If this is ready for qa testing, i586 testing complete for the srpm packages
firefox-l10n-8.0.1-0.1.mga1.src.rpm
firefox-8.0.1-0.3.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm

Usual browser tests (java/flash etc.), plus confirming
https://utmshare.utm.my now shows an invalid signature
on the certificate.

For the esteid extension, just confirming the Estonian
Card PKCS11 extension is not disabled.

No, it's not ready, needs to be resubmitted with a fix to not automatically disable our language packs (and maybe other systemwide installed addons).

Ok.  I'll retest when it is ready.  Thanks for the update.

For reference, Dave, are you using any language pack? Upgrading from 7.0.1 to 8/8.0.1 did you have a dialog before the next start of firefox about the addons?

/note to self:

For reproduction purposes of the auto-disabling of addons after upgrade to firefox 8, this is how to safely trigger that event, if it would not be fixed properly:

1. If some firefox 8 version is already installed, remove it (f.ex. via
urpme -a firefox)

2. urpmi firefox-xx-7.0.1 --auto --noclean (replace xx by your language code, i.e. "de" for german language pack)

3. run firefox, check by entering "about:config" in adress bar for the existence of those preferences:
"extensions.autoDisableScopes"
"extensions.shownSelectionUI"
they should not be there with firefox < 8. If they are, please report this here.
QUIT firefox!

4. install latest firefox update candidate and language pack:
urpmi firefox-xx-8.0.1  --auto --noclean (replace xx by your language code, i.e. "de" for german language pack)

5. run firefox, check there is no "disabling addon selection dialog" before firefox main window opens (this does not mean the default "checking for updates for addons dialog which you see for every firefox update) and check that no addons have been disabled, especially not the language packs
You should now have above mentioned preferences, and the proper values, check via "about:config":
"extensions.autoDisableScopes, 0"
"extensions.shownSelectionUI, true"

I just repeated the test using a clean install.

Installed firefox 7, and all ext in our repositories (using core release
and updates, not updates testing).

firefox-ext-mozvoikko-1.10.0-1.2.mga1 could not be installed, as it's still
only setup for firefox 6.

After enabling core updates testing as an update repository, used mgaapplet
to update to firefox 8.

I was given the option to disable all addons, a screen which is new with
firefox 8.  I selected keep for all items.  The following are disabled,
and marked as "will enable when compatible" after firefox starts.
Adblock plus
Bugzilla tweaks
Download statusbar
Grease monkey

Note that after the experience with firefox 7, qa will not wait for the
addons in the repositories to be updated, before validating the firefox
update, especially as the above updates can all be updated by the user
within firefox.

The language pack I use (en_GB) was in the list of addons that would
have been disabled, if I didn't select to keep it.

(In reply to comment #6)
> Note that after the experience with firefox 7, qa will not wait for the
> addons in the repositories to be updated, before validating the firefox
> update, especially as the above updates can all be updated by the user
> within firefox.
> 
Yep go for that. (And it was the same for firefox 7)

seems for mga2 we can remove all firefox-ext-*...

(In reply to comment #6)
> 
> I was given the option to disable all addons, a screen which is new with
> firefox 8.  I selected keep for all items.  The following are disabled,
> and marked as "will enable when compatible" after firefox starts.
> Adblock plus
> Bugzilla tweaks
> Download statusbar
> Grease monkey
[...]
> 
> The language pack I use (en_GB) was in the list of addons that would
> have been disabled, if I didn't select to keep it.

Thanks for reproducing, that is exactly the new "feature" from firefox 8 that we have to fix, this should be properly fixed in coming firefox-8.0.1-0.4.mga1.

Testing complete on i586 for firefox 8.0.1-0.4.

In addition to normal browser testing, the startup screen defaulting
to disabling all addons no longer appears, and the language pack is retained.

The list of srpms now is
firefox-8.0.1-0.4.mga1.src.rpm
firefox-8.0.1-0.3.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm

Sorry, messed up the copy/paste.  The list of srpms is

firefox-8.0.1-0.4.mga1.src.rpm
firefox-l10n-8.0.1-0.1.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm

Just noticed this still hasn't been assigned to qa.  Is it ready to
assign?

now it is.

Assignee: dmorganec => qa-bugs

We still need x86-64 testing for firefox 8.0.1.

In addition to normal browser tests, confirm the language
pack does not get disabled by the update.

I just finish test this on x86_64 Mageia1 installation, and find no problem with language pack disable after update.

CC: (none) => pham182b

Can someone from the sysadmin team push the srpms
firefox-8.0.1-0.4.mga1.src.rpm
firefox-l10n-8.0.1-0.1.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm
from Core Updates Testing to Core Updates

Advisory:  This security update for firefox corrects the following:

CVE-2011-3640

Untrusted search path vulnerability in Mozilla Network Security
Services (NSS) might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory.

CVE-2011-3648

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding.

CVE-2011-3650

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug.

CVE-2011-3651

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.

CVE-2011-3652

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors.

CVE-2011-3654

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.

CVE-2011-3655

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site.

https://bugs.mageia.org/show_bug.cgi?id=3335

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED