Bug 33713 - Firefox 128.4
Summary: Firefox 128.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK,MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33714
Reported: 2024-11-04 10:59 CET by Nicolas Salguero
Modified: 2024-11-09 06:18 CET

See Also:
Source RPM: nspr, nss, firefox, firefox-l10n, rust
CVE: CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, CVE-2024-10467
Status comment:


Description Nicolas Salguero 2024-11-04 10:59:57 CET
Mozilla has released Firefox 128.4 on October 29:
https://www.mozilla.org/en-US/firefox/128.4.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-56/

Mozilla has released NSS 3.106 on October 24:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_106.html#mozilla-projects-nss-nss-3-106-release-notes

NSS 3.106 needs NSPR 4.36.
Nicolas Salguero 2024-11-04 11:01:59 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => nspr, nss, firefox, firefox-l10n
CVE: (none) => CVE-2024-10458, CVE-2024-10459, CVE-2024-10460, CVE-2024-10461, CVE-2024-10462, CVE-2024-10463, CVE-2024-10464, CVE-2024-10465, CVE-2024-10466, CVE-2024-10467

Nicolas Salguero 2024-11-04 11:05:04 CET

Blocks: (none) => 33714

Comment 1 Lewis Smith 2024-11-04 20:46:16 CET
Assigning back to you, Nicolas, for Firefox.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-11-05 09:59:51 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Permission leak via embed or object elements. (CVE-2024-10458)

Use-after-free in layout with accessibility. (CVE-2024-10459)

Confusing display of origin for external protocol handler prompt. (CVE-2024-10460)

XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response. (CVE-2024-10461)

Origin of permission prompt could be spoofed by long URL. (CVE-2024-10462)

Cross origin video frame leak. (CVE-2024-10463)

History interface could have been used to cause a Denial of Service condition in the browser. (CVE-2024-10464)

Clipboard "paste" button persisted across tabs. (CVE-2024-10465)

DOM push subscription message could hang Firefox. (CVE-2024-10466)

Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4. (CVE-2024-10467)

References:
https://www.mozilla.org/en-US/firefox/128.4.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-56/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_106.html#mozilla-projects-nss-nss-3-106-release-notes
========================

Updated packages in core/updates_testing:
========================
lib(64)nspr4-4.36-1.mga9
lib(64)nspr-devel-4.36-1.mga9

lib(64)nss3-3.106.0-1.mga9
lib(64)nss-devel-3.106.0-1.mga9
lib(64)nss-static-devel-3.106.0-1.mga9
nss-3.106.0-1.mga9
nss-doc-3.106.0-1.mga9

firefox-128.4.0-1.mga9
firefox-af-128.4.0-1.mga9
firefox-an-128.4.0-1.mga9
firefox-ar-128.4.0-1.mga9
firefox-ast-128.4.0-1.mga9
firefox-az-128.4.0-1.mga9
firefox-be-128.4.0-1.mga9
firefox-bg-128.4.0-1.mga9
firefox-bn-128.4.0-1.mga9
firefox-br-128.4.0-1.mga9
firefox-bs-128.4.0-1.mga9
firefox-ca-128.4.0-1.mga9
firefox-cs-128.4.0-1.mga9
firefox-cy-128.4.0-1.mga9
firefox-da-128.4.0-1.mga9
firefox-de-128.4.0-1.mga9
firefox-el-128.4.0-1.mga9
firefox-en_CA-128.4.0-1.mga9
firefox-en_GB-128.4.0-1.mga9
firefox-en_US-128.4.0-1.mga9
firefox-eo-128.4.0-1.mga9
firefox-es_AR-128.4.0-1.mga9
firefox-es_CL-128.4.0-1.mga9
firefox-es_ES-128.4.0-1.mga9
firefox-es_MX-128.4.0-1.mga9
firefox-et-128.4.0-1.mga9
firefox-eu-128.4.0-1.mga9
firefox-fa-128.4.0-1.mga9
firefox-ff-128.4.0-1.mga9
firefox-fi-128.4.0-1.mga9
firefox-fr-128.4.0-1.mga9
firefox-fur-128.4.0-1.mga9
firefox-fy_NL-128.4.0-1.mga9
firefox-ga_IE-128.4.0-1.mga9
firefox-gd-128.4.0-1.mga9
firefox-gl-128.4.0-1.mga9
firefox-gu_IN-128.4.0-1.mga9
firefox-he-128.4.0-1.mga9
firefox-hi_IN-128.4.0-1.mga9
firefox-hr-128.4.0-1.mga9
firefox-hsb-128.4.0-1.mga9
firefox-hu-128.4.0-1.mga9
firefox-hy_AM-128.4.0-1.mga9
firefox-ia-128.4.0-1.mga9
firefox-id-128.4.0-1.mga9
firefox-is-128.4.0-1.mga9
firefox-it-128.4.0-1.mga9
firefox-ja-128.4.0-1.mga9
firefox-ka-128.4.0-1.mga9
firefox-kab-128.4.0-1.mga9
firefox-kk-128.4.0-1.mga9
firefox-km-128.4.0-1.mga9
firefox-kn-128.4.0-1.mga9
firefox-ko-128.4.0-1.mga9
firefox-lij-128.4.0-1.mga9
firefox-lt-128.4.0-1.mga9
firefox-lv-128.4.0-1.mga9
firefox-mk-128.4.0-1.mga9
firefox-mr-128.4.0-1.mga9
firefox-ms-128.4.0-1.mga9
firefox-my-128.4.0-1.mga9
firefox-nb_NO-128.4.0-1.mga9
firefox-nl-128.4.0-1.mga9
firefox-nn_NO-128.4.0-1.mga9
firefox-oc-128.4.0-1.mga9
firefox-pa_IN-128.4.0-1.mga9
firefox-pl-128.4.0-1.mga9
firefox-pt_BR-128.4.0-1.mga9
firefox-pt_PT-128.4.0-1.mga9
firefox-ro-128.4.0-1.mga9
firefox-ru-128.4.0-1.mga9
firefox-sc-128.4.0-1.mga9
firefox-si-128.4.0-1.mga9
firefox-sk-128.4.0-1.mga9
firefox-sl-128.4.0-1.mga9
firefox-sq-128.4.0-1.mga9
firefox-sr-128.4.0-1.mga9
firefox-sv_SE-128.4.0-1.mga9
firefox-szl-128.4.0-1.mga9
firefox-ta-128.4.0-1.mga9
firefox-te-128.4.0-1.mga9
firefox-tg-128.4.0-1.mga9
firefox-th-128.4.0-1.mga9
firefox-tl-128.4.0-1.mga9
firefox-tr-128.4.0-1.mga9
firefox-uk-128.4.0-1.mga9
firefox-ur-128.4.0-1.mga9
firefox-uz-128.4.0-1.mga9
firefox-vi-128.4.0-1.mga9
firefox-xh-128.4.0-1.mga9
firefox-zh_CN-128.4.0-1.mga9
firefox-zh_TW-128.4.0-1.mga9

cargo-1.76.0-3.mga9
clippy-1.76.0-3.mga9
rust-1.76.0-3.mga9
rust-analyzer-1.76.0-3.mga9
rust-debugger-common-1.76.0-3.mga9
rust-doc-1.76.0-3.mga9
rust-gdb-1.76.0-3.mga9
rust-lldb-1.76.0-3.mga9
rust-src-1.76.0-3.mga9
rust-std-static-1.76.0-3.mga9
rust-std-static-i686-pc-windows-gnu-1.76.0-3.mga9
rust-std-static-wasm32-unknown-unknown-1.76.0-3.mga9
rust-std-static-wasm32-wasi-1.76.0-3.mga9
rust-std-static-x86_64-pc-windows-gnu-1.76.0-3.mga9
rust-std-static-x86_64-unknown-none-1.76.0-3.mga9
rust-std-static-x86_64-unknown-uefi-1.76.0-3.mga9
rustfmt-1.76.0-3.mga9

from SRPMS:
nspr-4.36-1.mga9.src.rpm
nss-3.106.0-1.mga9.src.rpm
firefox-128.4.0-1.mga9.src.rpm
firefox-l10n-128.4.0-1.mga9.src.rpm
rust-1.76.0-3.mga9.src.rpm

Version: Cauldron => 9
Status: NEW => ASSIGNED
Source RPM: nspr, nss, firefox, firefox-l10n => nspr, nss, firefox, firefox-l10n, rust
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)

katnatek 2024-11-05 17:52:38 CET

Keywords: (none) => advisory

Comment 3 Morgan Leijström 2024-11-05 19:05:04 CET
mga9-64 OK
Plasma, Intel CPU, AMD GPU

Updated now to:
- firefox-128.4.0-1.mga9.x86_64
- firefox-sv_SE-128.4.0-1.mga9.noarch
- lib64nspr4-4.36-1.mga9.x86_64
- lib64nss3-3.106.0-1.mga9.x86_64
- nss-3.106.0-1.mga9.x86_64

Closed FF, updated, start again.
Actually rebooted because I also try new mesa (no bug number)

Help -> About says "128.4.0esr (64-bitars)", and "mageia - 9.0"

Restored previous tabs, settings kept, localisation OK.
Used banking sites, tax office, shops, video sites, saved file, opened and viewed pdf.
Printed a receipt pages from within Paypal to network printer.

CC: (none) => fri

Comment 4 Brian Rockwell 2024-11-05 19:06:20 CET
MGA9-64, Plasma, Ryzen 3015i APU

The following 7 packages are going to be installed:

- firefox-128.4.0-1.mga9.x86_64
- firefox-en_CA-128.4.0-1.mga9.noarch
- firefox-en_GB-128.4.0-1.mga9.noarch
- firefox-en_US-128.4.0-1.mga9.noarch
- lib64nspr4-4.36-1.mga9.x86_64
- lib64nss3-3.106.0-1.mga9.x86_64
- nss-3.106.0-1.mga9.x86_64

175KB of additional disk space will be used.

---

using it for a while - working as expected

CC: (none) => brtians1

Comment 5 Thomas Andrews 2024-11-06 22:16:41 CET
MGA9-64 Plasma. 

The following 6 packages are going to be installed:

- firefox-128.4.0-1.mga9.x86_64
- firefox-en_US-128.4.0-1.mga9.noarch
- lib64archive13-3.6.2-5.2.mga9.x86_64
- lib64nspr4-4.36-1.mga9.x86_64
- lib64nss3-3.106.0-1.mga9.x86_64
- nss-3.106.0-1.mga9.x86_64

Put it through a few paces, no issues to report.

CC: (none) => andrewsfarm

Comment 6 Morgan Leijström 2024-11-06 23:08:29 CET
mga9-32 OK

Used to browse some sites, listen to pod, checking bugzilla :)

[ettan@localhost ~]$ inxi -SMCG
System:
  Host: localhost Kernel: 6.6.58-desktop-2.mga9 arch: i686 bits: 32
    Desktop: LXDE v: 0.10.2.r1 Distro: Mageia 9
Machine:
  Type: Laptop System: IBM product: 2668R1G v: ThinkPad T43
    serial: <superuser required>
  Mobo: IBM model: 2668R1G serial: <superuser required> BIOS: IBM
    v: 1YET62WW (1.27 ) date: 05/18/2006
CPU:
  Info: single core model: Intel Pentium M bits: 32 cache: 2 MiB note: check
  Speed (MHz): 800 min/max: 800/1866 core: 1: 800
Graphics:
  Device-1: AMD RV370/M22 [Mobility Radeon X300] driver: radeon v: kernel
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 22.1.9 driver: X:
    loaded: radeon,v4l dri: r300 gpu: radeon resolution: 1024x768~60Hz
  API: OpenGL v: 2.1 Mesa 24.2.6 renderer: ATI RV370
Comment 7 Thomas Andrews 2024-11-06 23:40:21 CET
Note to QA: 

As explained in bug 33522 comment 12, the rust packages have already received sufficient testing by being used to build Firefox.
Comment 8 Morgan Leijström 2024-11-07 01:02:08 CET
Also in use by my wife on her laptop for some hours, and I have used it some hours on some laptops total many sites.

I guess we can send it on.
Comment 9 Jose Manuel López 2024-11-07 12:37:14 CET
Installed in Mga x64 Intel I5 with X11.

Works fine for me, I have been working with this version since day 7.

Addons ok.
Translation ok.
Settings ok.
Sync ok.
Digital certificates ok.
Banks ok.
Audio and video ok.
Youtube and social networks ok.
Print ok.

Launched from terminal:

[jose@localhost ~]$ LC_ALL=C firefox
ATTENTION: default value of option mesa_glthread overridden by environment.
[Parent 772551, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/firefox-128.3.1/toolkit/xre/nsSigHandlers.cpp:187

(firefox:772551): GLib-GIO-WARNING **: 12:36:07.228: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.


Greetings!

CC: (none) => Joselp

Comment 10 Brian Rockwell 2024-11-07 19:49:51 CET
MGA9-64, Xfce

working as expected.
Comment 11 Brian Rockwell 2024-11-07 21:13:01 CET
MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

The following 7 packages are going to be installed:

- firefox-128.4.0-1.mga9.i586
- firefox-en_CA-128.4.0-1.mga9.noarch
- firefox-en_GB-128.4.0-1.mga9.noarch
- firefox-en_US-128.4.0-1.mga9.noarch
- libnspr4-4.36-1.mga9.i586
- libnss3-3.106.0-1.mga9.i586
- nss-3.106.0-1.mga9.i586

244KB of additional disk space will be used.

---rebooted

spending time using firefox, etc.  - working
Comment 12 Guillaume Royer 2024-11-08 18:23:24 CET
MGA9 64 GNOME Core I5 16Go RAM

Updated with RPM: 

firefox                        128.4.0      1.mga9        x86_64  
firefox-fr                     128.4.0      1.mga9        noarch  
lib64nspr4                     4.36         1.mga9        x86_64  
lib64nss3                      3.106.0      1.mga9        x86_64  
nss                            3.106.0      1.mga9        x86_64  

No issues after installation:

Netflix OK
Bank Site OK
Element Matrix client OK
Audio OK

CC: (none) => guillaume.royer

Comment 13 Len Lawrence 2024-11-08 20:09:00 CET
Mageia9, x86_64

At first left out the i686, wasm32 and pc-windows-gnu entries, assuming them to be irrelevant but added them later via qarepo/drakrpm-edit which hauled in all the mingw stuff and, it appears, the ones deliberately omitted.

These are the packages installed:

$ rpm -qa | grep 1.76.0
rust-std-static-1.76.0-3.mga9
rust-1.76.0-3.mga9
cargo-1.76.0-3.mga9
rust-debugger-common-1.76.0-3.mga9
rust-src-1.76.0-3.mga9
rust-analyzer-1.76.0-3.mga9
rust-gdb-1.76.0-3.mga9
rust-lldb-1.76.0-3.mga9
rustfmt-1.76.0-3.mga9
clippy-1.76.0-3.mga9
rust-std-static-x86_64-unknown-none-1.76.0-3.mga9
rust-std-static-x86_64-unknown-uefi-1.76.0-3.mga9
rust-doc-1.76.0-3.mga9

$ rpm -qa | grep 128.4.0
firefox-en_GB-128.4.0-1.mga9
firefox-128.4.0-1.mga9

$ rpm -qa | grep lib64nss
lib64nss-mdns2-0.15.1-2.mga9
lib64nss3-3.106.0-1.mga9
lib64nss-devel-3.106.0-1.mga9
lib64nss-static-devel-3.106.0-1.mga9
$ rpm -qa | grep nspr
lib64nspr4-4.36-1.mga9
lib64nspr-devel-4.36-1.mga9

$ rpm -qa | grep rust-std-static
rust-std-static-1.76.0-3.mga9
rust-std-static-x86_64-unknown-none-1.76.0-3.mga9
rust-std-static-x86_64-unknown-uefi-1.76.0-3.mga9
rust-std-static-i686-pc-windows-gnu-1.76.0-3.mga9
rust-std-static-x86_64-pc-windows-gnu-1.76.0-3.mga9
rust-std-static-wasm32-unknown-unknown-1.76.0-3.mga9
rust-std-static-wasm32-wasi-1.76.0-3.mga9

Firefox restarted OK with all bookmarks in place.  Logged into banking site and
checked balances.  Tried Youtube - sound and video OK.  APOD looks good.  Played Quordle online.  Used the commandline to launch a magazine PDF in the browser and read it, page by page.
$ firefox file:AN_2024_September.pdf
Posting this on the new madb site.  Looks fine from here.

CC: (none) => tarazed25

Comment 14 katnatek 2024-11-08 21:45:57 CET
Good set of tests, and we need rust packages for new chromium-browser

Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK

Comment 15 Thomas Andrews 2024-11-09 02:07:42 CET
Agreed. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2024-11-09 06:18:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0349.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
