.7.0-1.mga9
firefox-my-115.7.0-1.mga9
firefox-nb_NO-115.7.0-1.mga9
firefox-nl-115.7.0-1.mga9
firefox-nn_NO-115.7.0-1.mga9
firefox-oc-115.7.0-1.mga9
firefox-pa_IN-115.7.0-1.mga9
firefox-pl-115.7.0-1.mga9
firefox-pt_BR-115.7.0-1.mga9
firefox-pt_PT-115.7.0-1.mga9
firefox-ro-115.7.0-1.mga9
firefox-ru-115.7.0-1.mga9
firefox-sc-115.7.0-1.mga9
firefox-si-115.7.0-1.mga9
firefox-sk-115.7.0-1.mga9
firefox-sl-115.7.0-1.mga9
firefox-sq-115.7.0-1.mga9
firefox-sr-115.7.0-1.mga9
firefox-sv_SE-115.7.0-1.mga9
firefox-szl-115.7.0-1.mga9
firefox-ta-115.7.0-1.mga9
firefox-te-115.7.0-1.mga9
firefox-tg-115.7.0-1.mga9
firefox-th-115.7.0-1.mga9
firefox-tl-115.7.0-1.mga9
firefox-tr-115.7.0-1.mga9
firefox-uk-115.7.0-1.mga9
firefox-ur-115.7.0-1.mga9
firefox-uz-115.7.0-1.mga9
firefox-vi-115.7.0-1.mga9
firefox-xh-115.7.0-1.mga9
firefox-zh_CN-115.7.0-1.mga9
firefox-zh_TW-115.7.0-1.mga9

from SRPMS:
nss-3.97.0-1.mga9.src.rpm
firefox-115.7.0-1.mga9.src.rpm
firefox-l10n-115.7.0-1.mga9.src.rpm

CVE: (none) => CVE-2024-0741, CVE-2024-0742, CVE-2024-0746, CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753, CVE-2024-0755
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs

Comment 4 Len Lawrence 2024-01-29 21:19:41 CET
Mageia9, x86_64
Updated these:
lib64nss3-3.97.0-1.mga9
lib64nss-devel-3.97.0-1.mga9
lib64nss-static-devel-3.97.0-1.mga9
nss-3.97.0-1.mga9
nss-doc-3.97.0-1.mga9
firefox-en_CA-115.7.0-1.mga9
firefox-en_GB-115.7.0-1.mga9

Relaunched firefox and restored previous session.
Visited some favourite sites, skimmed Guardian article.
Searched for "dust scifi" and found a film to watch on Youtube.  Sound and video OK.  Logged in to bank and checked balances.
Fine here so far.

CC: (none) => tarazed25

Len Lawrence 2024-01-30 16:56:09 CET

Keywords: (none) => advisory

Comment 5 Brian Rockwell 2024-01-30 23:47:52 CET
Intel N4020

Installed and used it for a few hours without any issues.

CC: (none) => brtians1

Comment 6 Morgan Leijström 2024-01-31 12:13:09 CET
mga9-64 OK for me

nvidia GTX750 using nvidia-current-535.154.05-1
kernel 6.6.14 linus and desktop, CPU Intel i7-870
The new mesa, and X11 in testing

Localisation Swedish OK
Settings and opened tabs preserved
Several banking sites, shops, and different login methods
Some video sites including YouTube

CC: (none) => fri

Comment 7 Herman Viaene 2024-02-01 11:22:15 CET
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues
Usual newspaper site, youtube, webmail gmail account, all OK.

CC: (none) => herman.viaene

Comment 8 Brian Rockwell 2024-02-01 14:31:34 CET
MGA9-64, Gnome, Xfce, Plasma

No install issues, Firefox working as expected. I think this is ready for approval.

Comment 9 Thomas Andrews 2024-02-02 14:24:54 CET
No install issues on two systems, working as expected.

Validating the update.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK

Comment 10 Mageia Robot 2024-02-04 03:51:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0023.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
