Bug 7752 - Firefox 10.0.8
Summary: Firefox 10.0.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/519136/
Whiteboard: MGA1TOO, MGA1-32-OK, MGA1-64-OK, MGA2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-10-10 03:52 CEST by David Walser
Modified: 2012-10-11 09:25 CEST
CC List: 8 users

See Also:
Source RPM: firefox-10.0.7-1.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-10-10 03:52:02 CEST
Red Hat has issued an advisory today (October 9):
https://rhn.redhat.com/errata/RHSA-2012-1350.html

Funda Wang has uploaded updated packages for Mageia 1 and Mageia 2.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995,
CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183,
CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188).

Two flaws in Firefox could allow a malicious website to bypass intended
restrictions, possibly leading to information disclosure, or Firefox
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in Firefox.
Malicious content could be used to perform cross-site scripting attacks,
script injection, or spoofing attacks (CVE-2012-1956, CVE-2012-3992,
CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Firefox to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2012-1350.html
========================

Updated packages in core/updates_testing:
========================
firefox-10.0.8-1.mga1
firefox-devel-10.0.8-1.mga1
firefox-af-10.0.8-1.mga1
firefox-ar-10.0.8-1.mga1
firefox-ast-10.0.8-1.mga1
firefox-be-10.0.8-1.mga1
firefox-bg-10.0.8-1.mga1
firefox-bn_IN-10.0.8-1.mga1
firefox-bn_BD-10.0.8-1.mga1
firefox-br-10.0.8-1.mga1
firefox-bs-10.0.8-1.mga1
firefox-ca-10.0.8-1.mga1
firefox-cs-10.0.8-1.mga1
firefox-cy-10.0.8-1.mga1
firefox-da-10.0.8-1.mga1
firefox-de-10.0.8-1.mga1
firefox-el-10.0.8-1.mga1
firefox-en_GB-10.0.8-1.mga1
firefox-en_ZA-10.0.8-1.mga1
firefox-eo-10.0.8-1.mga1
firefox-es_AR-10.0.8-1.mga1
firefox-es_CL-10.0.8-1.mga1
firefox-es_ES-10.0.8-1.mga1
firefox-es_MX-10.0.8-1.mga1
firefox-et-10.0.8-1.mga1
firefox-eu-10.0.8-1.mga1
firefox-fa-10.0.8-1.mga1
firefox-fi-10.0.8-1.mga1
firefox-fr-10.0.8-1.mga1
firefox-fy-10.0.8-1.mga1
firefox-ga_IE-10.0.8-1.mga1
firefox-gd-10.0.8-1.mga1
firefox-gl-10.0.8-1.mga1
firefox-gu_IN-10.0.8-1.mga1
firefox-he-10.0.8-1.mga1
firefox-hi-10.0.8-1.mga1
firefox-hr-10.0.8-1.mga1
firefox-hu-10.0.8-1.mga1
firefox-hy-10.0.8-1.mga1
firefox-id-10.0.8-1.mga1
firefox-is-10.0.8-1.mga1
firefox-it-10.0.8-1.mga1
firefox-ja-10.0.8-1.mga1
firefox-kk-10.0.8-1.mga1
firefox-ko-10.0.8-1.mga1
firefox-kn-10.0.8-1.mga1
firefox-ku-10.0.8-1.mga1
firefox-lg-10.0.8-1.mga1
firefox-lt-10.0.8-1.mga1
firefox-lv-10.0.8-1.mga1
firefox-mai-10.0.8-1.mga1
firefox-mk-10.0.8-1.mga1
firefox-ml-10.0.8-1.mga1
firefox-mr-10.0.8-1.mga1
firefox-nb_NO-10.0.8-1.mga1
firefox-nl-10.0.8-1.mga1
firefox-nn_NO-10.0.8-1.mga1
firefox-nso-10.0.8-1.mga1
firefox-or-10.0.8-1.mga1
firefox-pa_IN-10.0.8-1.mga1
firefox-pl-10.0.8-1.mga1
firefox-pt_BR-10.0.8-1.mga1
firefox-pt_PT-10.0.8-1.mga1
firefox-ro-10.0.8-1.mga1
firefox-ru-10.0.8-1.mga1
firefox-si-10.0.8-1.mga1
firefox-sk-10.0.8-1.mga1
firefox-sl-10.0.8-1.mga1
firefox-sq-10.0.8-1.mga1
firefox-sr-10.0.8-1.mga1
firefox-sv_SE-10.0.8-1.mga1
firefox-ta-10.0.8-1.mga1
firefox-ta_LK-10.0.8-1.mga1
firefox-te-10.0.8-1.mga1
firefox-th-10.0.8-1.mga1
firefox-tr-10.0.8-1.mga1
firefox-uk-10.0.8-1.mga1
firefox-vi-10.0.8-1.mga1
firefox-zh_CN-10.0.8-1.mga1
firefox-zh_TW-10.0.8-1.mga1
firefox-zu-10.0.8-1.mga1
firefox-10.0.8-1.mga2
firefox-devel-10.0.8-1.mga2
firefox-af-10.0.8-1.mga2
firefox-ar-10.0.8-1.mga2
firefox-ast-10.0.8-1.mga2
firefox-be-10.0.8-1.mga2
firefox-bg-10.0.8-1.mga2
firefox-bn_IN-10.0.8-1.mga2
firefox-bn_BD-10.0.8-1.mga2
firefox-br-10.0.8-1.mga2
firefox-bs-10.0.8-1.mga2
firefox-ca-10.0.8-1.mga2
firefox-cs-10.0.8-1.mga2
firefox-cy-10.0.8-1.mga2
firefox-da-10.0.8-1.mga2
firefox-de-10.0.8-1.mga2
firefox-el-10.0.8-1.mga2
firefox-en_GB-10.0.8-1.mga2
firefox-en_ZA-10.0.8-1.mga2
firefox-eo-10.0.8-1.mga2
firefox-es_AR-10.0.8-1.mga2
firefox-es_CL-10.0.8-1.mga2
firefox-es_ES-10.0.8-1.mga2
firefox-es_MX-10.0.8-1.mga2
firefox-et-10.0.8-1.mga2
firefox-eu-10.0.8-1.mga2
firefox-fa-10.0.8-1.mga2
firefox-fi-10.0.8-1.mga2
firefox-fr-10.0.8-1.mga2
firefox-fy-10.0.8-1.mga2
firefox-ga_IE-10.0.8-1.mga2
firefox-gd-10.0.8-1.mga2
firefox-gl-10.0.8-1.mga2
firefox-gu_IN-10.0.8-1.mga2
firefox-he-10.0.8-1.mga2
firefox-hi-10.0.8-1.mga2
firefox-hr-10.0.8-1.mga2
firefox-hu-10.0.8-1.mga2
firefox-hy-10.0.8-1.mga2
firefox-id-10.0.8-1.mga2
firefox-is-10.0.8-1.mga2
firefox-it-10.0.8-1.mga2
firefox-ja-10.0.8-1.mga2
firefox-kk-10.0.8-1.mga2
firefox-ko-10.0.8-1.mga2
firefox-kn-10.0.8-1.mga2
firefox-ku-10.0.8-1.mga2
firefox-lg-10.0.8-1.mga2
firefox-lt-10.0.8-1.mga2
firefox-lv-10.0.8-1.mga2
firefox-mai-10.0.8-1.mga2
firefox-mk-10.0.8-1.mga2
firefox-ml-10.0.8-1.mga2
firefox-mr-10.0.8-1.mga2
firefox-nb_NO-10.0.8-1.mga2
firefox-nl-10.0.8-1.mga2
firefox-nn_NO-10.0.8-1.mga2
firefox-nso-10.0.8-1.mga2
firefox-or-10.0.8-1.mga2
firefox-pa_IN-10.0.8-1.mga2
firefox-pl-10.0.8-1.mga2
firefox-pt_BR-10.0.8-1.mga2
firefox-pt_PT-10.0.8-1.mga2
firefox-ro-10.0.8-1.mga2
firefox-ru-10.0.8-1.mga2
firefox-si-10.0.8-1.mga2
firefox-sk-10.0.8-1.mga2
firefox-sl-10.0.8-1.mga2
firefox-sq-10.0.8-1.mga2
firefox-sr-10.0.8-1.mga2
firefox-sv_SE-10.0.8-1.mga2
firefox-ta-10.0.8-1.mga2
firefox-ta_LK-10.0.8-1.mga2
firefox-te-10.0.8-1.mga2
firefox-th-10.0.8-1.mga2
firefox-tr-10.0.8-1.mga2
firefox-uk-10.0.8-1.mga2
firefox-vi-10.0.8-1.mga2
firefox-zh_CN-10.0.8-1.mga2
firefox-zh_TW-10.0.8-1.mga2
firefox-zu-10.0.8-1.mga2

from SRPMS:
firefox-10.0.8-1.mga1.src.rpm
firefox-l10n-10.0.8-1.mga1.src.rpm
firefox-10.0.8-1.mga2.src.rpm
firefox-l10n-10.0.8-1.mga2.src.rpm

David Walser 2012-10-10 03:52:16 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA1TOO

Comment 1 Simon Putt 2012-10-10 12:42:28 CEST
All my extensions/plugins, including the new Flash, are working as in previous versions.

Checked all my usual sites: Facebook, Neowin, Phoronix, YouTube work fine.

CC: (none) => lemonzest

Comment 2 David GEIGER 2012-10-10 21:36:26 CEST
Testing complete for firefox-10.0.8-1.mga2 on Mageia release 2 (Official) for x86_64. It's OK for me: it works fine and there is nothing to report.

CC: (none) => geiger.david68210

Comment 3 Marc Lattemann 2012-10-10 23:33:32 CEST
Tested mga1 i586 and x86_64: Java, Flash (over HTTPS), Personas, German and English localization - everything works fine.
Added MGA2-64-OK as well to the whiteboard.
Simon, on which arch did you do your tests?

CC: (none) => marc.lattemann
Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK, MGA1-64-OK

Marc Lattemann 2012-10-10 23:34:33 CEST

Whiteboard: MGA1TOO, MGA1-32-OK, MGA1-64-OK => MGA1TOO, MGA1-32-OK, MGA1-64-OK, MGA2-64-OK

Comment 4 Simon Putt 2012-10-10 23:43:53 CEST
Sorry, forgot: Mageia 2 x86_64 (as always)

David Walser 2012-10-10 23:51:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/519136/

Comment 5 Marc Lattemann 2012-10-11 01:41:49 CEST
OK - also tested for mga2 i586 (same tests as in Comment 3).

Whiteboard: MGA1TOO, MGA1-32-OK, MGA1-64-OK, MGA2-64-OK => MGA1TOO, MGA1-32-OK, MGA1-64-OK, MGA2-64-OK, MGA2-32-OK

Comment 6 Eduard Beliaev 2012-10-11 02:25:38 CEST
Works ok on Mageia 2 x86_64.

CC: (none) => ed_rus099

Comment 7 Dave Hodgins 2012-10-11 05:24:49 CEST
Validating the update.

Could someone from the sysadmin team push the srpms
firefox-10.0.8-1.mga2.src.rpm
firefox-l10n-10.0.8-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
firefox-10.0.8-1.mga1.src.rpm
firefox-l10n-10.0.8-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995,
CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183,
CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188).

Two flaws in Firefox could allow a malicious website to bypass intended
restrictions, possibly leading to information disclosure, or Firefox
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in Firefox.
Malicious content could be used to perform cross-site scripting attacks,
script injection, or spoofing attacks (CVE-2012-1956, CVE-2012-3992,
CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Firefox to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2012-1350.html

https://bugs.mageia.org/show_bug.cgi?id=7752

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Thomas Backlund 2012-10-11 09:25:14 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0288

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

