Description of problem: On 20th November, Firefox 17 ESR was released. FF 10 will have no support from 20th February 2013. Maybe Firefox 17 should be tested from now, due to the large list of changes introduced since Firefox 10, and added to the updates repositories before 20th February.
Well, Firefox 17 is in Cauldron and will stay in the ESR channel for Mageia 3, so this is also a place. Firefox 10 is waiting to be moved to updates (https://bugs.mageia.org/show_bug.cgi?id=8180), so there is no need to rush the maintainers (they are aware of the near EOL). I don't know the plan, but yes, they can push it to testing if they have time.
CC: (none) => dmorganec
Source RPM: (none) => firefox
I don't think we can have multiple versions of firefox in testing. We can submit it if there are no more 10.0.X releases coming. But I don't think we need a bug for that. :)
Status: NEW => RESOLVED
CC: (none) => sander.lepik
Resolution: (none) => WONTFIX
Firefox 17 ESR is in updates_testing if you want to test.
Please test FF 17, which is the new ESR version.
Status: RESOLVED => UNCONFIRMED
Resolution: WONTFIX => (none)
Ever confirmed: 1 => 0
Please wait, we just reverted to FF to allow the last update to be pushed. FF 17 will come right after. (Please keep this BR open.)
I didn't realize 10.0.x was supposed to still be supported until February. If that's the case, we shouldn't be pushing 17 yet.
CC: (none) => luigiwalser
Why shouldn't we? This would allow us to have the same version in mga2/3 (easiest maintenance), this adds back KDE integration, allows the use of more plugins, adds gstreamer/opus support, ...
Well, the why wouldn't we is if they still support 10 to fix the security issues, sticking with that branch is the least disruptive update we can do, which is what we always try to do. That being said, you raise some good reasons to switch, so it's OK with me.
Can't we not push this last Firefox 10 update and then work slowly but surely on FF 17? And please see what's happening in bug 8180.
As far as how this screwed the update we're currently trying to push, we just need better communication and to be more careful.
As the FF update is pushed, can I update FF 17 in testing again? That way we will have some time to test, test the addons, etc.
Thomas had to go back and remove the update from updates even though it had been pushed, so no it's not done yet. We'll let you know when it's done.
OK now it's pushed. You may proceed.
Btw, when you push this... you should update sqlite3 to 3.7.14.1 as it fixes a segfault: http://www.sqlite.org/changes.html
CC: (none) => tmb
Priority: Normal => Low
Status: UNCONFIRMED => NEW
Hardware: i586 => All
Summary: Firefox 10 EOL => Firefox 17 new ESR
Ever confirmed: 0 => 1
Thank you for the advice, I updated sqlite3 to 3.7.14.1.
You can start to test FF 17 ESR.
firefox-17.0-2.mga2 is the current version that was just pushed to the build system. It's not quite done building as of this post, but should be on the mirrors within the next couple hours. It will also pull in the updated sqlite and opus packages from updates_testing when you install it.
Been testing this a little, and most of the features work fine,

h.264 now works (did not in 10), been testing WebGL, html5 canvas and media playback,

opus is not working (no playback of embedded or .opus files), nor was it a requires for the install (I am using the latest build, it has --enable-opus in the build string, previous 17 builds did not)

also Java, Flash, http/s etc. work fine

My testing is on x86_64 mga2

Simon/Lemonzest
CC: (none) => lemonzest
(In reply to comment #18)
> Been testing this a little, and most of the features work fine,
>
> h.264 now works (did not in 10), been testing WebGL, html5 canvas and media
> playback,
>
> opus is not working (no playback of embedded or .opus files), nor was it a
> requires for the install (I am using the latest build, it has --enable-opus in
> the build string, previous 17 builds did not)
>
> also Java, Flash, http/s etc. work fine
>
> My testing is on x86_64 mga2
>
> Simon/Lemonzest

Oh, I am using 17.0-3.mga2
(In reply to comment #19)
> (In reply to comment #18)
> > Been testing this a little, and most of the features work fine,
> >
> > h.264 now works (did not in 10), been testing WebGL, html5 canvas and media
> > playback,
> >
> > opus is not working (no playback of embedded or .opus files), nor was it a
> > requires for the install (I am using the latest build, it has --enable-opus in
> > the build string, previous 17 builds did not)
> >
> > also Java, Flash, http/s etc. work fine
> >
> > My testing is on x86_64 mga2
> >
> > Simon/Lemonzest
>
> Oh, I am using 17.0-3.mga2

h264 <video> tag needs tainted gstreamer.
Looking at the spec opus is only in buildrequires, and no requires section, manually installing lib64opus0 still does not enable the support
BTW, I am testing Opus support with the following site (it's the official Mozilla site). Neither the embedded nor the link works (the latter comes up with an error screen):
http://people.xiph.org/~giles/2012/opus/
Anyone who's testing the Mageia 2 updates_testing package here, can you reproduce the following issue reported for the Cauldron package (HTML5 video not working)? https://bugs.mageia.org/show_bug.cgi?id=8193
As I reported in bug 8193, it's working fine for me on Mageia 2 with firefox-17.0.1-3.mga2
CC: (none) => davidwhodgins
CC: (none) => fundawang
Firefox 17.0.2 is out now and is a security release. These are the Mozilla security advisories and CVEs that affect us and will be used in the advisory (broken down by Mozilla security advisory). We will also need to update Thunderbird.

Source:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4206

http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769

http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767

http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759

http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744

http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746

http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748

http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750

http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758

http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753

http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754

http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
Priority: Low => Normal
Severity: normal => critical
A FF 17.0.2 build is in updates_testing. I don't know if D Morgan plans to try to fix the Opus issue before official testing, so awaiting word on that. I e-mailed him some notes from cjw/spturtle today on a possible fix upstream.
CC: (none) => oe
CC: (none) => cjw
The rootcerts update is the one that actually fixes the last Mozilla security advisory MFSA 2013-20 (CVE-2013-0743). That one will not need to be listed in the advisory for Thunderbird.

Source RPMs:
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-1.mga2
firefox-l10n-17.0.2-1.mga2
So it doesn't get lost in the ether, these are the links Christiaan provided regarding a possible fix for the Opus issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=799344
https://bugs.launchpad.net/bugs/1051559
Mandriva has issued an advisory today (January 9): http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
URL: (none) => http://lwn.net/Vulnerabilities/532086/
Christiaan has fixed the Opus issue in iceape-2.15-2.mga3
And what about https://bugs.mageia.org/show_bug.cgi?id=8193 or any other bugs I don't have in mind?
(In reply to comment #31)
> And what about https://bugs.mageia.org/show_bug.cgi?id=8193 or any other bugs I
> don't have in mind?

Comment 24 says that didn't affect Mageia 2 builds, or do you know different?
Oops, sorry, forget that then.
Component: RPM Packages => Security
When using the search field with duckduckgo, putting value in the field, and pressing enter, the url being sent is
https://duckduckgo.com/?q=value
it should be
https://duckduckgo.com/?q=value,t=mageia
so that Mageia will get credit for the searches, as I understand it.
(In reply to comment #34)
> When using the search field with duckduckgo, putting value in the field, and
> pressing enter, the url being sent is
> https://duckduckgo.com/?q=value
> it should be
> https://duckduckgo.com/?q=value,t=mageia
> so that Mageia will get credit for the searches, as I understand it.

Shouldn't it be https://duckduckgo.com/?q=value&t=mageia ?
That's what pterjan did: http://svnweb.mageia.org/packages/cauldron/firefox/current/SOURCES/firefox-searchengines-duckduckgo.xml?r1=389214&r2=389233
Please try to avoid holding back a crucial security release for petty bugs (imho).
It was destined to get held up as soon as it was decided to move to 17ESR instead of sticking with 10ESR, unfortunately. I'll try to take a look at it this weekend if nobody beats me to it, but the duckduckgo thing is an easy fix, and hopefully the opus fixes apply easily too. Feel free to have a look. That's all this is waiting on.
(In reply to comment #37)
> Please try to avoid holding back a crucial security release for petty bugs
> (imho).

The minor bug would not have blocked the update, which has not yet been assigned to qa. I was asked on irc to add the note, to the bug report, once I noticed the problem.
Adding this as well as pterjan's duckduckgo fix should be sufficient for this to proceed: http://svnweb.mageia.org/packages/cauldron/iceape/current/SOURCES/iceape-2.15-moz-ogg.patch?revision=344499&view=markup
Firefox 17 seems to need the new libproxy, which obsoletes the mozjs plugin.

https://bugs.mageia.org/show_bug.cgi?id=6299
https://bugzilla.novell.com/show_bug.cgi?id=759123
https://bugzilla.mozilla.org/show_bug.cgi?id=763185
http://svnweb.mageia.org/packages?view=revision&revision=321544

Please be careful to validate and push the new libproxy (libproxy-0.4.11-1.mga2 is in updates_testing) before or at the same time as Firefox 17.

Regards,
Luc
CC: (none) => lmenut
There seems to be no bug about libproxy in updates testing.
(In reply to comment #42)
> There seems to be no bug about libproxy in updates testing.

It doesn't need a separate bug as it's part of the same update, it'll be with this bug. Thanks Luc for the reminder on that.
This is ready to go now, assigning to QA.

DuckDuckGo is fixed. Using it in the search bar should add &t=mageia to the end of the URLs when searching.

Christiaan's Opus fixes are included, so Opus should work. It will use Ogg libs directly for Ogg files and not use gstreamer, but otherwise the gstreamer support new with Firefox 17 should work. For Ogg stuff, it uses system ogg libs.

When testing, make sure you have the updated packages from all of the associated SRPMS installed.

Advisory to come later.

Source RPMS:
------------
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Assignee: bugsquad => qa-bugs
Blocks: (none) => 8767
Update to Firefox 10.0.12 checked into Mageia 1 SVN. It includes these packages, which must be built in this order: rootcerts, nspr, nss, firefox, firefox-l10n.
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743).

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary code execution (CVE-2013-0754).

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited (CVE-2013-0753).

Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution (CVE-2013-0758).

Security researcher pa_kt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a JavaScript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption (CVE-2013-0750).

Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections (CVE-2013-0748).

Mozilla developer Boris Zbarsky reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash (CVE-2013-0746).

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a use-after-free causing a potentially exploitable crash (CVE-2013-0744).

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional use-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release (CVE-2013-0762, CVE-2013-0766, CVE-2013-0767).

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-0769).

Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identity of another site (CVE-2013-0759).

Firefox has been updated to version 17.0.2, which fixes these issues, as well as provides several new features.

Additionally, the DuckDuckGo search engine has been added as an option in the search bar.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
========================

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-1.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-devel-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Oops, fixing a couple package versions in the advisory.

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-2.mga2
firefox-devel-17.0.2-2.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Testing general browsing x86_64 MGA2:
Rootcerts update not required during firefox update.
Opus audio codecs work
YouTube flash video works
Javascript tested with sunspider
Java function working with Javatester.com
Duckduckgo not added to search bar options
CC: (none) => wrw105
Whiteboard: (none) => Testing mga2_64
Is a specific libproxy version required? It doesn't appear to have a versioned require.
Forcing firefox to depend on nss-3.14.1-2.mga3 would ensure CVE-2013-0743 is fixed, but it is assumed you don't cherry pick packages not to update.
>Additionally, the DuckDuckGo search engine has been added as an option
>in the search bar.

Not working with a new or the current profile.
(In reply to comment #51)
> >Additionally, the DuckDuckGo search engine has been added as an option
> >in the search bar.
>
> Not working with a new or the current profile.

Also confirmed in Cauldron, adding the &t=mageia in duckduckgo.xml broke it. Pascal, any idea how to fix this?
CC: (none) => pterjan
Adding feedback marker for the ddg fix (qa meeting)
Whiteboard: Testing mga2_64 => feedback
DuckDuckGo should be fixed now in firefox-17.0.2-3.mga2.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743).

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This results in a use-after-free which can lead to arbitrary code execution (CVE-2013-0754).

Security researcher regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free in XMLSerializer by the exposing of serializeToStream to web content. This can lead to arbitrary code execution when exploited (CVE-2013-0753).

Security researcher Mariusz Mlynski reported that it is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution (CVE-2013-0758).

Security researcher pa_kt reported a flaw via TippingPoint's Zero Day Initiative that an integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption (CVE-2013-0750).

Mozilla security researcher Jesse Ruderman discovered that using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections (CVE-2013-0748).

Mozilla developer Boris Zbarsky reported a problem where jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash (CVE-2013-0746).

Using the Address Sanitizer tool, security researcher Atte Kettunen from OUSPG discovered that the combination of large numbers of columns and column groups in a table could cause the array containing the columns during rendering to overwrite itself. This can lead to a use-after-free causing a potentially exploitable crash (CVE-2013-0744).

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team discovered a series of critically rated use-after-free, out of bounds read, and buffer overflow issues using the Address Sanitizer tool in shipped software. These issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting three additional use-after-free and out of bounds read flaws introduced during Firefox development that were fixed before general release (CVE-2013-0762, CVE-2013-0766, CVE-2013-0767).

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-0769).

Security researcher Masato Kinugawa found a flaw in which the displayed URL values within the addressbar can be spoofed by a page during loading. This allows for phishing attacks where a malicious page can spoof the identity of another site (CVE-2013-0759).

Firefox has been updated to version 17.0.2, which fixes these issues, as well as provides several new features.

Additionally, the DuckDuckGo search engine has been added as an option in the search bar.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
========================

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-3.mga2
firefox-devel-17.0.2-3.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-3.mga2
firefox-l10n-17.0.2-1.mga2
Whiteboard: feedback => (none)
Tested MGA2-32

Web pages load normally
DDG added to search bar with appended &t=mageia
sunspider javascript test OK
Javatester shows icedtea working.
Opus codec works via https://people.xiph.org/~giles/2012/opus/
Whiteboard: (none) => MGA2-32OK
Testing complete for firefox-17.0.2-3.mga2 on Mageia release 2 (Official) for x86_64. For me it's OK and nothing to report, works fine.

- Opus codec works via https://people.xiph.org/~giles/2012/opus/
- Flash player works
- DDG works with appended &t=mageia
- Java works
- Addons work: Adblock Plus, Firebug, DownThemAll, Foxtab, Xmarks, Personas, ...

Info:
- If an addon turns out to be incompatible with firefox 17, there is an addon to circumvent this problem and make it compatible: https://addons.mozilla.org/fr/firefox/addon/checkcompatibility/
CC: (none) => geiger.david68210
Adding 64 OK from David's tests and validating.

Thanks guys

Advisory & SRPMs in comment 54

Could sysadmin please push from core/updates_testing to core/updates

Please push this before thunderbird.

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-32OK => MGA2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0020
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Looks like linking is needed, I get the following error:

The following package can not be selected:
- libproxy1-0.4.11-1.mga2.i586 (due to conflicts with libwebkitgtk3.0_0-1.8.3-1.mga2.i586)
CC: (none) => wassi
cf above
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
I don't get your comment, Manuel. I did not cherry pick if that is what you refer to.
He just reopened the bug and directed the sysadmins' attention to your comment.
should have commented more "cf above for the reopening" (as it needs a comment)
I don't see any linking issues here... it reports a _conflict_, not a missing dep...
While the message is misleading, the user who reported it (st3ve on IRC) said the error went away when they *installed* libwebkit3.0_0 manually, so that appears to be what needs to be linked.
So this firefox & co build is broken...

we already have libwebkit3.0_0 in updates, but this update (at least libproxy1) is built against the one in release, so it pulls in a security vuln...
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0324

so there is no way I will link the older 1.8.1 into updates... not to mention people would start reporting that a libwebkitgtk3.0_0 update will try to remove the libproxy1...

Then there is also this:

[thomas@zeus i586]$ rpm -qpl ./media/core/release/libwebkitgtk3.0_0-1.8.1-1.mga2.i586.rpm
/usr/lib/libwebkitgtk-3.0.so.0
/usr/lib/libwebkitgtk-3.0.so.0.13.2
[thomas@zeus i586]$ rpm -qpl ./media/core/updates/libwebkitgtk3.0_0-1.8.3-1.mga2.i586.rpm
/usr/lib/libwebkitgtk-3.0.so.0
/usr/lib/libwebkitgtk-3.0.so.0.13.4

so bottom line... libproxy build must be fixed...
Well how the heck did libproxy get that tight a requires to the libwebkit package version? It didn't change library majors. So what needs to be done, just rebuild libproxy?
I guess there is some pkgconfig file somewhere with a hardcoded version, or a wrong buildrequires somewhere, so I doubt a simple rebuild will fix it. Maybe adding a versioned BR on 1.8.3 can help flush out the error. Or roll back to firefox 10, install libwebkitgtk3.0_0-1.8.3-1.mga2 and use urpmi --debug to try and reproduce.
This makes no sense. I looked at the libproxy packages, and they don't require libwebkitgtk3.0_0 directly. libproxy1 requires libproxy-pac, which is provided by libproxy-webkit, which requires libjavascriptcoregtk-3.0.so.0, which is provided by libjavascriptcoregtk3.0_0 (both 1.8.1 and 1.8.3 provide it, so either should suffice), and that requires libwebkitgtk3.0_0 (whose version needs to match). Since libjavascriptcoregtk3.0_0 and libwebkitgtk3.0_0 are built from the same SRPM, they are both in updates, and this problem shouldn't be happening.
Manuel: Sorry for the noise and thanks for explaining. David: I still did not do the update, as I want to be able to confirm the fix once it's actually fixed. So if you want me to carry out any testing just let me know - I can reproduce the problem to this day. :)
Maybe you can try as root: urpmi --auto-update --test to see it shows that it would have an error, although I think urpmi wouldn't. Perhaps if you add a --searchmedia option to it, telling it only to look in the core/updates repository, you could reproduce the error with urpmi. If you can reproduce it, adding the --debug option might give some useful output.
Ok, this is what I get:

# urpmi --auto-update --test
Medium »Core Release (distrib1)« ist auf dem aktuellen Stand (=is up to date)
Medium »Core Updates (distrib3)« ist auf dem aktuellen Stand
Medium »Nonfree Release (distrib11)« ist auf dem aktuellen Stand
Medium »Nonfree Updates (distrib13)« ist auf dem aktuellen Stand
Medium »Tainted Release (distrib21)« ist auf dem aktuellen Stand
Medium »Tainted Updates (distrib23)« ist auf dem aktuellen Stand
Um die Abhängigkeiten zu erfüllen, werden die folgenden Pakete installiert: (=to fulfill dependencies, the following packages will be installed)
(nur ein Test, es wird keine wirkliche Installation durchgeführt)
  Paket                          Version      Release  Arch
(Medium »Core Release (distrib1)«)
  libgail3_0                     3.4.1        2.mga2   i586
(Medium »Core Updates (distrib3)«)
  firefox                        17.0.2       3.mga2   i586
  firefox-de                     17.0.2       1.mga2   noarch
  libjavascriptcoregtk3.0_0      1.8.3        1.mga2   i586
  libnspr4                       4.9.4        1.mga2   i586
  libnss3                        3.14.1       2.mga2   i586
  libopus0                       1.0.2        1.mga2   i586
  libproxy-webkit                0.4.11       1.mga2   i586
  libproxy1                      0.4.11       1.mga2   i586
  libwebkitgtk3.0_0              1.8.3        1.mga2   i586
  nss                            3.14.1       2.mga2   i586
  rootcerts                      20121229.00  2.mga2   i586
  rootcerts-java                 20121229.00  2.mga2   i586
  webkit3                        1.8.3        1.mga2   i586
  webkit3.0                      1.8.3        1.mga2   i586
  webkit3.0-webinspector         1.8.3        1.mga2   i586 (Vorschlag)
36MB zusätzlicher Speicher wird benötigt
26MB an Paketen wird geholt
Fortfahren mit der Installation der 16 Pakete? (J/n) j

ftp://ftp.sunet.se/pub/Linux/distributions/mageia/distrib/2/i586/media/core/release/libgail3_0-3.4.1-2.mga2.i586.rpm
(...)
Vorbereiten … (=Preparing)
######################################
Die Installation ist möglich (= Installation is possible)
As for the --searchmedia option, could you tell me the exact command I am supposed to use? I'm struggling a bit with that, I keep getting an error message...
(In reply to comment #73)
> As for the --searchmedia option, could you tell me the exact command I am
> supposed to use? I'm struggling a bit with that, I keep getting an error
> message...

No I can't, because it depends on your media configuration. The thing after --searchmedia is the name of the core/updates medium. You'll have to check your /etc/urpmi/urpmi.cfg to see what exactly it's called on your machine. The name most likely has spaces, so you'll have to put quotes around it.

In my urpmi.cfg, I have:

Core\ Updates /home/linux/mageia/distrib/2/i586/media/core/updates {
  key-ids: 80420f66
  update
}

so it would be --searchmedia "Core Updates"
Hmm, well you did say on IRC that it said libgail3_0 needs linking, and according to your output in Comment 72, that appears to be correct. I wonder if linking that would actually fix this. So, the deal is that the updated libproxy requires libwebkitgtk3.0_0, which is in updates, but recursive requires can cause Bug 2317 also, and since libwebkitgtk3.0_0 requires libgail3_0, if you didn't already have those installed, you can't install this update through the applet.
Ok, it looks like I can not reproduce it by using --searchmedia.

# urpmi --auto-update --test --searchmedia "Core lease (distrib1)"
(...)
Packages are up to date.

# urpmi --auto-update --test --searchmedia "Core Updates (distrib3)"
(...)
  Paket                          Version      Release  Arch
(Medium »Core Release (distrib1)«)
  libgail3_0                     3.4.1        2.mga2   i586
(Medium »Core Updates (distrib3)«)
  firefox                        17.0.2       3.mga2   i586
  firefox-de                     17.0.2       1.mga2   noarch
  libjavascriptcoregtk3.0_0      1.8.3        1.mga2   i586
  libnspr4                       4.9.4        1.mga2   i586
  libnss3                        3.14.1       2.mga2   i586
  libopus0                       1.0.2        1.mga2   i586
  libproxy-webkit                0.4.11       1.mga2   i586
  libproxy1                      0.4.11       1.mga2   i586
  libwebkitgtk3.0_0              1.8.3        1.mga2   i586
  nss                            3.14.1       2.mga2   i586
  rootcerts                      20121229.00  2.mga2   i586
  rootcerts-java                 20121229.00  2.mga2   i586
  webkit3                        1.8.3        1.mga2   i586
  webkit3.0                      1.8.3        1.mga2   i586
  webkit3.0-webinspector         1.8.3        1.mga2   i586 (Vorschlag)
Vorbereiten … (=Preparing)
######################################
Die Installation ist möglich (= Installing is possible)

As for libgail, depcheck (as linked on Bug 2317) said libgail would require linking - that's why I said it on IRC.
(In reply to comment #76)
> As for libgail, depcheck (as linked on Bug 2317) said libgail would require
> linking - that's why I said it on IRC.

Sigh, then _why_ didn't you add that in comment 59? It would have saved ~20 comments on this bug...

And I guess the reason for no-one in QA noticing it when pushing webkit is that there is a libgail3_0 in updates_testing (as part of the "ignored" big gnome update), so depcheck was probably happy too... interestingly no webkit users have complained so far...

I'll go link libgail to updates...
lib(64)gail3_0 linked.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
(In reply to comment #77)
> And I guess the reason for no-one in QA noticing it when pushing webkit is that
> there is a libgail3_0 in updates_testing (as part of the "ignored" big gnome
> update), so depcheck was probably happy too... interestingly no webkit users
> has complained so far...

No, libgail3_0 wasn't a *new* requires vs. the webkit from release, so it wouldn't have been needed to link it at that time.
Yes, having recursive dependencies in updates testing is a case where depcheck fails. It isn't worth rewriting depcheck though now we are looking towards a fix for the infamous bug 2317
Depends on: (none) => 2317
Looks like libgail3_0 was to blame after all (i.e. depcheck was right). I did not change the configuration of my system or install any new packages, but the problem is solved now, the update worked without problems.
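The dependency chain worked out in this thread (libproxy1 down to libgail3_0), as an added example that is not part of the bug report and is not the code of depcheck or urpmi: a simplified closure check showing why looking only at direct requires passes while the recursive walk finds a package that no update medium carries. The `REQUIRES` and `MEDIA` tables are constructed from the comments above (versions and capability resolution are left out), and `needs_linking` is a hypothetical helper name.

```python
from collections import deque

# Constructed metadata, reduced to the chain described in the comments above.
# Capabilities are already resolved to the package that provides them.
REQUIRES = {
    "libproxy1": ["libproxy-webkit"],  # via the libproxy-pac capability
    "libproxy-webkit": ["libjavascriptcoregtk3.0_0"],
    "libjavascriptcoregtk3.0_0": ["libwebkitgtk3.0_0"],
    "libwebkitgtk3.0_0": ["libgail3_0"],
}
# Medium each package is published in, as shown in the urpmi output above.
MEDIA = {
    "libproxy1": "core/updates",
    "libproxy-webkit": "core/updates",
    "libjavascriptcoregtk3.0_0": "core/updates",
    "libwebkitgtk3.0_0": "core/updates",
    "libgail3_0": "core/release",
}


def needs_linking(pkg, installed=(), recursive=True,
                  update_media=("core/updates",)):
    """List packages that pkg would pull in but no update medium carries.

    installed: packages already on the system; they count as satisfied and
    are not walked further. recursive=False models a check that looks only
    at the direct requires of pkg.
    """
    installed = set(installed)
    seen = {pkg}
    queue = deque([(pkg, 0)])
    missing = []
    while queue:
        current, depth = queue.popleft()
        if not recursive and depth >= 1:
            continue  # shallow check stops after the first level
        for dep in REQUIRES.get(current, []):
            if dep in seen or dep in installed:
                continue
            seen.add(dep)
            if MEDIA.get(dep) not in update_media:
                missing.append(dep)  # only reachable from a non-update medium
            queue.append((dep, depth + 1))
    return missing


if __name__ == "__main__":
    print("direct requires only:", needs_linking("libproxy1", recursive=False))
    print("recursive closure:   ", needs_linking("libproxy1"))
    print("webkit already there:", needs_linking(
        "libproxy1", installed=["libwebkitgtk3.0_0", "libgail3_0"]))
```

A system that already has libwebkitgtk3.0_0 and libgail3_0 installed reports nothing, which matches the observation that only users without webkit hit the failure.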