Mandriva issued this advisory on February 3:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:006
It fixes several CVEs, listed in another advisory:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:013
It also updates some packages that we need to follow suit with to allow upgrades from MDV 2010.2, and rebuilds some that we may need to as well.
Needed updates:
libvpx 0.9.6-4.mga1 0.9.7-0.1mdv2010.2
python-cython 0.14.1-1.mga1 0.15-0.1mdv2010.2
Might need rebuilt:
networkmanager (including -applet, -openvpn, -pptp, and -vpnc)
libproxy
sqlite3
yasm
Just as an addendum, updated Mandriva advisory today (February 5):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:007
"This is a maintenance and bugfix release for firefox 10.0 which utilizes better compilation optimizations. Additionally a few more language packs has been added."
If we choose to go with ESR release and Mandriva will continue with standard release, then what we'll do? Assigning to package maintainer.
CC: (none) => sander.lepik
Hardware: i586 => All
Assignee: bugsquad => dmorganec
That's a good question Sander. Someone should check with Mandriva and see what they are planning to do with this. I'm actually surprised they are still updating FF for 2010.2, since it is technically supposed to be EOL for desktop support at this point. I think the decision reached on mageia-dev was to stick with the ESR/LTS release, so if MDV keeps updating the 2010.2 version past FF10, we might need to use an epoch.
Another update for Mandriva's Firefox 10 today (February 9):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:014
"This is a maintenance and bugfix release for firefox 10.0 which utilizes slightly better compilation optimizations and fixes a problem with an empty printer list on Mandriva Linux 2011 (#65237)."
*** Bug 4452 has been marked as a duplicate of this bug. ***
CC: (none) => dmorganec
(In reply to comment #2)
> If we choose to go with ESR release and Mandriva will continue with standard
> release, then what we'll do?
>
> Assigning to package maintainer.
We don't care what Mandriva does. We will (for now) follow ESR.
(In reply to comment #0)
> Mandriva issued this advisory on February 3:
> http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:006
>
> It fixes several CVEs, listed in another advisory:
> http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:013
>
> It also updates some packages that we need to follow suit with to allow
> upgrades from MDV 2010.2, and rebuilds some that we may need to as well.
>
> Needed updates:
> libvpx 0.9.6-4.mga1 0.9.7-0.1mdv2010.2
> python-cython 0.14.1-1.mga1 0.15-0.1mdv2010.2
>
> Might need rebuilt:
> networkmanager (including -applet, -openvpn, -pptp, and -vpnc)
> libproxy
> sqlite3
> yasm
not at all :(
why python-cython? why rebuild sqlite3 yasm nm? this is not needed afaik
src.rpm:
xulrunner
libvpx
firefox
Rebuild against new FF:
perl-Gtk2-MozEmbed
gnome-python-extras
gjs
eclipse
Some do not build (gjs and gnome-python-extras) for now.
src.rpm:
+ firefox-l10n
At the very least we need to update python-cython because it now has a newer version in MDV 2010.2 which breaks upgrades. Why that was done as a part of this update, I don't know, but for Mageia 1 we have to deal with this sort of thing. As far as why the other packages were rebuilt, I don't know. If you think they don't need rebuilt, that's fine. As far as Firefox itself goes, in the future, if MDV upgrades the 2010.2 version to 11 or newer (which I doubt they will, but just saying if), we'll have to deal with it somehow. We could use an epoch and just stick with FF10 ESR, which would be just fine IMO.
python-cython has been updated for this update then
there is now firefox 10.0.1 in testing
Just to clarify, we have to test firefox + language packs, which also tests xulrunner. libvpx-utils and python-cython. Am I missing anything?
CC: (none) => davidwhodgins
I rebuilt some packages, see: https://wiki.mageia.org/en/Updates/Firefox
gjs and gnome-python-extras do not rebuild yet
Testing complete on i586 for the srpms
firefox-10.0.1-0.1.mga1.src.rpm
xulrunner-10.0.1-0.1.mga1.src.rpm
As usual, testing with flash and java sites, and some general browsing.
I'll look for testing procedures for libvpx-utils, python-cython, gjs, and gnome-python-extras.
After looking more into libvpx, I think it's sufficient to test that firefox can play a webm/vp8 video, such as http://devfiles.myopera.com/articles/1891/sunflower-webm.html Note that the video does not have an audio track. I consider testing of the srpm libvpx-0.9.7-1.1.mga1.src.rpm complete on i586.
For testing python-cython, I used the hello world example from http://docs.cython.org/src/userguide/tutorial.html Testing on i586 complete for the srpm python-cython-0.15.1-0.1.mga1.src.rpm
When gjs is ready for testing, as per
http://townx.org/blog/elliot/introduction-sorts-javascript-desktop-application-development-gjs-and-clutter
Testing will simply consist of
$ gjs
gjs > 1+1
2
gjs > ctrl+d to exit
Assignee: dmorganec => qa-bugs
When gnome-python-extras is ready for testing, I'll be testing that gajim continues to work.
Testing on i586 complete for the srpm
eclipse-3.6.2-12.3.mga1.src.rpm
Testing that eclipse can open pages in firefox.
Started eclipse, click on workbench basics, firefox opens showing the workbench user guide.
(In reply to comment #20)
> Testing on i586 complete for the srpm
> eclipse-3.6.2-12.3.mga1.src.rpm
>
> Testing that eclipse can open pages in firefox.
>
> Started eclipse, click on workbench basics, firefox
> opens showing the workbench user guide.
Not that it's a huge deal, but testing that Eclipse can open a page externally in Firefox doesn't really test what effect rebuilding Eclipse against xulrunner has. I think the only way to test that is by testing a Java/SWT program that uses the Browser widget (where it basically uses Gecko internally in a program).
A simple Snippet such as the following should suffice:
http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/examples/org.eclipse.swt.snippets/src/org/eclipse/swt/snippets/Snippet148.java
Instructions for running SWT snippets are on the Snippets page:
http://www.eclipse.org/swt/snippets/
(In reply to comment #21)
> Not that it's a huge deal, but testing that Eclipse can open a page externally
> in Firefox doesn't really test what effect rebuilding Eclipse against xulrunner
> has. I think the only way to test that is by testing a Java/SWT program that
> uses the Browser widget (where it basically uses Gecko internally in a
> program).
>
> A simple Snippet such as the following should suffice:
> http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/examples/org.eclipse.swt.snippets/src/org/eclipse/swt/snippets/Snippet148.java
>
> Instructions for running SWT snippets are on the Snippets page:
> http://www.eclipse.org/swt/snippets/
Looking at the snippet, all it's doing is checking to see if the browser is available, and, if so, if it's open, which displaying the workbench guide does as well. Note that it doesn't just open an external page, it starts a web server on a random port and opens pages from that webserver in firefox. Given that, I think that is sufficient testing for a firefox related update.
(In reply to comment #22)
> (In reply to comment #21)
> > Not that it's a huge deal, but testing that Eclipse can open a page externally
> > in Firefox doesn't really test what effect rebuilding Eclipse against xulrunner
> > has. I think the only way to test that is by testing a Java/SWT program that
> > uses the Browser widget (where it basically uses Gecko internally in a
> > program).
> >
> > A simple Snippet such as the following should suffice:
> > http://git.eclipse.org/c/platform/eclipse.platform.swt.git/tree/examples/org.eclipse.swt.snippets/src/org/eclipse/swt/snippets/Snippet148.java
> >
> > Instructions for running SWT snippets are on the Snippets page:
> > http://www.eclipse.org/swt/snippets/
>
> Looking at the snippet, all it's doing is checking to see if the browser
> is available, and, if so, if it's open, which displaying the workbench
> guide does as well. Note that it doesn't just open an external page,
> it starts a web server on a random port and opens pages from that webserver
> in firefox. Given that, I think that is sufficient testing for a firefox
> related update.
No, the snippet does not use Firefox at all. It does not start a web server. It just is a simple Java app that opens a window (Shell in SWT) that displays the page www.eclipse.org in the window. Internally, it uses xulrunner to do this. If the linking to xulrunner is broken, there will be a Java exception.
Using features that open pages in Firefox, be it help pages or Javadocs, does not use xulrunner or test that the rebuild didn't break anything.
Testing complete for the srpm firefox-10.0.1-0.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64, works fine for me and nothing to report.
Tested linked srpms:
- xulrunner-10.0.1-0.1.mga1.src.rpm
- libvpx-0.9.7-1.1.mga1.src.rpm
- firefox-l10n-10.0.1-0.1.mga1.src.rpm
CC: (none) => geiger.david68210
Blocks: (none) => 3177
Mandriva has issued a new advisory for Firefox today (February 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:017
There is a new CVE fixed in 10.0.1 (which dmorgan has built), so we can add it to the advisory. Do the maintainers of Thunderbird and Seamonkey know about this?
"Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding (CVE-2012-0452)."
(In reply to comment #23)
> No, the snippet does not use Firefox at all. It does not start a web server.
> It just is a simple Java app that opens a window (Shell in SWT) that displays
> the page www.eclipse.org in the window. Internally, it uses xulrunner to do
> this. If the linking to xulrunner is broken, there will be a Java exception.
I went through the tutorial to build and run a java SWT HelloWorld application without any problems, so it looks ok.
(In reply to comment #25)
Does that mean another update is being built, or just that the cve is fixed in the current version. I.E. 10.0.1-0.1?
If the latter, then I think the only things holding up this update are gjs and gnome-python-extras.
(In reply to comment #26)
> (In reply to comment #23)
> > No, the snippet does not use Firefox at all. It does not start a web server.
> > It just is a simple Java app that opens a window (Shell in SWT) that displays
> > the page www.eclipse.org in the window. Internally, it uses xulrunner to do
> > this. If the linking to xulrunner is broken, there will be a Java exception.
>
> I went through the tutorial to build and run a java SWT HelloWorld application
> without any problems, so it looks ok.
A HelloWorld application doesn't test what is needed. It needs to be an SWT program that uses the Browser widget, like the one I linked in Comment 21.
> (In reply to comment #25)
>
> Does that mean another update is being built, or just that the cve is fixed
> in the current version. I.E. 10.0.1-0.1?
>
> If the latter, then I think the only things holding up this update are
> gjs and gnome-python-extras.
The CVE is fixed in Firefox 10.0.1 which has already been built. I hadn't noticed the %release tag though, so I'm glad you pointed that out. We aren't supposed to use 0 as a release number. I believe that's to ensure our version is newer than MDV:
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
I finally managed to get the snippet to run. I was surprised to see that the webpage opens without any toolbar, etc. Part of what took me so long, is that when it says select the project, and then paste, it's literally that. Not creating a new class, etc.
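The ordering questions raised in the comments above (MDV 2010.2 packages outranking Mageia 1 ones, the rule against release 0, and the epoch fallback) can be checked mechanically. The following is an added example, not part of the bug report or of Mageia's tooling: a simplified Python reimplementation of RPM's epoch:version-release comparison, run on package versions quoted in this report. The Firefox builds marked as constructed are hypothetical inputs, and the comparison assumes classic rpmvercmp rules without tilde or caret handling.

```python
"""Simplified RPM EVR comparison (assumption: classic rpmvercmp rules only,
no '~' or '^' handling), applied to versions quoted in this bug report."""
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings; return -1, 0 or 1."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over wins.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr  # a missing epoch counts as 0
    version, dash, release = rest.rpartition("-")
    if not dash:
        version, release = rest, ""
    return int(epoch), version, release


def compare_evr(a, b):
    """Epoch decides first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def upgrade_blockers(ours, theirs):
    """Names whose package in `ours` would not replace the one in `theirs`."""
    return sorted(
        name for name, evr in theirs.items()
        if name in ours and compare_evr(ours[name], evr) <= 0
    )


# Versions as quoted in this report.
MDV_2010_2 = {
    "libvpx": "0.9.7-0.1mdv2010.2",
    "python-cython": "0.15-0.1mdv2010.2",
    "nspr": "4.9.0-0.1mdv2010.2",
    "nss": "3.13.4-0.1mdv2010.2",
}
MGA1_BEFORE = {"libvpx": "0.9.6-4.mga1", "python-cython": "0.14.1-1.mga1"}
MGA1_UPDATE = {
    "libvpx": "0.9.7-1.1.mga1",
    "python-cython": "0.15.1-0.1.mga1",
    "nspr": "4.9.0-1.mga1",
    "nss": "3.13.4-1.mga1",
}

# Constructed inputs (not from the report): a Mandriva rebuild that bumps
# only its sub-release, and a Mandriva Firefox 11 build.
MDV_SUBREL_BUMP = "10.0.2-0.2mdv2010.2"
MDV_FIREFOX_11 = "11.0-0.1mdv2010.2"

if __name__ == "__main__":
    print("blockers before update:", upgrade_blockers(MGA1_BEFORE, MDV_2010_2))
    print("blockers after update: ", upgrade_blockers(MGA1_UPDATE, MDV_2010_2))
    # Release 0 loses to a later Mandriva sub-release; release 1 does not.
    print("0.1.mga1 vs bump:", compare_evr("10.0.2-0.1.mga1", MDV_SUBREL_BUMP))
    print("1.mga1 vs bump:  ", compare_evr("10.0.2-1.mga1", MDV_SUBREL_BUMP))
    # Staying on 10.0.x ESR against a newer Mandriva major needs an epoch.
    print("ESR, no epoch:", compare_evr("10.0.4-1.mga1", MDV_FIREFOX_11))
    print("ESR, epoch 1: ", compare_evr("1:10.0.4-1.mga1", MDV_FIREFOX_11))
```
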
Regarding gnome-python-extras, I now realize that while that package is required for gajim, it doesn't use gnome-python-gtkmozembed. None of the Mageia 1 packages require it, so I'll be using the small sample from http://www.pygtk.org/pygtkmozembed/class-gtkmozembed.html Currently, it segfaults, I'm assuming because we don't have the new version yet, and I do have the newer firefox installed.
I just noticed, when I ran the snippet, although it works, there is an error message ...
/home/iurt/rpm/BUILD/icedtea-web-1.1.4/plugin/icedteanp/IcedTeaNPPlugin.cc:2020: thread 0xb69e1c60: Error: Invalid plugin function table.
Is that a problem?
FF10, well done in x86_64 and i586
CC: (none) => jkowalzik
x86_64
Firefox updates with firefox-en_GB.
Java tested at http://java.com/en/download/testjava.jsp
Flash tested at youtube.com
Everything else seems OK
webm plays after updating lib64vpx0 and devel
python-cython
-------------
# python setup.py build_ext --inplace
running build_ext
cythoning helloworld.pyx to helloworld.c
building 'helloworld' extension
creating build
creating build/temp.linux-x86_64-2.7
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -DNDEBUG -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -g -fPIC -I/usr/include/python2.7 -c helloworld.c -o build/temp.linux-x86_64-2.7/helloworld.o
gcc -pthread -shared -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--enable-new-dtags build/temp.linux-x86_64-2.7/helloworld.o -L/usr/lib64 -lpython2.7 -o /root/helloworld.so
# python
Python 2.7.1 (r271:86832, Sep 5 2011, 14:50:51)
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import helloworld
Hello World
Still to test
-------------
eclipse - Can't connect to their website at the moment
gjs - No update yet
gnome-python-extras - No update yet
-------------
It would be better for future updates, rather than bit by bit like this (same as with php), to assign to QA only when everything is ready for QA - with an advisory of course to say what has been updated and if possible a testcase/PoC
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
It only causes confusion which can/will lead to mistakes being made or something being missed otherwise.
Thank you. :)
Firefox 10.0.2 is now available from Mozilla. Thomas Backlund noted that TB 10.0.2 is also out, addressing some CVEs, so I'd imagine that's the case with FF as well. Assigning back to dmorgan.
CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec
Testing complete for the srpm firefox-10.0.2-0.1.mga1.src.rpm on Mageia release 1 (Official) for x86_64, works fine for me and nothing to report.
Tested linked srpms:
- xulrunner-10.0.2-0.1.mga1.src.rpm
- firefox-l10n-10.0.2-0.1.mga1.src.rpm
D Morgan, the release on these packages is 0, and it should be 1 (with no subrel).
https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29
I found a regression since installing firefox-10.0.2-0.1.mga1.src.rpm.
When I go into Settings chromium-browser-stable-16.0.912.63-0.1.mga1.src.rpm, it can not find Firefox (or another browser) to import favorites and data:
Customize and configure chromium ->> Preferences ->> Data personal ->> Import data from another browser ->> Can not find a supported browser
the result is: "Can not find a supported browser"
I did some tests and come back with firefox-9.0.1-0.1.mga1.src.rpm and always chromium-browser-stable-16.0.912.63-0.1.mga1.src.rpm
While with firefox-9.0.1-0.1.mga1.src.rpm it's good, chromium found Firefox (or another browser) to import the data and favorites.
Hi, I updated to FF 10.0.2 from Testing and it seems to work fine apart from one strange thing - it is sometimes very slow on certain websites. This behavior is quite random though. For example, a page may take a minute or more to load, but if I don't wait and go back and then go to the same page again - it loads almost instantaneously. As I said, this behavior is random, so I can't give you any particular link as an example. Previous FF 9.0.1 worked totally fine on the same pages.
P.S. BTW, on one of the forums I bumped into a message describing the same behavior of FF 10.0.2 in Mageia1 and the guy said he tried FF 10.0.2 rpm for SUSE and in that case all the problems were gone.
Thank you.
CC: (none) => schlecht
Depends on: (none) => 4701
Depends on: (none) => 4664
Depends on: (none) => 4563
Depends on: (none) => 4784
No progress here. Why? Next security fix will be released soon and we haven't got this one out.
gjs and gnome-python-extras are supposed to be rebuilt but haven't been. In my opinion, we are going to have to validate the update without them. Objections?
I know that security updates are important, but I really feel bad when we push updates known to break other packages. The solution, in my opinion, is not to push security fixes early and forget about other packages, but rather to be organized to rebuild quickly packages that need it. Usually a rebuild is really nothing for a packager, unless the build fails. So keeping a good list of what needs rebuild so that each update simply needs packagers to follow a check-list would be very nice.
CC: (none) => stormi
(In reply to comment #40)
> gjs and gnome-python-extras are supposed to be rebuilt but haven't been.
>
> In my opinion, we are going to have to validate the update without them.
>
> Objections?
Don't forget the blockers. There's also openjdk/icedtea-web, rootcerts, and nss that need to be rebuilt or updated. There's also libvpx, but that one has been built (still needs testing).
I'm willing to try building all of these, but I'd like to give D Morgan a chance to do it, or at least give some guidance on how he wants it all handled.
Another regression in this update: the mozilla kde integration is missing in firefox-10.0.2-0.1.mga1. kmozillahelper is installed on my system, but firefox 10.0.2 uses gnome/gtk components and libraries to open files, or to search mimetype, instead of using kde components (when using kde 4).
CC: (none) => lmenut
Yesterday, Firefox 11 was released.
ftp://ftp.mozilla.org/pub/firefox/candidates/11.0-candidates/build1/linux-x86_64/es-ES/firefox-11.0.tar.bz2
CC: (none) => alejandrocobo
dmorgan is in bed with flu at the moment I think. The hold up here is still the dependent packages requiring rebuilds.
> Yesterday, Firefox 11 was released.
>
> ftp://ftp.mozilla.org/pub/firefox/candidates/11.0-candidates/build1/linux-x86_64/es-ES/firefox-11.0.tar.bz2
Actually we are going with 10.0.x ESR, so it will be either 10.0.3 ESR or maybe 10.0.4 ESR if there will be problems that need extra release (e.g. some 0-days from pwn2own - https://www.zdnet.com/blog/security/researchers-hack-into-newest-firefox-with-zero-day-flaw/10663).
(In reply to comment #44).
Can anyone verify if icedtea-web is working with these FF10 builds right now?
Mandriva has a patch to icedtea-web that says it fixes working with FF10, but it doesn't quite apply to our icedtea-web package. The upstream bug they reference talks about FF10+icedtea-web+java-1.7.0-openjdk, so since we don't have the last piece (we have 1.6.0) I don't know if it is needed.
See Bug 4563 for more info.
Upstream bug I mentioned: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=866
(In reply to comment #30)
> I just noticed, when I ran the snippet, although it works, there is an
> error message ...
> /home/iurt/rpm/BUILD/icedtea-web-1.1.4/plugin/icedteanp/IcedTeaNPPlugin.cc:2020:
> thread 0xb69e1c60: Error: Invalid plugin function table.
>
> Is that a problem?
I wonder if that's what this patch is for:
http://svn.mandriva.com/svn/packages/cooker/icedtea-web/current/SOURCES/icedtea-web-1.0.2-mutex_and_leak.patch
I've taken care of all of the blockers except for Eclipse. What is the status of Eclipse? What is the status of this package (Firefox)? What is the way forward to finish this update?
According to https://wiki.mageia.org/en/Updates/Firefox we still need gnome-python-extras and gjs.
Created attachment 1966 [details] log from eclipse crash on startup
Mandriva issued an advisory for Mozilla on 2010.2 today (April 17):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:032-1
They have not only updated FF to 10.0.3, but they have also updated some packages to newer versions than we currently have, so we now have to update these as well.
icedtea-web-1.1.5-0.1mdv2010.2.src.rpm
nspr-4.9.0-0.1mdv2010.2.src.rpm
nss-3.13.4-0.1mdv2010.2.src.rpm
Can we get this one fixed please. Current mga1 FF is 9.0.1 which is no longer supported.
Depends on: (none) => 5458
(In reply to comment #52)
> Mandriva issued an advisory for Mozilla on 2010.2 today (April 17):
> http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:032-1
>
> They have not only updated FF to 10.0.3, but they have also updated some
> packages to newer versions than we currently have, so we now have to update
> these as well.
>
> icedtea-web-1.1.5-0.1mdv2010.2.src.rpm
> nspr-4.9.0-0.1mdv2010.2.src.rpm
> nss-3.13.4-0.1mdv2010.2.src.rpm
Opened Bug 5539 for nspr and nss and Bug 5540 for icedtea-web.
Depends on: (none) => 5539, 5540
And according to a message from Funda Wang on the mageia-dev list, Firefox and Thunderbird 10.0.4 are out now. :o)
CC: (none) => fundawang
Funda Wang has built xulrunner, firefox, and firefox-l10n 10.0.4 for Mageia 1.
Are there any more packages that need to be rebuilt or can the testing begin? If there are more can someone please list them fast so we can close this bug once and for all. It's getting so long that it's already hard to track what's going on..
No, this isn't ready for testing yet.
nspr and nss need to be updated, xulrunner and firefox need to be rebuilt against those, gjs and gnome-python-extras need to be rebuilt against those, and apparently something needs to be fixed with Eclipse.
Once this is done, the SRPMS will be:
nspr
nss
xulrunner
firefox
firefox-l10n
python-cython
perl-Gtk2-MozEmbed
gnome-python-extras
gjs
eclipse
(and possibly icedtea-web and gnash if they don't work with FF9.0.1)
References:
nspr and nss - Bug 5539
gnome-python-extras and gjs - Comment 8, Comment 14, and Comment 50
Eclipse - Comment 51 and Bug 4784
gnash - Bug 5458
icedtea-web - Bug 5540
I need to fix something in nspr in Cauldron before it can be backported.
Ok, I understand nss, nspr, gnash and icedtea-web. But I don't understand how is eclipse blocking this update? Or gnome-python-extras and gjs. Those packages are not rebuilt for Firefox in mdv2010.2. Can someone explain please?
(In reply to comment #59)
> Ok, I understand nss, nspr, gnash and icedtea-web. But I don't understand how
> is eclipse blocking this update? Or gnome-python-extras and gjs. Those packages
> are not rebuilt for Firefox in mdv2010.2. Can someone explain please?
gjs, eclipse-swt, and gnome-python-gtkmozembed all use xulrunner/libxulrunner, and if they aren't rebuilt, they will continue to use the old vulnerable versions.
That being said, we haven't rebuilt those for previous updates, and the reason they aren't currently available is because they don't build properly with current xulrunner.
As a matter of fact, I just finished looking into Eclipse specifically, and a whole bunch of stuff in the xulrunner API in nsXPCOMGlue.h has been removed (some Googling suggested it was removed in FF 6.0), so we are not going to be able to rebuild Eclipse anyway.
I'm guessing the reason gjs and gnome-python-extras won't build is similar reasons, so I will now say that I don't agree that those should hold up this update.
So here's what really needs to be done:
Packages generated from eclipse SRPM in updates_testing should be removed.
nspr and nss should be updated.
xulrunner, firefox, firefox-l10n should be rebuilt.
QA Testing.
Release! :o)
In progress.
Assignee: dmorganec => luigiwalser
*** Bug 5540 has been marked as a duplicate of this bug. ***
*** Bug 5539 has been marked as a duplicate of this bug. ***
Confirmed that gjs and gnome-python-extras cannot be rebuilt with current xulrunner. Mandriva hasn't rebuilt them since issuing the Firefox 3.6.26 update.
Our packages will be done in a few minutes. I'll post an advisory then.
Depends on: 5458 => (none)
Have at it everyone!

Advisory:
========================

Updated firefox and other packages fix security vulnerabilities:

Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes (CVE-2011-3659).

Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages (CVE-2011-3670).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0442).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0443).

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file (CVE-2012-0444).

Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to bypass the HTML5 frame-navigation policy and replace arbitrary sub-frames by creating a form submission target with a sub-frame's name attribute (CVE-2012-0445).

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to inject arbitrary web script or HTML via a (1) web page or (2) Firefox extension, related to improper enforcement of XPConnect security restrictions for frame scripts that call untrusted objects (CVE-2012-0446).

Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize data for image/vnd.microsoft.icon images, which allows remote attackers to obtain potentially sensitive information by reading a PNG image that was created through conversion from an ICO image (CVE-2012-0447).

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document (CVE-2012-0449).

Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations (CVE-2012-0450).

Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding (CVE-2012-0452).

Integer overflow in libpng, as used in Firefox before 10.0.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation (CVE-2011-3026).

Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable (CVE-2012-0454).

Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing a cross-site scripting (XSS) attacks on themselves. Security researcher Soroush Dalili reported a way to bypass this protection (CVE-2012-0455).

Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is an out of bounds read in SVG Filters. This could potentially incorporate data from the user's memory, making it accessible to the page content (CVE-2012-0457, CVE-2012-0456).

Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability (CVE-2012-0451).

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the home button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context (CVE-2012-0458).

Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable (CVE-2012-0459).

Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes window.fullScreen read only by untrusted content, forcing the use of the DOM fullscreen API in normal usage (CVE-2012-0460).

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464).

Additionally, the nspr and nss libraries have been updated to their newest versions.

The python-cython and icedtea-web packages have been updated as well, as they were in Mandriva's updates for 2010.2.

Finally, perl-Gtk2-MozEmbed has been rebuilt against the new version of xulrunner.

Note: Any applications using the gjs library, gnome-python-gtkmozembed, or eclipse-swt remain vulnerable to these issues, as they cannot be rebuilt against the current version of xulrunner.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0464
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
http://www.mozilla.org/security/announce/2012/mfsa2012-03.html
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
http://www.mozilla.org/security/announce/2012/mfsa2012-05.html
http://www.mozilla.org/security/announce/2012/mfsa2012-06.html
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
http://www.mozilla.org/security/announce/2012/mfsa2012-09.html
http://www.mozilla.org/security/announce/2012/mfsa2012-10.html
http://www.mozilla.org/security/announce/2012/mfsa2012-11.html
http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-15.html
http://www.mozilla.org/security/announce/2012/mfsa2012-16.html
http://www.mozilla.org/security/announce/2012/mfsa2012-17.html
http://www.mozilla.org/security/announce/2012/mfsa2012-18.html
http://www.mozilla.org/security/announce/2012/mfsa2012-19.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:006
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:013
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:017
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:032-1
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.9.0-1.mga1
libnspr-devel-4.9.0-1.mga1
nss-3.13.4-1.mga1
nss-doc-3.13.4-1.mga1
libnss3-3.13.4-1.mga1
libnss-devel-3.13.4-1.mga1
libnss-static-devel-3.13.4-1.mga1
xulrunner-10.0.4-1.mga1
libxulrunner10.0.4-10.0.4-1.mga1
firefox-10.0.4-1.mga1
firefox-devel-10.0.4-1.mga1
firefox-af-10.0.4-1.mga1
firefox-ar-10.0.4-1.mga1
firefox-ast-10.0.4-1.mga1
firefox-be-10.0.4-1.mga1
firefox-bg-10.0.4-1.mga1
firefox-bn_IN-10.0.4-1.mga1
firefox-bn_BD-10.0.4-1.mga1
firefox-br-10.0.4-1.mga1
firefox-bs-10.0.4-1.mga1
firefox-ca-10.0.4-1.mga1
firefox-cs-10.0.4-1.mga1
firefox-cy-10.0.4-1.mga1
firefox-da-10.0.4-1.mga1
firefox-de-10.0.4-1.mga1
firefox-el-10.0.4-1.mga1
firefox-en_GB-10.0.4-1.mga1
firefox-en_ZA-10.0.4-1.mga1
firefox-eo-10.0.4-1.mga1
firefox-es_AR-10.0.4-1.mga1
firefox-es_CL-10.0.4-1.mga1
firefox-es_ES-10.0.4-1.mga1
firefox-es_MX-10.0.4-1.mga1
firefox-et-10.0.4-1.mga1
firefox-eu-10.0.4-1.mga1
firefox-fa-10.0.4-1.mga1
firefox-fi-10.0.4-1.mga1
firefox-fr-10.0.4-1.mga1
firefox-fy-10.0.4-1.mga1
firefox-ga_IE-10.0.4-1.mga1
firefox-gd-10.0.4-1.mga1
firefox-gl-10.0.4-1.mga1
firefox-gu_IN-10.0.4-1.mga1
firefox-he-10.0.4-1.mga1
firefox-hi-10.0.4-1.mga1
firefox-hr-10.0.4-1.mga1
firefox-hu-10.0.4-1.mga1
firefox-hy-10.0.4-1.mga1
firefox-id-10.0.4-1.mga1
firefox-is-10.0.4-1.mga1
firefox-it-10.0.4-1.mga1
firefox-ja-10.0.4-1.mga1
firefox-kk-10.0.4-1.mga1
firefox-ko-10.0.4-1.mga1
firefox-kn-10.0.4-1.mga1
firefox-ku-10.0.4-1.mga1
firefox-lg-10.0.4-1.mga1
firefox-lt-10.0.4-1.mga1
firefox-lv-10.0.4-1.mga1
firefox-mai-10.0.4-1.mga1
firefox-mk-10.0.4-1.mga1
firefox-ml-10.0.4-1.mga1
firefox-mr-10.0.4-1.mga1
firefox-nb_NO-10.0.4-1.mga1
firefox-nl-10.0.4-1.mga1
firefox-nn_NO-10.0.4-1.mga1
firefox-nso-10.0.4-1.mga1
firefox-or-10.0.4-1.mga1
firefox-pa_IN-10.0.4-1.mga1
firefox-pl-10.0.4-1.mga1
firefox-pt_BR-10.0.4-1.mga1
firefox-pt_PT-10.0.4-1.mga1
firefox-ro-10.0.4-1.mga1
firefox-ru-10.0.4-1.mga1
firefox-si-10.0.4-1.mga1
firefox-sk-10.0.4-1.mga1
firefox-sl-10.0.4-1.mga1
firefox-sq-10.0.4-1.mga1
firefox-sr-10.0.4-1.mga1
firefox-sv_SE-10.0.4-1.mga1
firefox-ta-10.0.4-1.mga1
firefox-ta_LK-10.0.4-1.mga1
firefox-te-10.0.4-1.mga1
firefox-th-10.0.4-1.mga1
firefox-tr-10.0.4-1.mga1
firefox-uk-10.0.4-1.mga1
firefox-vi-10.0.4-1.mga1
firefox-zh_CN-10.0.4-1.mga1
firefox-zh_TW-10.0.4-1.mga1
firefox-zu-10.0.4-1.mga1
python-cython-0.15.1-0.1.mga1
perl-Gtk2-MozEmbed-0.80.0-10.3.mga1
icedtea-web-1.1.5-1.mga1
icedtea-web-javadoc-1.1.5-1.mga1

from SRPMS:
nspr-4.9.0-1.mga1.src.rpm
nss-3.13.4-1.mga1.src.rpm
xulrunner-10.0.4-1.mga1.src.rpm
firefox-10.0.4-1.mga1.src.rpm
firefox-l10n-10.0.4-1.mga1.src.rpm
python-cython-0.15.1-0.1.mga1.src.rpm
perl-Gtk2-MozEmbed-0.80.0-10.3.mga1.src.rpm
icedtea-web-1.1.5-1.mga1.src.rpm
Assignee: luigiwalser => qa-bugs
Blocks: 3177 => (none)
perl-Gtk2-MozEmbed still needed rebuilt against the updated xulrunner. Fixed.

Advisory:
========================

Updated firefox and other packages fix security vulnerabilities:

Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes (CVE-2011-3659).

Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages (CVE-2011-3670).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0442).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0443).

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file (CVE-2012-0444).

Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to bypass the HTML5 frame-navigation policy and replace arbitrary sub-frames by creating a form submission target with a sub-frame's name attribute (CVE-2012-0445).

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to inject arbitrary web script or HTML via a (1) web page or (2) Firefox extension, related to improper enforcement of XPConnect security restrictions for frame scripts that call untrusted objects (CVE-2012-0446).

Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize data for image/vnd.microsoft.icon images, which allows remote attackers to obtain potentially sensitive information by reading a PNG image that was created through conversion from an ICO image (CVE-2012-0447).

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document (CVE-2012-0449).

Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations (CVE-2012-0450).

Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding (CVE-2012-0452).

Integer overflow in libpng, as used in Firefox before 10.0.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation (CVE-2011-3026).

Security researchers Blair Strang and Scott Bell of Security Assessment found that when a parent window spawns and closes a child window that uses the file open dialog, a crash can be induced in shlwapi.dll on 32-bit Windows 7 systems. This crash may be potentially exploitable (CVE-2012-0454).

Firefox prevents the dropping of javascript: links onto a frame to prevent malicious sites from tricking users into performing cross-site scripting (XSS) attacks on themselves. Security researcher Soroush Dalili reported a way to bypass this protection (CVE-2012-0455).

Security researcher Atte Kettunen from OUSPG found two issues with Firefox's handling of SVG using the Address Sanitizer tool. The first issue, critically rated, is a use-after-free in SVG animation that could potentially lead to arbitrary code execution. The second issue is rated moderate and is an out of bounds read in SVG Filters. This could potentially incorporate data from the user's memory, making it accessible to the page content (CVE-2012-0457, CVE-2012-0456).

Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability (CVE-2012-0451).

Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the home button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context (CVE-2012-0458).

Mozilla community member Daniel Glazman of Disruptive Innovations reported a crash when accessing a keyframe's cssText after dynamic modification. This crash may be potentially exploitable (CVE-2012-0459).

Mozilla developer Matt Brubeck reported that window.fullScreen is writeable by untrusted content now that the DOM fullscreen API is enabled. Because window.fullScreen does not include mozRequestFullscreen's security protections, it could be used for UI spoofing. This code change makes window.fullScreen read only by untrusted content, forcing the use of the DOM fullscreen API in normal usage (CVE-2012-0460).

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464).

Additionally, the nspr and nss libraries have been updated to their newest versions. The python-cython and icedtea-web packages have been updated as well, as they were in Mandriva's updates for 2010.2. Finally, perl-Gtk2-MozEmbed has been rebuilt against the new version of xulrunner.

Note: Any applications using the gjs library, gnome-python-gtkmozembed, or eclipse-swt remain vulnerable to these issues, as they cannot be rebuilt against the current version of xulrunner.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0464
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
http://www.mozilla.org/security/announce/2012/mfsa2012-03.html
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
http://www.mozilla.org/security/announce/2012/mfsa2012-05.html
http://www.mozilla.org/security/announce/2012/mfsa2012-06.html
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
http://www.mozilla.org/security/announce/2012/mfsa2012-09.html
http://www.mozilla.org/security/announce/2012/mfsa2012-10.html
http://www.mozilla.org/security/announce/2012/mfsa2012-11.html
http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-15.html
http://www.mozilla.org/security/announce/2012/mfsa2012-16.html
http://www.mozilla.org/security/announce/2012/mfsa2012-17.html
http://www.mozilla.org/security/announce/2012/mfsa2012-18.html
http://www.mozilla.org/security/announce/2012/mfsa2012-19.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVA-2012:006
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:013
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:017
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:032-1
========================

Updated packages in core/updates_testing:
========================
libnspr4-4.9.0-1.mga1
libnspr-devel-4.9.0-1.mga1
nss-3.13.4-1.mga1
nss-doc-3.13.4-1.mga1
libnss3-3.13.4-1.mga1
libnss-devel-3.13.4-1.mga1
libnss-static-devel-3.13.4-1.mga1
xulrunner-10.0.4-1.mga1
libxulrunner10.0.4-10.0.4-1.mga1
firefox-10.0.4-1.mga1
firefox-devel-10.0.4-1.mga1
firefox-af-10.0.4-1.mga1
firefox-ar-10.0.4-1.mga1
firefox-ast-10.0.4-1.mga1
firefox-be-10.0.4-1.mga1
firefox-bg-10.0.4-1.mga1
firefox-bn_IN-10.0.4-1.mga1
firefox-bn_BD-10.0.4-1.mga1
firefox-br-10.0.4-1.mga1
firefox-bs-10.0.4-1.mga1
firefox-ca-10.0.4-1.mga1
firefox-cs-10.0.4-1.mga1
firefox-cy-10.0.4-1.mga1
firefox-da-10.0.4-1.mga1
firefox-de-10.0.4-1.mga1
firefox-el-10.0.4-1.mga1
firefox-en_GB-10.0.4-1.mga1
firefox-en_ZA-10.0.4-1.mga1
firefox-eo-10.0.4-1.mga1
firefox-es_AR-10.0.4-1.mga1
firefox-es_CL-10.0.4-1.mga1
firefox-es_ES-10.0.4-1.mga1
firefox-es_MX-10.0.4-1.mga1
firefox-et-10.0.4-1.mga1
firefox-eu-10.0.4-1.mga1
firefox-fa-10.0.4-1.mga1
firefox-fi-10.0.4-1.mga1
firefox-fr-10.0.4-1.mga1
firefox-fy-10.0.4-1.mga1
firefox-ga_IE-10.0.4-1.mga1
firefox-gd-10.0.4-1.mga1
firefox-gl-10.0.4-1.mga1
firefox-gu_IN-10.0.4-1.mga1
firefox-he-10.0.4-1.mga1
firefox-hi-10.0.4-1.mga1
firefox-hr-10.0.4-1.mga1
firefox-hu-10.0.4-1.mga1
firefox-hy-10.0.4-1.mga1
firefox-id-10.0.4-1.mga1
firefox-is-10.0.4-1.mga1
firefox-it-10.0.4-1.mga1
firefox-ja-10.0.4-1.mga1
firefox-kk-10.0.4-1.mga1
firefox-ko-10.0.4-1.mga1
firefox-kn-10.0.4-1.mga1
firefox-ku-10.0.4-1.mga1
firefox-lg-10.0.4-1.mga1
firefox-lt-10.0.4-1.mga1
firefox-lv-10.0.4-1.mga1
firefox-mai-10.0.4-1.mga1
firefox-mk-10.0.4-1.mga1
firefox-ml-10.0.4-1.mga1
firefox-mr-10.0.4-1.mga1
firefox-nb_NO-10.0.4-1.mga1
firefox-nl-10.0.4-1.mga1
firefox-nn_NO-10.0.4-1.mga1
firefox-nso-10.0.4-1.mga1
firefox-or-10.0.4-1.mga1
firefox-pa_IN-10.0.4-1.mga1
firefox-pl-10.0.4-1.mga1
firefox-pt_BR-10.0.4-1.mga1
firefox-pt_PT-10.0.4-1.mga1
firefox-ro-10.0.4-1.mga1
firefox-ru-10.0.4-1.mga1
firefox-si-10.0.4-1.mga1
firefox-sk-10.0.4-1.mga1
firefox-sl-10.0.4-1.mga1
firefox-sq-10.0.4-1.mga1
firefox-sr-10.0.4-1.mga1
firefox-sv_SE-10.0.4-1.mga1
firefox-ta-10.0.4-1.mga1
firefox-ta_LK-10.0.4-1.mga1
firefox-te-10.0.4-1.mga1
firefox-th-10.0.4-1.mga1
firefox-tr-10.0.4-1.mga1
firefox-uk-10.0.4-1.mga1
firefox-vi-10.0.4-1.mga1
firefox-zh_CN-10.0.4-1.mga1
firefox-zh_TW-10.0.4-1.mga1
firefox-zu-10.0.4-1.mga1
python-cython-0.15.1-0.1.mga1
perl-Gtk2-MozEmbed-0.80.0-10.4.mga1
icedtea-web-1.1.5-1.mga1
icedtea-web-javadoc-1.1.5-1.mga1

from SRPMS:
nspr-4.9.0-1.mga1.src.rpm
nss-3.13.4-1.mga1.src.rpm
xulrunner-10.0.4-1.mga1.src.rpm
firefox-10.0.4-1.mga1.src.rpm
firefox-l10n-10.0.4-1.mga1.src.rpm
python-cython-0.15.1-0.1.mga1.src.rpm
perl-Gtk2-MozEmbed-0.80.0-10.4.mga1.src.rpm
icedtea-web-1.1.5-1.mga1.src.rpm
Testing done on 64-bit Mageia 1. It works well. Just one remark, I installed firefox 10.0.4 with the following command

urpmi firefox firefox-fr lib64xulrunner10.0.4 xulrunner

Then, I got

Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch
(média « Core Updates Testing (distrib5) »)
  firefox                        10.0.4       1.mga1        x86_64
  lib64nspr4                     4.9.0        1.mga1        x86_64
  lib64nss3                      3.13.4       1.mga1        x86_64
  lib64xulrunner10.0.4           10.0.4       1.mga1        x86_64
  xulrunner                      10.0.4       1.mga1        x86_64
(média « Core 32bit Updates Testing (distrib35) »)
  firefox-fr                     10.0.4       1.mga1        noarch
un espace additionnel de 43Mo sera utilisé.
25Mo de paquets seront récupérés.
Procéder à l'installation des 6 paquetages ? (O/n)

I see that lib64nspr4 and lib64nss3 are proposed but not "nss" package, is it normal?
CC: (none) => olivier.delaune
(In reply to comment #67)
> I see that lib64nspr4 and lib64nss3 are proposed but not "nss" package, is it
> normal?

Based on the way you installed it, yes. libnss3 doesn't actually require nss, it only Requires(post) it, and that's a non-versioned Requires. Maybe it should be versioned, but it probably doesn't need to be. People installing updates the normal way will have both packages updated at the same time.
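A way to check a host against the fixed builds listed in the advisory, and to catch the case discussed above where nss lags behind libnss3 after a selective install. This is an added example, not part of the thread or Mageia's tooling; the inventory line format (`name epoch version release`), epoch 0 for the advisory builds, and the installed nss 3.13.3 value are assumptions made for the sample.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Order two version or release strings the way rpm does.
    Simplified: '~' and '^' handling from newer rpm releases is omitted."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1   # a numeric segment beats an alphabetic one
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_nvr(nvr):
    """'libxulrunner10.0.4-10.0.4-1.mga1' -> (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; epoch outranks everything."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def audit(fixed_nvrs, installed_lines):
    """Map each advisory package name to 'ok', 'outdated' or 'not installed'."""
    installed = {}
    for line in installed_lines:
        name, epoch, version, release = line.split()
        installed[name] = (int(epoch), version, release)
    report = {}
    for nvr in fixed_nvrs:
        name, version, release = split_nvr(nvr)
        have = installed.get(name)
        if have is None:
            report[name] = "not installed"
        elif evr_cmp(have, (0, version, release)) < 0:  # assumption: epoch 0
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report

# Fixed builds, taken from the advisory's package list (i586 names; on x86_64
# the library packages carry a lib64 prefix, as in the urpmi output above).
FIXED = ["firefox-10.0.4-1.mga1", "xulrunner-10.0.4-1.mga1",
         "nss-3.13.4-1.mga1", "libnss3-3.13.4-1.mga1",
         "python-cython-0.15.1-0.1.mga1",
         "perl-Gtk2-MozEmbed-0.80.0-10.4.mga1", "icedtea-web-1.1.5-1.mga1"]

# Constructed inventory: "name epoch version release", one package per line.
INSTALLED = ["firefox 0 10.0.4 1.mga1", "xulrunner 0 10.0.4 1.mga1",
             "libnss3 0 3.13.4 1.mga1",
             "nss 0 3.13.3 1.mga1",                   # constructed older build
             "python-cython 0 0.14.1 1.mga1",         # pre-update Mageia 1 build
             "perl-Gtk2-MozEmbed 0 0.80.0 10.3.mga1"] # first testing build

if __name__ == "__main__":
    for name, status in audit(FIXED, INSTALLED).items():
        print(f"{name}: {status}")
```
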
Testing complete on i586. Could someone from the sysadmin team push firefox from Core Updates Testing to Core Updates. See comment 66 for the list of srpms, and advisory.
(In reply to comment #69)
> Testing complete on i586.
>
> Could someone from the sysadmin team push firefox
> from Core Updates Testing to Core Updates.
>
> See comment 66 for the list of srpms, and advisory.

I don't see the sysadmin list in the CCs.
Testing completed by the QA.

Could sysadmin please push from core/updates_testing to core/updates:

nspr-4.9.0-1.mga1.src.rpm
nss-3.13.4-1.mga1.src.rpm
xulrunner-10.0.4-1.mga1.src.rpm
firefox-10.0.4-1.mga1.src.rpm
firefox-l10n-10.0.4-1.mga1.src.rpm
python-cython-0.15.1-0.1.mga1.src.rpm
perl-Gtk2-MozEmbed-0.80.0-10.4.mga1.src.rpm
icedtea-web-1.1.5-1.mga1.src.rpm

For the advisory and details: https://bugs.mageia.org/show_bug.cgi?id=4405#c66

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Source RPM: firefox-9.0.1-0.1.mga1.src.rpm => firefox-10.0.4-1.mga1.src.rpm
Thank you everyone. Could the sysadmins please also remove the older xulrunner packages from updates_testing?
(In reply to comment #70)
> I don't see the sysadmin list in the CCs.

Thanks for catching that. Guess I forgot to add them to the list. Sorry about that.
Old xulrunner packages removed from testing. Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED