Bug 7215 - Firefox 10.0.7
Summary: Firefox 10.0.7
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
Whiteboard: MGA1TOO mga2-64-OK mga1-32-OK mga2-32...
Keywords: validated_update

Reported: 2012-08-26 23:12 CEST by David Walser
Modified: 2012-08-30 11:07 CEST
Source RPM: firefox-10.0.6-1.mga2.src.rpm

Description David Walser 2012-08-26 23:12:31 CEST
Mozilla Firefox 10.0.7 has been released.

Updated packages uploaded for Mageia 1 and Mageia 2.

Testing may begin now.  The advisory will be available at a later time.

Source RPMs:
------------
nspr-4.9.2-1.mga1
nss-3.13.6-1.mga1
firefox-10.0.7-1.mga1
firefox-l10n-10.0.7-1.mga1
nspr-4.9.2-1.mga2
nss-3.13.6-1.mga2
firefox-10.0.7-1.mga2
firefox-l10n-10.0.7-1.mga2

Full RPMs list (Mageia 1):
--------------------------
libnspr4-4.9.2-1.mga1
libnspr-devel-4.9.2-1.mga1
nss-3.13.6-1.mga1
nss-doc-3.13.6-1.mga1
libnss3-3.13.6-1.mga1
libnss-devel-3.13.6-1.mga1
libnss-static-devel-3.13.6-1.mga1
firefox-10.0.7-1.mga1
firefox-devel-10.0.7-1.mga1
firefox-af-10.0.7-1.mga1
firefox-ar-10.0.7-1.mga1
firefox-ast-10.0.7-1.mga1
firefox-be-10.0.7-1.mga1
firefox-bg-10.0.7-1.mga1
firefox-bn_IN-10.0.7-1.mga1
firefox-bn_BD-10.0.7-1.mga1
firefox-br-10.0.7-1.mga1
firefox-bs-10.0.7-1.mga1
firefox-ca-10.0.7-1.mga1
firefox-cs-10.0.7-1.mga1
firefox-cy-10.0.7-1.mga1
firefox-da-10.0.7-1.mga1
firefox-de-10.0.7-1.mga1
firefox-el-10.0.7-1.mga1
firefox-en_GB-10.0.7-1.mga1
firefox-en_ZA-10.0.7-1.mga1
firefox-eo-10.0.7-1.mga1
firefox-es_AR-10.0.7-1.mga1
firefox-es_CL-10.0.7-1.mga1
firefox-es_ES-10.0.7-1.mga1
firefox-es_MX-10.0.7-1.mga1
firefox-et-10.0.7-1.mga1
firefox-eu-10.0.7-1.mga1
firefox-fa-10.0.7-1.mga1
firefox-fi-10.0.7-1.mga1
firefox-fr-10.0.7-1.mga1
firefox-fy-10.0.7-1.mga1
firefox-ga_IE-10.0.7-1.mga1
firefox-gd-10.0.7-1.mga1
firefox-gl-10.0.7-1.mga1
firefox-gu_IN-10.0.7-1.mga1
firefox-he-10.0.7-1.mga1
firefox-hi-10.0.7-1.mga1
firefox-hr-10.0.7-1.mga1
firefox-hu-10.0.7-1.mga1
firefox-hy-10.0.7-1.mga1
firefox-id-10.0.7-1.mga1
firefox-is-10.0.7-1.mga1
firefox-it-10.0.7-1.mga1
firefox-ja-10.0.7-1.mga1
firefox-kk-10.0.7-1.mga1
firefox-ko-10.0.7-1.mga1
firefox-kn-10.0.7-1.mga1
firefox-ku-10.0.7-1.mga1
firefox-lg-10.0.7-1.mga1
firefox-lt-10.0.7-1.mga1
firefox-lv-10.0.7-1.mga1
firefox-mai-10.0.7-1.mga1
firefox-mk-10.0.7-1.mga1
firefox-ml-10.0.7-1.mga1
firefox-mr-10.0.7-1.mga1
firefox-nb_NO-10.0.7-1.mga1
firefox-nl-10.0.7-1.mga1
firefox-nn_NO-10.0.7-1.mga1
firefox-nso-10.0.7-1.mga1
firefox-or-10.0.7-1.mga1
firefox-pa_IN-10.0.7-1.mga1
firefox-pl-10.0.7-1.mga1
firefox-pt_BR-10.0.7-1.mga1
firefox-pt_PT-10.0.7-1.mga1
firefox-ro-10.0.7-1.mga1
firefox-ru-10.0.7-1.mga1
firefox-si-10.0.7-1.mga1
firefox-sk-10.0.7-1.mga1
firefox-sl-10.0.7-1.mga1
firefox-sq-10.0.7-1.mga1
firefox-sr-10.0.7-1.mga1
firefox-sv_SE-10.0.7-1.mga1
firefox-ta-10.0.7-1.mga1
firefox-ta_LK-10.0.7-1.mga1
firefox-te-10.0.7-1.mga1
firefox-th-10.0.7-1.mga1
firefox-tr-10.0.7-1.mga1
firefox-uk-10.0.7-1.mga1
firefox-vi-10.0.7-1.mga1
firefox-zh_CN-10.0.7-1.mga1
firefox-zh_TW-10.0.7-1.mga1
firefox-zu-10.0.7-1.mga1


Full RPMs list (Mageia 2):
--------------------------
libnspr4-4.9.2-1.mga2
libnspr-devel-4.9.2-1.mga2
nss-3.13.6-1.mga2
nss-doc-3.13.6-1.mga2
libnss3-3.13.6-1.mga2
libnss-devel-3.13.6-1.mga2
libnss-static-devel-3.13.6-1.mga2
firefox-10.0.7-1.mga2
firefox-devel-10.0.7-1.mga2
firefox-af-10.0.7-1.mga2
firefox-ar-10.0.7-1.mga2
firefox-ast-10.0.7-1.mga2
firefox-be-10.0.7-1.mga2
firefox-bg-10.0.7-1.mga2
firefox-bn_IN-10.0.7-1.mga2
firefox-bn_BD-10.0.7-1.mga2
firefox-br-10.0.7-1.mga2
firefox-bs-10.0.7-1.mga2
firefox-ca-10.0.7-1.mga2
firefox-cs-10.0.7-1.mga2
firefox-cy-10.0.7-1.mga2
firefox-da-10.0.7-1.mga2
firefox-de-10.0.7-1.mga2
firefox-el-10.0.7-1.mga2
firefox-en_GB-10.0.7-1.mga2
firefox-en_ZA-10.0.7-1.mga2
firefox-eo-10.0.7-1.mga2
firefox-es_AR-10.0.7-1.mga2
firefox-es_CL-10.0.7-1.mga2
firefox-es_ES-10.0.7-1.mga2
firefox-es_MX-10.0.7-1.mga2
firefox-et-10.0.7-1.mga2
firefox-eu-10.0.7-1.mga2
firefox-fa-10.0.7-1.mga2
firefox-fi-10.0.7-1.mga2
firefox-fr-10.0.7-1.mga2
firefox-fy-10.0.7-1.mga2
firefox-ga_IE-10.0.7-1.mga2
firefox-gd-10.0.7-1.mga2
firefox-gl-10.0.7-1.mga2
firefox-gu_IN-10.0.7-1.mga2
firefox-he-10.0.7-1.mga2
firefox-hi-10.0.7-1.mga2
firefox-hr-10.0.7-1.mga2
firefox-hu-10.0.7-1.mga2
firefox-hy-10.0.7-1.mga2
firefox-id-10.0.7-1.mga2
firefox-is-10.0.7-1.mga2
firefox-it-10.0.7-1.mga2
firefox-ja-10.0.7-1.mga2
firefox-kk-10.0.7-1.mga2
firefox-ko-10.0.7-1.mga2
firefox-kn-10.0.7-1.mga2
firefox-ku-10.0.7-1.mga2
firefox-lg-10.0.7-1.mga2
firefox-lt-10.0.7-1.mga2
firefox-lv-10.0.7-1.mga2
firefox-mai-10.0.7-1.mga2
firefox-mk-10.0.7-1.mga2
firefox-ml-10.0.7-1.mga2
firefox-mr-10.0.7-1.mga2
firefox-nb_NO-10.0.7-1.mga2
firefox-nl-10.0.7-1.mga2
firefox-nn_NO-10.0.7-1.mga2
firefox-nso-10.0.7-1.mga2
firefox-or-10.0.7-1.mga2
firefox-pa_IN-10.0.7-1.mga2
firefox-pl-10.0.7-1.mga2
firefox-pt_BR-10.0.7-1.mga2
firefox-pt_PT-10.0.7-1.mga2
firefox-ro-10.0.7-1.mga2
firefox-ru-10.0.7-1.mga2
firefox-si-10.0.7-1.mga2
firefox-sk-10.0.7-1.mga2
firefox-sl-10.0.7-1.mga2
firefox-sq-10.0.7-1.mga2
firefox-sr-10.0.7-1.mga2
firefox-sv_SE-10.0.7-1.mga2
firefox-ta-10.0.7-1.mga2
firefox-ta_LK-10.0.7-1.mga2
firefox-te-10.0.7-1.mga2
firefox-th-10.0.7-1.mga2
firefox-tr-10.0.7-1.mga2
firefox-uk-10.0.7-1.mga2
firefox-vi-10.0.7-1.mga2
firefox-zh_CN-10.0.7-1.mga2
firefox-zh_TW-10.0.7-1.mga2
firefox-zu-10.0.7-1.mga2

Comment 1 Eduard Beliaev 2012-08-26 23:54:55 CEST
Testing on Mageia 2 x86_64, afterwards I will install Mageia 2 x86/i586 version on the VM.

Comment 2 Carolyn Rowse 2012-08-27 07:57:32 CEST
Testing on Mga1 i586.

Comment 3 David GEIGER 2012-08-27 08:03:28 CEST
Testing complete for Firefox-10.0.7 on Mageia release 2 (Official) for x86_64,

for me it's OK, nothing to report and no regression since the update.

-firefox-10.0.7-1.mga2
-firefox-fr-10.0.7-1.mga2
-nss-3.13.6-1.mga2
-libnss3-3.13.6-1.mga2
-libnspr4-4.9.2-1.mga2

Comment 4 Carolyn Rowse 2012-08-27 12:11:34 CEST
No problems encountered with Mga1 or Mga2 on i586.

Comment 5 Eduard Beliaev 2012-08-27 16:50:06 CEST
Works ok on Mageia 2 x86_64 and Mageia 2 x86/i586.

Comment 6 Eduard Beliaev 2012-08-27 19:53:15 CEST
For those who want to test Firefox with other languages, you should install a plugin called Quick Locale Switcher.

Comment 7 claire robinson 2012-08-28 11:08:03 CEST
Testing complete mga2 x86_64

Java, flash, https, flash over https, spellcheck
Bookmarks, Addons, personas

Nothing to report.

Comment 8 claire robinson 2012-08-28 14:25:15 CEST
Testing complete mga1 i586

Comment 9 David Walser 2012-08-28 20:39:48 CEST
Upstream advisories are available now, so we have references.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html

Comment 10 Dave Hodgins 2012-08-29 03:25:22 CEST
Testing complete on both arches both releases.

Could someone from the sysadmin team push the srpms
nspr-4.9.2-1.mga2
nss-3.13.6-1.mga2
firefox-10.0.7-1.mga2
firefox-l10n-10.0.7-1.mga2
from Mageia 2 Core Updates Testing to Core Updates and the srpms
nspr-4.9.2-1.mga1
nss-3.13.6-1.mga1
firefox-10.0.7-1.mga1
firefox-l10n-10.0.7-1.mga1
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:  Security update for firefox corrects the following items
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980

Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-67.html
http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html

https://bugs.mageia.org/show_bug.cgi?id=7215

Comment 11 David Walser 2012-08-29 13:48:02 CEST
CVE descriptions are now available from Red Hat.

Note that the CVE list has been fixed, as one of the Mozilla advisories I had listed previously only affects Windows.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974,
CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958,
CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963,
CVE-2012-3964)

A web page containing a malicious Scalable Vector Graphics (SVG) image file
could cause Firefox to crash or, potentially, execute arbitrary code with
the privileges of the user running Firefox. (CVE-2012-3969, CVE-2012-3970)

Two flaws were found in the way Firefox rendered certain images using
WebGL. A web page containing malicious content could cause Firefox to crash
or, under certain conditions, possibly execute arbitrary code with the
privileges of the user running Firefox. (CVE-2012-3967, CVE-2012-3968)

A flaw was found in the way Firefox decoded embedded bitmap images in Icon
Format (ICO) files. A web page containing a malicious ICO file could cause
Firefox to crash or, under certain conditions, possibly execute arbitrary
code with the privileges of the user running Firefox. (CVE-2012-3966)

A flaw was found in the way the "eval" command was handled by the Firefox
Web Console. Running "eval" in the Web Console while viewing a web page
containing malicious content could possibly cause Firefox to execute
arbitrary code with the privileges of the user running Firefox.
(CVE-2012-3980)

An out-of-bounds memory read flaw was found in the way Firefox used the
format-number feature of XSLT (Extensible Stylesheet Language
Transformations). A web page containing malicious content could possibly
cause an information leak, or cause Firefox to crash. (CVE-2012-3972)

It was found that the SSL certificate information for a previously visited
site could be displayed in the address bar while the main window displayed
a new page. This could lead to phishing attacks as attackers could use this
flaw to trick users into believing they are viewing a trusted site.
(CVE-2012-3976)

A flaw was found in the location object implementation in Firefox.
Malicious content could use this flaw to possibly allow restricted content
to be loaded. (CVE-2012-3978)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3980
http://www.mozilla.org/security/announce/2012/mfsa2012-57.html
http://www.mozilla.org/security/announce/2012/mfsa2012-58.html
http://www.mozilla.org/security/announce/2012/mfsa2012-61.html
http://www.mozilla.org/security/announce/2012/mfsa2012-62.html
http://www.mozilla.org/security/announce/2012/mfsa2012-63.html
http://www.mozilla.org/security/announce/2012/mfsa2012-65.html
http://www.mozilla.org/security/announce/2012/mfsa2012-69.html
http://www.mozilla.org/security/announce/2012/mfsa2012-70.html
http://www.mozilla.org/security/announce/2012/mfsa2012-72.html
https://rhn.redhat.com/errata/RHSA-2012-1210.html

Comment 12 Thomas Backlund 2012-08-30 11:07:11 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0245
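
Added example, not part of the original bug report: a Python check that flags installed packages older than the fixed builds listed in this bug, including the case where a localization package and the main browser package are at different versions. The function names, the simplified version comparison (no epoch, tilde or caret handling) and the sample input are assumptions; the `libnss3-3.13.5` and `bash` entries are constructed.

```python
import re

# Fixed version and release per package family, taken from the RPM lists in this bug.
FIXED = [
    (re.compile(r"^firefox(-.+)?$"), "10.0.7", "1"),
    (re.compile(r"^(nss(-doc)?|libnss(3|-.+))$"), "3.13.6", "1"),
    (re.compile(r"^libnspr(4|-devel)$"), "4.9.2", "1"),
]

# Constructed sample of package query output (name-version-release, no arch suffix).
SAMPLE = """\
firefox-10.0.6-1.mga2
firefox-fr-10.0.7-1.mga2
nss-3.13.6-1.mga2
libnss3-3.13.5-1.mga2
libnspr4-4.9.2-1.mga2
bash-4.2-9.mga2
"""

def segments(s):
    """Split a version or release string into numeric and alphabetic runs."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):          # a numeric run sorts above an alphabetic one
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(rpm_qa_output):
    """Return the installed packages that are older than the fixed builds."""
    hits = []
    for nvr in rpm_qa_output.split():
        if nvr.count("-") < 2:              # not a name-version-release string
            continue
        name, version, release = nvr.rsplit("-", 2)
        for pattern, fixed_ver, fixed_rel in FIXED:
            if pattern.match(name):
                c = vercmp(version, fixed_ver)
                if c < 0 or (c == 0 and vercmp(release, fixed_rel) < 0):
                    hits.append(nvr)
                break
    return hits
```

On a real host, pass `outdated()` the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; an empty result means every tracked package is at or above the fixed build.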
