Bug 7752 - Firefox 10.0.8
: Firefox 10.0.8
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/519136/
: MGA1TOO, MGA1-32-OK, MGA1-64-OK, MGA2...
: validated_update
Reported: 2012-10-10 03:52 CEST by David Walser
Modified: 2012-10-11 09:25 CEST

Source RPM: firefox-10.0.7-1.mga2.src.rpm

Description David Walser 2012-10-10 03:52:02 CEST
Red Hat has issued an advisory today (October 9):
https://rhn.redhat.com/errata/RHSA-2012-1350.html

Funda Wang has uploaded updated packages for Mageia 1 and Mageia 2.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995,
CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183,
CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188).

Two flaws in Firefox could allow a malicious website to bypass intended
restrictions, possibly leading to information disclosure, or Firefox
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in Firefox.
Malicious content could be used to perform cross-site scripting attacks,
script injection, or spoofing attacks (CVE-2012-1956, CVE-2012-3992,
CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Firefox to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2012-1350.html
========================

Updated packages in core/updates_testing:
========================
firefox-10.0.8-1.mga1
firefox-devel-10.0.8-1.mga1
firefox-af-10.0.8-1.mga1
firefox-ar-10.0.8-1.mga1
firefox-ast-10.0.8-1.mga1
firefox-be-10.0.8-1.mga1
firefox-bg-10.0.8-1.mga1
firefox-bn_IN-10.0.8-1.mga1
firefox-bn_BD-10.0.8-1.mga1
firefox-br-10.0.8-1.mga1
firefox-bs-10.0.8-1.mga1
firefox-ca-10.0.8-1.mga1
firefox-cs-10.0.8-1.mga1
firefox-cy-10.0.8-1.mga1
firefox-da-10.0.8-1.mga1
firefox-de-10.0.8-1.mga1
firefox-el-10.0.8-1.mga1
firefox-en_GB-10.0.8-1.mga1
firefox-en_ZA-10.0.8-1.mga1
firefox-eo-10.0.8-1.mga1
firefox-es_AR-10.0.8-1.mga1
firefox-es_CL-10.0.8-1.mga1
firefox-es_ES-10.0.8-1.mga1
firefox-es_MX-10.0.8-1.mga1
firefox-et-10.0.8-1.mga1
firefox-eu-10.0.8-1.mga1
firefox-fa-10.0.8-1.mga1
firefox-fi-10.0.8-1.mga1
firefox-fr-10.0.8-1.mga1
firefox-fy-10.0.8-1.mga1
firefox-ga_IE-10.0.8-1.mga1
firefox-gd-10.0.8-1.mga1
firefox-gl-10.0.8-1.mga1
firefox-gu_IN-10.0.8-1.mga1
firefox-he-10.0.8-1.mga1
firefox-hi-10.0.8-1.mga1
firefox-hr-10.0.8-1.mga1
firefox-hu-10.0.8-1.mga1
firefox-hy-10.0.8-1.mga1
firefox-id-10.0.8-1.mga1
firefox-is-10.0.8-1.mga1
firefox-it-10.0.8-1.mga1
firefox-ja-10.0.8-1.mga1
firefox-kk-10.0.8-1.mga1
firefox-ko-10.0.8-1.mga1
firefox-kn-10.0.8-1.mga1
firefox-ku-10.0.8-1.mga1
firefox-lg-10.0.8-1.mga1
firefox-lt-10.0.8-1.mga1
firefox-lv-10.0.8-1.mga1
firefox-mai-10.0.8-1.mga1
firefox-mk-10.0.8-1.mga1
firefox-ml-10.0.8-1.mga1
firefox-mr-10.0.8-1.mga1
firefox-nb_NO-10.0.8-1.mga1
firefox-nl-10.0.8-1.mga1
firefox-nn_NO-10.0.8-1.mga1
firefox-nso-10.0.8-1.mga1
firefox-or-10.0.8-1.mga1
firefox-pa_IN-10.0.8-1.mga1
firefox-pl-10.0.8-1.mga1
firefox-pt_BR-10.0.8-1.mga1
firefox-pt_PT-10.0.8-1.mga1
firefox-ro-10.0.8-1.mga1
firefox-ru-10.0.8-1.mga1
firefox-si-10.0.8-1.mga1
firefox-sk-10.0.8-1.mga1
firefox-sl-10.0.8-1.mga1
firefox-sq-10.0.8-1.mga1
firefox-sr-10.0.8-1.mga1
firefox-sv_SE-10.0.8-1.mga1
firefox-ta-10.0.8-1.mga1
firefox-ta_LK-10.0.8-1.mga1
firefox-te-10.0.8-1.mga1
firefox-th-10.0.8-1.mga1
firefox-tr-10.0.8-1.mga1
firefox-uk-10.0.8-1.mga1
firefox-vi-10.0.8-1.mga1
firefox-zh_CN-10.0.8-1.mga1
firefox-zh_TW-10.0.8-1.mga1
firefox-zu-10.0.8-1.mga1
firefox-10.0.8-1.mga2
firefox-devel-10.0.8-1.mga2
firefox-af-10.0.8-1.mga2
firefox-ar-10.0.8-1.mga2
firefox-ast-10.0.8-1.mga2
firefox-be-10.0.8-1.mga2
firefox-bg-10.0.8-1.mga2
firefox-bn_IN-10.0.8-1.mga2
firefox-bn_BD-10.0.8-1.mga2
firefox-br-10.0.8-1.mga2
firefox-bs-10.0.8-1.mga2
firefox-ca-10.0.8-1.mga2
firefox-cs-10.0.8-1.mga2
firefox-cy-10.0.8-1.mga2
firefox-da-10.0.8-1.mga2
firefox-de-10.0.8-1.mga2
firefox-el-10.0.8-1.mga2
firefox-en_GB-10.0.8-1.mga2
firefox-en_ZA-10.0.8-1.mga2
firefox-eo-10.0.8-1.mga2
firefox-es_AR-10.0.8-1.mga2
firefox-es_CL-10.0.8-1.mga2
firefox-es_ES-10.0.8-1.mga2
firefox-es_MX-10.0.8-1.mga2
firefox-et-10.0.8-1.mga2
firefox-eu-10.0.8-1.mga2
firefox-fa-10.0.8-1.mga2
firefox-fi-10.0.8-1.mga2
firefox-fr-10.0.8-1.mga2
firefox-fy-10.0.8-1.mga2
firefox-ga_IE-10.0.8-1.mga2
firefox-gd-10.0.8-1.mga2
firefox-gl-10.0.8-1.mga2
firefox-gu_IN-10.0.8-1.mga2
firefox-he-10.0.8-1.mga2
firefox-hi-10.0.8-1.mga2
firefox-hr-10.0.8-1.mga2
firefox-hu-10.0.8-1.mga2
firefox-hy-10.0.8-1.mga2
firefox-id-10.0.8-1.mga2
firefox-is-10.0.8-1.mga2
firefox-it-10.0.8-1.mga2
firefox-ja-10.0.8-1.mga2
firefox-kk-10.0.8-1.mga2
firefox-ko-10.0.8-1.mga2
firefox-kn-10.0.8-1.mga2
firefox-ku-10.0.8-1.mga2
firefox-lg-10.0.8-1.mga2
firefox-lt-10.0.8-1.mga2
firefox-lv-10.0.8-1.mga2
firefox-mai-10.0.8-1.mga2
firefox-mk-10.0.8-1.mga2
firefox-ml-10.0.8-1.mga2
firefox-mr-10.0.8-1.mga2
firefox-nb_NO-10.0.8-1.mga2
firefox-nl-10.0.8-1.mga2
firefox-nn_NO-10.0.8-1.mga2
firefox-nso-10.0.8-1.mga2
firefox-or-10.0.8-1.mga2
firefox-pa_IN-10.0.8-1.mga2
firefox-pl-10.0.8-1.mga2
firefox-pt_BR-10.0.8-1.mga2
firefox-pt_PT-10.0.8-1.mga2
firefox-ro-10.0.8-1.mga2
firefox-ru-10.0.8-1.mga2
firefox-si-10.0.8-1.mga2
firefox-sk-10.0.8-1.mga2
firefox-sl-10.0.8-1.mga2
firefox-sq-10.0.8-1.mga2
firefox-sr-10.0.8-1.mga2
firefox-sv_SE-10.0.8-1.mga2
firefox-ta-10.0.8-1.mga2
firefox-ta_LK-10.0.8-1.mga2
firefox-te-10.0.8-1.mga2
firefox-th-10.0.8-1.mga2
firefox-tr-10.0.8-1.mga2
firefox-uk-10.0.8-1.mga2
firefox-vi-10.0.8-1.mga2
firefox-zh_CN-10.0.8-1.mga2
firefox-zh_TW-10.0.8-1.mga2
firefox-zu-10.0.8-1.mga2

from SRPMS:
firefox-10.0.8-1.mga1.src.rpm
firefox-l10n-10.0.8-1.mga1.src.rpm
firefox-10.0.8-1.mga2.src.rpm
firefox-l10n-10.0.8-1.mga2.src.rpm
Comment 1 Simon Putt 2012-10-10 12:42:28 CEST
All my extensions/plugins, including the new flash, are working as in previous versions.

checked all my usual sites, facebook, neowin, phoronix, youtube work fine.
Comment 2 David GEIGER 2012-10-10 21:36:26 CEST
Testing complete for firefox-10.0.8-1.mga2 on Mageia release 2 (Official) for x86_64. It's OK for me: it works fine and there is nothing to report.
Comment 3 Marc Lattemann 2012-10-10 23:33:32 CEST
tested mga1 i586 and x86_64: java, flash (over https), personas, german and english localization - everything works fine. 
Added MGA2-64-OK as well to the whiteboard.
Simon, on which arch did you do your tests?
Comment 4 Simon Putt 2012-10-10 23:43:53 CEST
Sorry forgot, Mageia 2 x86_64 (as always)
Comment 5 Marc Lattemann 2012-10-11 01:41:49 CEST
OK - also tested for mga2 i586 (same tests as in Comment 3).
Comment 6 Eduard Beliaev 2012-10-11 02:25:38 CEST
Works ok on Mageia 2 x86_64.
Comment 7 Dave Hodgins 2012-10-11 05:24:49 CEST
Validating the update.

Could someone from the sysadmin team push the srpms
firefox-10.0.8-1.mga2.src.rpm
firefox-l10n-10.0.8-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
firefox-10.0.8-1.mga1.src.rpm
firefox-l10n-10.0.8-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995,
CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183,
CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188).

Two flaws in Firefox could allow a malicious website to bypass intended
restrictions, possibly leading to information disclosure, or Firefox
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in Firefox.
Malicious content could be used to perform cross-site scripting attacks,
script injection, or spoofing attacks (CVE-2012-1956, CVE-2012-3992,
CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Firefox to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2012-1350.html

https://bugs.mageia.org/show_bug.cgi?id=7752
Comment 8 Thomas Backlund 2012-10-11 09:25:14 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0288
