Bug 32986 - Firefox 115.9.1
Summary: Firefox 115.9.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 32987
 
Reported: 2024-03-20 09:22 CET by Nicolas Salguero
Modified: 2024-03-27 20:25 CET

See Also:
Source RPM: nss, firefox, firefox-l10n
CVE: CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2023-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-29944
Status comment:


Description Nicolas Salguero 2024-03-20 09:22:21 CET
Mozilla has released Firefox 115.9 on March 19:
https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/

Mozilla has released NSS 3.99 on March 15:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html

Nicolas Salguero 2024-03-20 09:22:37 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => nss, firefox, firefox-l10n

Nicolas Salguero 2024-03-20 09:24:31 CET

Blocks: (none) => 32987

Nicolas Salguero 2024-03-20 09:28:49 CET

CVE: (none) => CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2023-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614

Comment 1 Lewis Smith 2024-03-20 20:49:22 CET
Excuse me assigning this to you, but you normally update these pkgs.

Assignee: bugsquad => nicolas.salguero

Comment 2 Morgan Leijström 2024-03-21 14:33:31 CET
mga9-64 OK here, clean update
Remembered settings and a hundred+ open tabs
Swedish locale
Video sites
Banking sites
Webshops
Mageia pages :)
Printing

Seems to be OK to set to QA

Assignee: nicolas.salguero => qa-bugs
CC: (none) => fri

Comment 3 Nicolas Salguero 2024-03-21 15:06:27 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Crash in NSS TLS method. (CVE-2024-0743)

JIT code failed to save return registers on Armv7-A. (CVE-2024-2607)

Integer overflow could have led to out of bounds write. (CVE-2024-2608)

Improve handling of out-of-memory conditions in ICU. (CVE-2024-2616)

NSS susceptible to timing attack against RSA decryption. (CVE-2023-5388)

Improper handling of html and body tags enabled CSP nonce leakage. (CVE-2024-2610)

Clickjacking vulnerability could have led to a user accidentally granting permissions. (CVE-2024-2611)

Self referencing object could have potentially led to a use-after-free. (CVE-2024-2612)

Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. (CVE-2024-2614)

References:
https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html
========================

Updated packages in core/updates_testing:
========================
lib64nss3-3.99.0-1.mga9
lib64nss-devel-3.99.0-1.mga9
lib64nss-static-devel-3.99.0-1.mga9
nss-3.99.0-1.mga9
nss-doc-3.99.0-1.mga9

firefox-115.9.0-1.mga9
firefox-af-115.9.0-1.mga9
firefox-an-115.9.0-1.mga9
firefox-ar-115.9.0-1.mga9
firefox-ast-115.9.0-1.mga9
firefox-az-115.9.0-1.mga9
firefox-be-115.9.0-1.mga9
firefox-bg-115.9.0-1.mga9
firefox-bn-115.9.0-1.mga9
firefox-br-115.9.0-1.mga9
firefox-bs-115.9.0-1.mga9
firefox-ca-115.9.0-1.mga9
firefox-cs-115.9.0-1.mga9
firefox-cy-115.9.0-1.mga9
firefox-da-115.9.0-1.mga9
firefox-de-115.9.0-1.mga9
firefox-el-115.9.0-1.mga9
firefox-en_CA-115.9.0-1.mga9
firefox-en_GB-115.9.0-1.mga9
firefox-en_US-115.9.0-1.mga9
firefox-eo-115.9.0-1.mga9
firefox-es_AR-115.9.0-1.mga9
firefox-es_CL-115.9.0-1.mga9
firefox-es_ES-115.9.0-1.mga9
firefox-es_MX-115.9.0-1.mga9
firefox-et-115.9.0-1.mga9
firefox-eu-115.9.0-1.mga9
firefox-fa-115.9.0-1.mga9
firefox-ff-115.9.0-1.mga9
firefox-fi-115.9.0-1.mga9
firefox-fr-115.9.0-1.mga9
firefox-fur-115.9.0-1.mga9
firefox-fy_NL-115.9.0-1.mga9
firefox-ga_IE-115.9.0-1.mga9
firefox-gd-115.9.0-1.mga9
firefox-gl-115.9.0-1.mga9
firefox-gu_IN-115.9.0-1.mga9
firefox-he-115.9.0-1.mga9
firefox-hi_IN-115.9.0-1.mga9
firefox-hr-115.9.0-1.mga9
firefox-hsb-115.9.0-1.mga9
firefox-hu-115.9.0-1.mga9
firefox-hy_AM-115.9.0-1.mga9
firefox-ia-115.9.0-1.mga9
firefox-id-115.9.0-1.mga9
firefox-is-115.9.0-1.mga9
firefox-it-115.9.0-1.mga9
firefox-ja-115.9.0-1.mga9
firefox-ka-115.9.0-1.mga9
firefox-kab-115.9.0-1.mga9
firefox-kk-115.9.0-1.mga9
firefox-km-115.9.0-1.mga9
firefox-kn-115.9.0-1.mga9
firefox-ko-115.9.0-1.mga9
firefox-lij-115.9.0-1.mga9
firefox-lt-115.9.0-1.mga9
firefox-lv-115.9.0-1.mga9
firefox-mk-115.9.0-1.mga9
firefox-mr-115.9.0-1.mga9
firefox-ms-115.9.0-1.mga9
firefox-my-115.9.0-1.mga9
firefox-nb_NO-115.9.0-1.mga9
firefox-nl-115.9.0-1.mga9
firefox-nn_NO-115.9.0-1.mga9
firefox-oc-115.9.0-1.mga9
firefox-pa_IN-115.9.0-1.mga9
firefox-pl-115.9.0-1.mga9
firefox-pt_BR-115.9.0-1.mga9
firefox-pt_PT-115.9.0-1.mga9
firefox-ro-115.9.0-1.mga9
firefox-ru-115.9.0-1.mga9
firefox-sc-115.9.0-1.mga9
firefox-si-115.9.0-1.mga9
firefox-sk-115.9.0-1.mga9
firefox-sl-115.9.0-1.mga9
firefox-sq-115.9.0-1.mga9
firefox-sr-115.9.0-1.mga9
firefox-sv_SE-115.9.0-1.mga9
firefox-szl-115.9.0-1.mga9
firefox-ta-115.9.0-1.mga9
firefox-te-115.9.0-1.mga9
firefox-tg-115.9.0-1.mga9
firefox-th-115.9.0-1.mga9
firefox-tl-115.9.0-1.mga9
firefox-tr-115.9.0-1.mga9
firefox-uk-115.9.0-1.mga9
firefox-ur-115.9.0-1.mga9
firefox-uz-115.9.0-1.mga9
firefox-vi-115.9.0-1.mga9
firefox-xh-115.9.0-1.mga9
firefox-zh_CN-115.9.0-1.mga9
firefox-zh_TW-115.9.0-1.mga9

from SRPMS:
nss-3.99.0-1.mga9.src.rpm
firefox-115.9.0-1.mga9.src.rpm
firefox-l10n-115.9.0-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9

katnatek 2024-03-21 18:50:35 CET

Keywords: (none) => advisory

Comment 4 Jose Manuel López 2024-03-22 06:53:37 CET
Hi,

Updated in Mageia 9 Plasma x86_64, works fine for now; I have been working with this version since yesterday. Banks, YouTube, audio and video, digital certificates, OK. Spanish translation OK, settings and add-ons OK.


Greetings!

CC: (none) => joselp

Comment 5 Brian Rockwell 2024-03-22 23:26:57 CET
MGA9-32bit, Nouveau

The following 6 packages are going to be installed:

- firefox-115.9.0-1.mga9.i586
- firefox-en_CA-115.9.0-1.mga9.noarch
- firefox-en_GB-115.9.0-1.mga9.noarch
- firefox-en_US-115.9.0-1.mga9.noarch
- libnss3-3.99.0-1.mga9.i586
- nss-3.99.0-1.mga9.i586


--

restarted, browsed some pages and interactive apps - working as expected.

CC: (none) => brtians1

Comment 6 Herman Viaene 2024-03-23 12:09:59 CET
MGA9-64 Plasma Wayland on HP-Pavilion.
No installation issues.
No flaws detected.

CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2024-03-23 13:52:29 CET
MGA9-64 Plasma on HP Pavilion, A8-4555, AMD 7600G graphics, also on an i5-7500 with nvidia Quadro K620 graphics.

No installation issues, and no issues to report with either machine.

CC: (none) => andrewsfarm

Comment 8 Len Lawrence 2024-03-23 20:46:16 CET
Firefox working fine here on Mate for x64, Intel CPU and graphics.  Had to switch mirror to get it because cz.muni was out of action as second tier to coffee which TJ has already reported as down.

CC: (none) => tarazed25

Comment 9 Nicolas Salguero 2024-03-25 12:08:19 CET
Mozilla has released Firefox 115.9.1 on March 22:
https://www.mozilla.org/en-US/firefox/115.9.1/releasenotes/

Security issue fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/

Assignee: qa-bugs => nicolas.salguero
Summary: Firefox 115.9 => Firefox 115.9.1
CVE: CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2023-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614 => CVE-2024-0743, CVE-2024-2607, CVE-2024-2608, CVE-2024-2616, CVE-2023-5388, CVE-2024-2610, CVE-2024-2611, CVE-2024-2612, CVE-2024-2614, CVE-2024-29944
Keywords: advisory => (none)
Severity: major => critical

Comment 10 Thomas Andrews 2024-03-25 13:28:55 CET
And I was just about ready to let it go. Oh, well.

Comment 11 Nicolas Salguero 2024-03-26 10:14:27 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Crash in NSS TLS method. (CVE-2024-0743)

JIT code failed to save return registers on Armv7-A. (CVE-2024-2607)

Integer overflow could have led to out of bounds write. (CVE-2024-2608)

Improve handling of out-of-memory conditions in ICU. (CVE-2024-2616)

NSS susceptible to timing attack against RSA decryption. (CVE-2023-5388)

Improper handling of html and body tags enabled CSP nonce leakage. (CVE-2024-2610)

Clickjacking vulnerability could have led to a user accidentally granting permissions. (CVE-2024-2611)

Self referencing object could have potentially led to a use-after-free. (CVE-2024-2612)

Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. (CVE-2024-2614)

Privileged JavaScript Execution via Event Handlers. (CVE-2024-29944)

References:
https://www.mozilla.org/en-US/firefox/115.9.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
https://www.mozilla.org/en-US/firefox/115.9.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_99.html
========================

Updated packages in core/updates_testing:
========================
lib64nss3-3.99.0-1.mga9
lib64nss-devel-3.99.0-1.mga9
lib64nss-static-devel-3.99.0-1.mga9
nss-3.99.0-1.mga9
nss-doc-3.99.0-1.mga9

firefox-115.9.1-1.mga9
firefox-af-115.9.1-1.mga9
firefox-an-115.9.1-1.mga9
firefox-ar-115.9.1-1.mga9
firefox-ast-115.9.1-1.mga9
firefox-az-115.9.1-1.mga9
firefox-be-115.9.1-1.mga9
firefox-bg-115.9.1-1.mga9
firefox-bn-115.9.1-1.mga9
firefox-br-115.9.1-1.mga9
firefox-bs-115.9.1-1.mga9
firefox-ca-115.9.1-1.mga9
firefox-cs-115.9.1-1.mga9
firefox-cy-115.9.1-1.mga9
firefox-da-115.9.1-1.mga9
firefox-de-115.9.1-1.mga9
firefox-el-115.9.1-1.mga9
firefox-en_CA-115.9.1-1.mga9
firefox-en_GB-115.9.1-1.mga9
firefox-en_US-115.9.1-1.mga9
firefox-eo-115.9.1-1.mga9
firefox-es_AR-115.9.1-1.mga9
firefox-es_CL-115.9.1-1.mga9
firefox-es_ES-115.9.1-1.mga9
firefox-es_MX-115.9.1-1.mga9
firefox-et-115.9.1-1.mga9
firefox-eu-115.9.1-1.mga9
firefox-fa-115.9.1-1.mga9
firefox-ff-115.9.1-1.mga9
firefox-fi-115.9.1-1.mga9
firefox-fr-115.9.1-1.mga9
firefox-fur-115.9.1-1.mga9
firefox-fy_NL-115.9.1-1.mga9
firefox-ga_IE-115.9.1-1.mga9
firefox-gd-115.9.1-1.mga9
firefox-gl-115.9.1-1.mga9
firefox-gu_IN-115.9.1-1.mga9
firefox-he-115.9.1-1.mga9
firefox-hi_IN-115.9.1-1.mga9
firefox-hr-115.9.1-1.mga9
firefox-hsb-115.9.1-1.mga9
firefox-hu-115.9.1-1.mga9
firefox-hy_AM-115.9.1-1.mga9
firefox-ia-115.9.1-1.mga9
firefox-id-115.9.1-1.mga9
firefox-is-115.9.1-1.mga9
firefox-it-115.9.1-1.mga9
firefox-ja-115.9.1-1.mga9
firefox-ka-115.9.1-1.mga9
firefox-kab-115.9.1-1.mga9
firefox-kk-115.9.1-1.mga9
firefox-km-115.9.1-1.mga9
firefox-kn-115.9.1-1.mga9
firefox-ko-115.9.1-1.mga9
firefox-lij-115.9.1-1.mga9
firefox-lt-115.9.1-1.mga9
firefox-lv-115.9.1-1.mga9
firefox-mk-115.9.1-1.mga9
firefox-mr-115.9.1-1.mga9
firefox-ms-115.9.1-1.mga9
firefox-my-115.9.1-1.mga9
firefox-nb_NO-115.9.1-1.mga9
firefox-nl-115.9.1-1.mga9
firefox-nn_NO-115.9.1-1.mga9
firefox-oc-115.9.1-1.mga9
firefox-pa_IN-115.9.1-1.mga9
firefox-pl-115.9.1-1.mga9
firefox-pt_BR-115.9.1-1.mga9
firefox-pt_PT-115.9.1-1.mga9
firefox-ro-115.9.1-1.mga9
firefox-ru-115.9.1-1.mga9
firefox-sc-115.9.1-1.mga9
firefox-si-115.9.1-1.mga9
firefox-sk-115.9.1-1.mga9
firefox-sl-115.9.1-1.mga9
firefox-sq-115.9.1-1.mga9
firefox-sr-115.9.1-1.mga9
firefox-sv_SE-115.9.1-1.mga9
firefox-szl-115.9.1-1.mga9
firefox-ta-115.9.1-1.mga9
firefox-te-115.9.1-1.mga9
firefox-tg-115.9.1-1.mga9
firefox-th-115.9.1-1.mga9
firefox-tl-115.9.1-1.mga9
firefox-tr-115.9.1-1.mga9
firefox-uk-115.9.1-1.mga9
firefox-ur-115.9.1-1.mga9
firefox-uz-115.9.1-1.mga9
firefox-vi-115.9.1-1.mga9
firefox-xh-115.9.1-1.mga9
firefox-zh_CN-115.9.1-1.mga9
firefox-zh_TW-115.9.1-1.mga9

from SRPMS:
nss-3.99.0-1.mga9.src.rpm
firefox-115.9.1-1.mga9.src.rpm
firefox-l10n-115.9.1-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs

katnatek 2024-03-26 17:53:40 CET

Keywords: (none) => advisory

Comment 12 Thomas Andrews 2024-03-26 18:13:02 CET
Still good on the hardware from Comment 7.

Comment 13 katnatek 2024-03-26 18:28:25 CET
VM mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date


installing firefox-en_CA-115.9.1-1.mga9.noarch.rpm firefox-en_US-115.9.1-1.mga9.noarch.rpm firefox-es_ES-115.9.1-1.mga9.noarch.rpm firefox-en_GB-115.9.1-1.mga9.noarch.rpm firefox-es_MX-115.9.1-1.mga9.noarch.rpm firefox-115.9.1-1.mga9.x86_64.rpm lib64nss3-3.99.0-1.mga9.x86_64.rpm nss-3.99.0-1.mga9.x86_64.rpm firefox-es_CL-115.9.1-1.mga9.noarch.rpm firefox-es_AR-115.9.1-1.mga9.noarch.rpm from //home/qateam/qa-testing/x86_64
Preparing...                     ###########################################################################################
     1/10: nss                   ###########################################################################################
     2/10: lib64nss3             ###########################################################################################
     3/10: firefox               ###########################################################################################
     4/10: firefox-en_CA         ###########################################################################################
     5/10: firefox-en_US         ###########################################################################################
     6/10: firefox-es_ES         ###########################################################################################
     7/10: firefox-en_GB         ###########################################################################################
     8/10: firefox-es_MX         ###########################################################################################
     9/10: firefox-es_CL         ###########################################################################################
    10/10: firefox-es_AR         ###########################################################################################
     1/10: removing firefox-es_AR-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     2/10: removing firefox-es_CL-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     3/10: removing firefox-es_MX-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     4/10: removing firefox-en_GB-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     5/10: removing firefox-es_ES-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     6/10: removing firefox-en_US-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     7/10: removing firefox-0:115.8.0-1.mga9.x86_64
                                 ###########################################################################################
     8/10: removing firefox-en_CA-115.8.0-1.mga9.noarch
                                 ###########################################################################################
     9/10: removing lib64nss3-2:3.98.0-1.mga9.x86_64
                                 ###########################################################################################
    10/10: removing nss-2:3.98.0-1.mga9.x86_64
                                 ###########################################################################################

Updated without issues
Test browsed my usual sites, no issues
OK

Comment 14 Morgan Leijström 2024-03-27 12:08:15 CET
OK for me, same tests as for the previous version

Whiteboard: (none) => MGA9-64-OK

Comment 15 Thomas Andrews 2024-03-27 14:59:28 CET
I used this this morning on an HP Probook 6550b, again with no issues.

Time to let it go. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2024-03-27 20:25:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0092.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

