Bug 8184 - Firefox 17 new ESR
: Firefox 17 new ESR
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/532086/
: MGA2-32-OK mga2-64-OK
: validated_update
: 2317
: 8767
  Show dependency treegraph
 
Reported: 2012-11-22 20:23 CET by Alejandro Cobo
Modified: 2013-01-29 13:44 CET (History)
15 users (show)

See Also:
Source RPM: firefox
CVE:
Status comment:


Attachments

Description Alejandro Cobo 2012-11-22 20:23:06 CET
Description of problem:
20th November, Firefox 17 ESR was released. FF 10 will have no support from 20 th February 2013.

Maybe Firefox 17 should be tested from now due the large list of changes introduces since Firefox 10 and add it to updates repositories before 20 th February.
Comment 1 Manuel Hiebel 2012-11-22 21:13:49 CET
well firefox 17 is in cauldron and will stay in the ESR channel for mageia3
so this is also a place.

firefox 10 is waiting to be moved in updates https://bugs.mageia.org/show_bug.cgi?id=8180

so no need to rush maintainer (they are awake of the near eol

I don't know the plan but yes they can push it to testing if they have time
Comment 2 Sander Lepik 2012-11-22 21:39:01 CET
I don't think we can have multiple versions of firefox in testing. We can submit it if there are no more 10.0.X releases coming.

But i don't think we need a bug for that. :)
Comment 3 Manuel Hiebel 2012-11-23 12:49:31 CET
firefox 17 esr is in updates_testing if you want test
Comment 4 D Morgan 2012-11-23 17:52:23 CET
please test FF 17 which is the new esr version
Comment 5 D Morgan 2012-11-23 18:24:04 CET
please wait we just reverted to FF to allow the last update to be pushed. FF 17 will come right after . ( please keep this BR open )
Comment 6 David Walser 2012-11-23 22:11:48 CET
I didn't realize 10.0.x was supposed to still be supported until February.  If that's the case, we shouldn't be pushing 17 yet.
Comment 7 D Morgan 2012-11-23 22:19:06 CET
why shouldn't we ? 

this would allow to have the same version in mga2/3 ( easiest maintaince ), this add back kde integration, allow to use more plugins, add gstreamer/opus support, ...
Comment 8 David Walser 2012-11-23 22:21:26 CET
Well, the why wouldn't we is if they still support 10 to fix the security issues, sticking with that branch is the least disruptive update we can do, which is what we always try to do.

That being said, you raise some good reasons to switch, so it's OK with me.
Comment 9 Manuel Hiebel 2012-11-23 22:21:52 CET
can't we not pushed this last firefox 10 updates and the works slowly but surely on ff17 ?

and please see what's happen in bug 8180
Comment 10 David Walser 2012-11-23 22:23:30 CET
As far as how this screwed the update we're currently trying to push, we just need better communication and to be more careful.
Comment 11 D Morgan 2012-11-23 22:34:18 CET
as FF update is pushed, can i update again FF 17 in testing ? so we will have some time to test, test the addons, etc
Comment 12 David Walser 2012-11-23 22:36:14 CET
Thomas had to go back and remove the update from updates even though it had been pushed, so no it's not done yet.  We'll let you know when it's done.
Comment 13 David Walser 2012-11-23 23:08:13 CET
OK now it's pushed.  You may proceed.
Comment 14 Thomas Backlund 2012-11-23 23:15:32 CET

Btw, when you push this... 

you should update sqlite3 to 3.7.14.1 as it fixes a segfault:
http://www.sqlite.org/changes.html
Comment 15 D Morgan 2012-11-23 23:49:23 CET
thank you for the advice, i updated sqlite3 to 3.7.14.1
Comment 16 D Morgan 2012-11-24 01:00:00 CET
you can start to test FF 17esr
Comment 17 David Walser 2012-11-24 01:01:55 CET
firefox-17.0-2.mga2 is the current version that was just pushed to the build system.  It's not quite done building as of this post, but should be on the mirrors within the next couple hours.  It will also pull in the updated sqlite and opus packages from updates_testing when you install it.
Comment 18 Simon Putt 2012-11-24 03:19:35 CET
Been testing this a little, and most of the features work fine, 

h.264 now works (did not in 10), been testing WebGL, html5 canvas and media playback, 

opus is not working (no playback of enbeded or .opus files) , nor was it a requires for the install (i am using the latest build, it has --enable-opus in the build string, previous 17 builds did not)

also Java, Flash, http/s etc works fine

My testing is on x86_64 mga2

Simon/Lemonzest
Comment 19 Simon Putt 2012-11-24 03:20:37 CET
Oh i am using 17.0-3.mga2(In reply to comment #18)
> Been testing this a little, and most of the features work fine, 
> 
> h.264 now works (did not in 10), been testing WebGL, html5 canvas and media
> playback, 
> 
> opus is not working (no playback of enbeded or .opus files) , nor was it a
> requires for the install (i am using the latest build, it has --enable-opus in
> the build string, previous 17 builds did not)
> 
> also Java, Flash, http/s etc works fine
> 
> My testing is on x86_64 mga2
> 
> Simon/Lemonzest

Oh i am using 17.0-3.mga2
Comment 20 Simon Putt 2012-11-24 11:10:42 CET
(In reply to comment #19)
> Oh i am using 17.0-3.mga2(In reply to comment #18)
> > Been testing this a little, and most of the features work fine, 
> > 
> > h.264 now works (did not in 10), been testing WebGL, html5 canvas and media
> > playback, 
> > 
> > opus is not working (no playback of enbeded or .opus files) , nor was it a
> > requires for the install (i am using the latest build, it has --enable-opus in
> > the build string, previous 17 builds did not)
> > 
> > also Java, Flash, http/s etc works fine
> > 
> > My testing is on x86_64 mga2
> > 
> > Simon/Lemonzest
> 
> Oh i am using 17.0-3.mga2

h264 <video> tag needs tainted gstreamer.
Comment 21 Simon Putt 2012-11-24 11:36:42 CET
Looking at the spec opus is only in buildrequires, and no requires section, manually installing lib64opus0 still does not enable the support
Comment 22 Simon Putt 2012-11-24 13:01:01 CET
BTW I am testing Opus support with this follow site (its the official mozilla site)

Neither the embedded or link work (the latter comes up with an error screen)

http://people.xiph.org/~giles/2012/opus/
Comment 23 David Walser 2012-12-12 05:07:19 CET
Anyone who's testing the Mageia 2 updates_testing package here, can you reproduce the following issue reported for the Cauldron package (HTML5 video not working)?
https://bugs.mageia.org/show_bug.cgi?id=8193
Comment 24 Dave Hodgins 2012-12-12 05:50:59 CET
As I reported in bug 8193, it's working fine for me on Mageia 2 with
firefox-17.0.1-3.mga2
Comment 25 David Walser 2013-01-08 21:00:24 CET
Firefox 17.0.2 is out now and is a security release.  These are the Mozilla security advisories and CVEs that affect us and will be used in the advisory (broken down by Mozilla security advisory).  We will also need to update Thunderbird.

Source:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

http://www.mozilla.org/security/announce/2012/mfsa2012-98.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4206

http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769

http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767

http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759

http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744

http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746

http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748

http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750

http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758

http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753

http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754

http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
Comment 26 David Walser 2013-01-09 01:50:39 CET
A FF 17.0.2 build is in updates_testing.  I don't know if D Morgan plans to try to fix the Opus issue before official testing, so awaiting word on that.  I e-mailed him some notes from cjw/spturtle today on a possible fix upstream.
Comment 27 David Walser 2013-01-09 01:55:25 CET
The rootcerts update is the one that actually fixes the last Mozilla security advisory MFSA 2013-20 (CVE-2013-0743).  That one will not need to be listed in the advisory for Thunderbird.

Source RPMs:
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-1.mga2
firefox-l10n-17.0.2-1.mga2
Comment 28 David Walser 2013-01-09 02:00:15 CET
So it doesn't get lost in the ether, these are the links Christiaan provided regarding a possible fix for the Opus issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=799344
https://bugs.launchpad.net/bugs/1051559
Comment 29 David Walser 2013-01-09 18:46:24 CET
Mandriva has issued an advisory today (January 9):
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
Comment 30 David Walser 2013-01-10 01:39:38 CET
Christiaan has fixed the Opus issue in iceape-2.15-2.mga3
Comment 31 Manuel Hiebel 2013-01-11 22:40:40 CET
and what about https://bugs.mageia.org/show_bug.cgi?id=8193 or any other bugs I don't have in the mind ?
Comment 32 David Walser 2013-01-12 03:37:52 CET
(In reply to comment #31)
> and what about https://bugs.mageia.org/show_bug.cgi?id=8193 or any other bugs I
> don't have in the mind ?

Comment 24 says that didn't affect Mageia 2 builds, or do you know different?
Comment 33 Manuel Hiebel 2013-01-13 17:48:27 CET
oups sorry forget that then.
Comment 34 Dave Hodgins 2013-01-17 23:27:28 CET
When using the search field with duckduckgo, putting value in the field, and
pressing enter, the url being sent is
https://duckduckgo.com/?q=value
it should be
https://duckduckgo.com/?q=value,t=mageia
so that Mageia will get credit for the searches, as I understand it.
Comment 35 Sander Lepik 2013-01-17 23:44:31 CET
(In reply to comment #34)
> When using the search field with duckduckgo, putting value in the field, and
> pressing enter, the url being sent is
> https://duckduckgo.com/?q=value
> it should be
> https://duckduckgo.com/?q=value,t=mageia
> so that Mageia will get credit for the searches, as I understand it.

Shouldn't it be https://duckduckgo.com/?q=value&t=mageia ?
Comment 37 Oden Eriksson 2013-01-18 00:07:34 CET
Please try to avoid holding back a crucial security release for petty bugs (imho).
Comment 38 David Walser 2013-01-18 00:18:40 CET
It was destined to get held up as soon as it was decided to move to 17ESR instead of sticking with 10ESR, unfortunately.

I'll try to take a look at it this weekend if nobody beats me to it, but the duckduckgo thing is an easy fix, and hopefully the opus fixes apply easily too.  Feel free to have a look.  That's all this is waiting on.
Comment 39 Dave Hodgins 2013-01-18 02:00:36 CET
(In reply to comment #37)
> Please try to avoid holding back a crucial security release for petty bugs
> (imho).

The minor bug would not have blocked the update, which has not yet been
assigned to qa.  I was asked on irc to add the note, to the bug report,
once I noticed the problem.
Comment 40 David Walser 2013-01-18 02:22:03 CET
Adding this as well as pterjan's duckduckgo fix should be sufficient for this to proceed:
http://svnweb.mageia.org/packages/cauldron/iceape/current/SOURCES/iceape-2.15-moz-ogg.patch?revision=344499&view=markup
Comment 41 Luc Menut 2013-01-19 12:06:49 CET
Firefox 17 seems to need new libproxy which obsoletes the mozjs plugin.
https://bugs.mageia.org/show_bug.cgi?id=6299
https://bugzilla.novell.com/show_bug.cgi?id=759123
https://bugzilla.mozilla.org/show_bug.cgi?id=763185
http://svnweb.mageia.org/packages?view=revision&revision=321544

Please, be careful to validate and push new libproxy (libproxy-0.4.11-1.mga2 is in updates_testing) before or at the same time than Firefox 17.

regards,
Luc
Comment 42 Sander Lepik 2013-01-19 12:21:23 CET
There seems to be no bug about libproxy in updates testing.
Comment 43 David Walser 2013-01-19 16:25:00 CET
(In reply to comment #42)
> There seems to be no bug about libproxy in updates testing.

It doesn't need a separate bug as it's part of the same update, it'll be with this bug.  Thanks Luc for the reminder on that.
Comment 44 David Walser 2013-01-22 00:42:24 CET
This is ready to go now, assigning to QA.

DuckDuckGo is fixed.  Using it in the search bar should add &t=mageia to the end of the URLs when searching.

Christiaan's Opus fixes are included, so Opus should work.  It will use Ogg libs directly for Ogg files and not use gstreamer, but otherwise the gstreamer support new with Firefox 17 should work.  For Ogg stuff, it uses system ogg libs.

When testing, make sure you have the updated packages from all of the associated SRPMS installed.  Advisory to come later.

Source RPMS:
------------
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Comment 45 David Walser 2013-01-22 01:03:28 CET
Update to Firefox 10.0.12 checked into Mageia 1 SVN.

It includes these packages, which must be built in this order:
rootcerts, nspr, nss, firefox, firefox-l10n.
Comment 46 David Walser 2013-01-22 01:19:43 CET
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Google reported to Mozilla that TURKTRUST, a certificate authority in
Mozillas root program, had mis-issued two intermediate certificates
to customers. The issue was not specific to Firefox but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates (CVE-2013-0743).

Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have been allocated
in some circumstances. This results in a use-after-free which can
lead to arbitrary code execution (CVE-2013-0754).

Security researcher regenrecht reported, via TippingPoint's Zero
Day Initiative, a use-after-free in XMLSerializer by the exposing
of serializeToStream to web content. This can lead to arbitrary code
execution when exploited (CVE-2013-0753).

Security researcher Mariusz Mlynski reported that it is possible
to open a chrome privileged web page through plugin objects through
interaction with SVG elements. This could allow for arbitrary code
execution (CVE-2013-0758).

Security researcher pa_kt reported a flaw via TippingPoint's Zero Day
Initiative that an integer overflow is possible when calculating the
length for a Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow, leading to a
potentially exploitable memory corruption (CVE-2013-0750).

Mozilla security researcher Jesse Ruderman discovered that using the
toString function of XBL objects can lead to inappropriate information
leakage by revealing the address space layout instead of just the ID
of the object. This layout information could potentially be used to
bypass ASLR and other security protections (CVE-2013-0748).

Mozilla developer Boris Zbarsky reported reported a problem where
jsval-returning quickstubs fail to wrap their return values, causing
a compartment mismatch. This mismatch can cause garbage collection
to occur incorrectly and lead to a potentially exploitable crash
(CVE-2013-0746).

Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG discovered that the combination of large numbers
of columns and column groups in a table could cause the array
containing the columns during rendering to overwrite itself. This
can lead to a user-after-free causing a potentially exploitable crash
(CVE-2013-0744).

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team discovered a series critically rated of use-after-free,
out of bounds read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We would also like
to thank Abhishek for reporting three additional user-after-free and
out of bounds read flaws introduced during Firefox development that
were fixed before general release (CVE-2013-0762, CVE-2013-0766,
CVE-2013-0767).

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-0769).

Security researcher Masato Kinugawa found a flaw in which the
displayed URL values within the addressbar can be spoofed by a page
during loading. This allows for phishing attacks where a malicious
page can spoof the identify of another site (CVE-2013-0759).

Firefox has been updated to version 17.0.2, which fixes these issues,
as well as provides several new features.

Additionally, the DuckDuckGo search engine has been added as an option
in the search bar.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
========================

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-1.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-devel-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Comment 47 David Walser 2013-01-22 01:25:48 CET
Oops, fixing a couple package versions in the advisory.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Google reported to Mozilla that TURKTRUST, a certificate authority in
Mozillas root program, had mis-issued two intermediate certificates
to customers. The issue was not specific to Firefox but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates (CVE-2013-0743).

Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have been allocated
in some circumstances. This results in a use-after-free which can
lead to arbitrary code execution (CVE-2013-0754).

Security researcher regenrecht reported, via TippingPoint's Zero
Day Initiative, a use-after-free in XMLSerializer by the exposing
of serializeToStream to web content. This can lead to arbitrary code
execution when exploited (CVE-2013-0753).

Security researcher Mariusz Mlynski reported that it is possible
to open a chrome privileged web page through plugin objects through
interaction with SVG elements. This could allow for arbitrary code
execution (CVE-2013-0758).

Security researcher pa_kt reported a flaw via TippingPoint's Zero Day
Initiative that an integer overflow is possible when calculating the
length for a Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow, leading to a
potentially exploitable memory corruption (CVE-2013-0750).

Mozilla security researcher Jesse Ruderman discovered that using the
toString function of XBL objects can lead to inappropriate information
leakage by revealing the address space layout instead of just the ID
of the object. This layout information could potentially be used to
bypass ASLR and other security protections (CVE-2013-0748).

Mozilla developer Boris Zbarsky reported reported a problem where
jsval-returning quickstubs fail to wrap their return values, causing
a compartment mismatch. This mismatch can cause garbage collection
to occur incorrectly and lead to a potentially exploitable crash
(CVE-2013-0746).

Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG discovered that the combination of large numbers
of columns and column groups in a table could cause the array
containing the columns during rendering to overwrite itself. This
can lead to a user-after-free causing a potentially exploitable crash
(CVE-2013-0744).

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team discovered a series critically rated of use-after-free,
out of bounds read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We would also like
to thank Abhishek for reporting three additional user-after-free and
out of bounds read flaws introduced during Firefox development that
were fixed before general release (CVE-2013-0762, CVE-2013-0766,
CVE-2013-0767).

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-0769).

Security researcher Masato Kinugawa found a flaw in which the
displayed URL values within the addressbar can be spoofed by a page
during loading. This allows for phishing attacks where a malicious
page can spoof the identify of another site (CVE-2013-0759).

Firefox has been updated to version 17.0.2, which fixes these issues,
as well as provides several new features.

Additionally, the DuckDuckGo search engine has been added as an option
in the search bar.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
========================

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-2.mga2
firefox-devel-17.0.2-2.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-2.mga2
firefox-l10n-17.0.2-1.mga2
Comment 48 Bill Wilkinson 2013-01-22 06:02:20 CET
Testing general browsing x86_64 MGA2:
Rootcerts update not required  during firefox update.
Opus audio codecs work
YouTube flash video works
Javascript tested with sunspider
Java function working with Javatester.com

Duckduckgo not added to search bar options
Comment 49 claire robinson 2013-01-22 11:55:41 CET
Is a specific libproxy version required? 

It doesn't appear to have a versioned require.
Comment 50 Oden Eriksson 2013-01-22 12:13:11 CET
Forcing firefox to depend on nss-3.14.1-2.mga3 would ensure CVE-2013-0743 is fixed, but it is assumed you don't cherry pick packages not to update.
Comment 51 Manuel Hiebel 2013-01-22 12:34:48 CET
>Additionally, the DuckDuckGo search engine has been added as an option
>in the search bar.

not working with a new or the current profile
Comment 52 David Walser 2013-01-22 21:30:01 CET
(In reply to comment #51)
> >Additionally, the DuckDuckGo search engine has been added as an option
> >in the search bar.
> 
> not working with a new or the current profile

Also confirmed in Cauldron, adding the &t=mageia in duckduckgo.xml broke it.

Pascal, any idea how to fix this?
Comment 53 claire robinson 2013-01-24 22:16:39 CET
Adding feedback marker for the ddg fix (qa meeting)
Comment 54 David Walser 2013-01-26 02:58:33 CET
DuckDuckGo should be fixed now in firefox-17.0.2-3.mga2.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Google reported to Mozilla that TURKTRUST, a certificate authority in
Mozillas root program, had mis-issued two intermediate certificates
to customers. The issue was not specific to Firefox but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates (CVE-2013-0743).

Security researcher regenrecht reported, via TippingPoint's Zero Day
Initiative, a use-after-free within the ListenerManager when garbage
collection is forced after data in listener objects have been allocated
in some circumstances. This results in a use-after-free which can
lead to arbitrary code execution (CVE-2013-0754).

Security researcher regenrecht reported, via TippingPoint's Zero
Day Initiative, a use-after-free in XMLSerializer by the exposing
of serializeToStream to web content. This can lead to arbitrary code
execution when exploited (CVE-2013-0753).

Security researcher Mariusz Mlynski reported that it is possible
to open a chrome privileged web page through plugin objects through
interaction with SVG elements. This could allow for arbitrary code
execution (CVE-2013-0758).

Security researcher pa_kt reported a flaw via TippingPoint's Zero Day
Initiative that an integer overflow is possible when calculating the
length for a Javascript string concatenation, which is then used for
memory allocation. This results in a buffer overflow, leading to a
potentially exploitable memory corruption (CVE-2013-0750).

Mozilla security researcher Jesse Ruderman discovered that using the
toString function of XBL objects can lead to inappropriate information
leakage by revealing the address space layout instead of just the ID
of the object. This layout information could potentially be used to
bypass ASLR and other security protections (CVE-2013-0748).

Mozilla developer Boris Zbarsky reported reported a problem where
jsval-returning quickstubs fail to wrap their return values, causing
a compartment mismatch. This mismatch can cause garbage collection
to occur incorrectly and lead to a potentially exploitable crash
(CVE-2013-0746).

Using the Address Sanitizer tool, security researcher Atte Kettunen
from OUSPG discovered that the combination of large numbers
of columns and column groups in a table could cause the array
containing the columns during rendering to overwrite itself. This
can lead to a user-after-free causing a potentially exploitable crash
(CVE-2013-0744).

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team discovered a series critically rated of use-after-free,
out of bounds read, and buffer overflow issues using the Address
Sanitizer tool in shipped software. These issues are potentially
exploitable, allowing for remote code execution. We would also like
to thank Abhishek for reporting three additional user-after-free and
out of bounds read flaws introduced during Firefox development that
were fixed before general release (CVE-2013-0762, CVE-2013-0766,
CVE-2013-0767).

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-0769).

Security researcher Masato Kinugawa found a flaw in which the
displayed URL values within the addressbar can be spoofed by a page
during loading. This allows for phishing attacks where a malicious
page can spoof the identify of another site (CVE-2013-0759).

Firefox has been updated to version 17.0.2, which fixes these issues,
as well as provides several new features.

Additionally, the DuckDuckGo search engine has been added as an option
in the search bar.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769
http://www.mozilla.org/security/announce/2013/mfsa2013-01.html
http://www.mozilla.org/security/announce/2013/mfsa2013-02.html
http://www.mozilla.org/security/announce/2013/mfsa2013-04.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html
http://www.mozilla.org/security/announce/2013/mfsa2013-09.html
http://www.mozilla.org/security/announce/2013/mfsa2013-11.html
http://www.mozilla.org/security/announce/2013/mfsa2013-12.html
http://www.mozilla.org/security/announce/2013/mfsa2013-15.html
http://www.mozilla.org/security/announce/2013/mfsa2013-16.html
http://www.mozilla.org/security/announce/2013/mfsa2013-17.html
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2013:002
========================

Updated packages in core/updates_testing:
========================
libproxy-devel-0.4.11-1.mga2
libproxy-gnome-0.4.11-1.mga2
libproxy-gxsettings-0.4.11-1.mga2
libproxy-kde-0.4.11-1.mga2
libproxy-networkmanager-0.4.11-1.mga2
libproxy-perl-0.4.11-1.mga2
libproxy-utils-0.4.11-1.mga2
libproxy-webkit-0.4.11-1.mga2
libproxy1-0.4.11-1.mga2
python-libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
rootcerts-java-20121229.00-2.mga2
libnspr-devel-4.9.4-1.mga2
libnspr4-4.9.4-1.mga2
libnss-devel-3.14.1-2.mga2
libnss-static-devel-3.14.1-2.mga2
libnss3-3.14.1-2.mga2
nss-3.14.1-2.mga2
nss-doc-3.14.1-2.mga2
firefox-17.0.2-3.mga2
firefox-devel-17.0.2-3.mga2
firefox-af-17.0.2-1.mga2
firefox-ar-17.0.2-1.mga2
firefox-ast-17.0.2-1.mga2
firefox-be-17.0.2-1.mga2
firefox-bg-17.0.2-1.mga2
firefox-bn_BD-17.0.2-1.mga2
firefox-bn_IN-17.0.2-1.mga2
firefox-br-17.0.2-1.mga2
firefox-bs-17.0.2-1.mga2
firefox-ca-17.0.2-1.mga2
firefox-cs-17.0.2-1.mga2
firefox-cy-17.0.2-1.mga2
firefox-da-17.0.2-1.mga2
firefox-de-17.0.2-1.mga2
firefox-el-17.0.2-1.mga2
firefox-en_GB-17.0.2-1.mga2
firefox-en_ZA-17.0.2-1.mga2
firefox-eo-17.0.2-1.mga2
firefox-es_AR-17.0.2-1.mga2
firefox-es_CL-17.0.2-1.mga2
firefox-es_ES-17.0.2-1.mga2
firefox-es_MX-17.0.2-1.mga2
firefox-et-17.0.2-1.mga2
firefox-eu-17.0.2-1.mga2
firefox-fa-17.0.2-1.mga2
firefox-fi-17.0.2-1.mga2
firefox-fr-17.0.2-1.mga2
firefox-fy-17.0.2-1.mga2
firefox-ga_IE-17.0.2-1.mga2
firefox-gd-17.0.2-1.mga2
firefox-gl-17.0.2-1.mga2
firefox-gu_IN-17.0.2-1.mga2
firefox-he-17.0.2-1.mga2
firefox-hi-17.0.2-1.mga2
firefox-hr-17.0.2-1.mga2
firefox-hu-17.0.2-1.mga2
firefox-hy-17.0.2-1.mga2
firefox-id-17.0.2-1.mga2
firefox-is-17.0.2-1.mga2
firefox-it-17.0.2-1.mga2
firefox-ja-17.0.2-1.mga2
firefox-kk-17.0.2-1.mga2
firefox-kn-17.0.2-1.mga2
firefox-ko-17.0.2-1.mga2
firefox-ku-17.0.2-1.mga2
firefox-lg-17.0.2-1.mga2
firefox-lt-17.0.2-1.mga2
firefox-lv-17.0.2-1.mga2
firefox-mai-17.0.2-1.mga2
firefox-mk-17.0.2-1.mga2
firefox-ml-17.0.2-1.mga2
firefox-mr-17.0.2-1.mga2
firefox-nb_NO-17.0.2-1.mga2
firefox-nl-17.0.2-1.mga2
firefox-nn_NO-17.0.2-1.mga2
firefox-nso-17.0.2-1.mga2
firefox-or-17.0.2-1.mga2
firefox-pa_IN-17.0.2-1.mga2
firefox-pl-17.0.2-1.mga2
firefox-pt_BR-17.0.2-1.mga2
firefox-pt_PT-17.0.2-1.mga2
firefox-ro-17.0.2-1.mga2
firefox-ru-17.0.2-1.mga2
firefox-si-17.0.2-1.mga2
firefox-sk-17.0.2-1.mga2
firefox-sl-17.0.2-1.mga2
firefox-sq-17.0.2-1.mga2
firefox-sr-17.0.2-1.mga2
firefox-sv_SE-17.0.2-1.mga2
firefox-ta-17.0.2-1.mga2
firefox-ta_LK-17.0.2-1.mga2
firefox-te-17.0.2-1.mga2
firefox-th-17.0.2-1.mga2
firefox-tr-17.0.2-1.mga2
firefox-uk-17.0.2-1.mga2
firefox-vi-17.0.2-1.mga2
firefox-zh_CN-17.0.2-1.mga2
firefox-zh_TW-17.0.2-1.mga2
firefox-zu-17.0.2-1.mga2

from SRPMS:
libproxy-0.4.11-1.mga2
rootcerts-20121229.00-2.mga2
nspr-4.9.4-1.mga2
nss-3.14.1-2.mga3
firefox-17.0.2-3.mga2
firefox-l10n-17.0.2-1.mga2
Comment 55 Bill Wilkinson 2013-01-26 05:04:01 CET
Tested MGA2-32
Web pages load normally
DDG added to search bar with appended &t=mageia
sunspider javascript test OK
Javatester shows icedtea working.
Opus codec works via https://people.xiph.org/~giles/2012/opus/
Comment 56 David GEIGER 2013-01-26 09:34:18 CET
Testing complete for firefox-17.0.2-3.mga2 on Mageia release 2 (Official) for x86_64, for me it's Ok and nothing to report, works fine.


-Opus codec works via https://people.xiph.org/~giles/2012/opus/
-Flash player works
-DDG works with appended &t=mageia
-Java works
-Addons works :Adblock Plus, Firebug, DownThemAll, Foxtab, Xmarks, Personas, ...


Info :
-If one Addons was to be incompatible with firefox 17, there is an Addon to circumvent this problem and to make them compatible :

https://addons.mozilla.org/fr/firefox/addon/checkcompatibility/
Comment 57 claire robinson 2013-01-26 12:26:06 CET
Adding 64 OK from Davids tests and Validating

Thanks guys

Advisory & SRPMs in comment 54

Could sysadmin please push from core/updates_testing to core/updates

Please push this before thunderbird.

Thankyou!
Comment 58 Thomas Backlund 2013-01-26 18:59:53 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0020
Comment 59 user7 2013-01-27 17:55:53 CET
Looks like linking is needed, I get the following error:

The following package can not be selected:
- libproxy1-0.4.11-1.mga2.i586 (due to conflicts with libwebkitgtk3.0_0-1.8.3-1.mga2.i586)
Comment 60 Manuel Hiebel 2013-01-27 19:40:32 CET
cf above
Comment 61 user7 2013-01-27 21:47:43 CET
I don't get your comment, Manuel. I did not cherry pick if that is what you refer to.
Comment 62 David Walser 2013-01-27 21:49:03 CET
He just reopened the bug and directed the sysadmins' attention to your comment.
Comment 63 Manuel Hiebel 2013-01-27 21:50:48 CET
should have commented more "cf above for the reopening" (as it needs a comment)
Comment 64 Thomas Backlund 2013-01-27 22:01:05 CET
I dont see any linking issues here...

it reports a _conflict_, not a missing dep...
Comment 65 David Walser 2013-01-27 22:02:34 CET
While the message is misleading, the user who reported it (st3ve on IRC), said the error went away when *installed* libwebkit3.0_0 manually, so that appears to be what needs to be linked.
Comment 66 Thomas Backlund 2013-01-27 23:05:15 CET
So this firefox & co build is broken...

we already have libwebkit3.0_0 in updates, 
but this update (atleast libproxy1) is built against the one in release, so it pulls in a security vuln...

https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0324

so there is no way I will link the older 1.8.1 into updates... 

not to mention people would start reporting that a libwebkitgtk3.0_0 update will try to remove the libproxy1... 

Then there is also this:
[thomas@zeus i586]$ rpm -qpl ./media/core/release/libwebkitgtk3.0_0-1.8.1-1.mga2.i586.rpm
/usr/lib/libwebkitgtk-3.0.so.0
/usr/lib/libwebkitgtk-3.0.so.0.13.2
[thomas@zeus i586]$ rpm -qpl ./media/core/updates/libwebkitgtk3.0_0-1.8.3-1.mga2.i586.rpm
/usr/lib/libwebkitgtk-3.0.so.0
/usr/lib/libwebkitgtk-3.0.so.0.13.4

so bottom line...

libproxy build must be fixed...
Comment 67 David Walser 2013-01-28 00:46:54 CET
Well how the heck did libproxy get that tight a requires to the libwebkit package version?  It didn't change library majors.

So what needs to be done, just rebuild libproxy?
Comment 68 Thomas Backlund 2013-01-28 10:22:04 CET
I guess there is some pkgconfig file somewhere with a hardcoded version, or a wrong buildrequires somewhere, so I doubt a simple rebuild will fix it.

maybe add versioned BR on 1.8.3 can help flush out the error.

or rollback to firefox 10, install libwebkitgtk3.0_0-1.8.3-1.mga2 and use urpmi --debug to try and reprocuce
Comment 69 David Walser 2013-01-29 00:48:24 CET
This makes no sense.  I looked at the libproxy packages, and they don't require libwebkitgtk3.0_0 directly.  libproxy1 requires libproxy-pac, which is provided by libproxy-webkit, which requires libjavascriptcoregtk-3.0.so.0, which is provided by libjavascriptcoregtk3.0_0 (both 1.8.1 and 1.8.3 provide it, so either should suffice), and that requires libwebkitgtk3.0_0 (whose version needs to match).  Since libjavascriptcoregtk3.0_0 and libwebkitgtk3.0_0 are built from the same SRPM, they are both in updates, and this problem shouldn't be happening.
Comment 70 user7 2013-01-29 01:50:11 CET
Manuel: Sorry for the noise and thanks for explaining.

David: I still did not do the update, as I want to be able to confirm the fix once it's actually fixed. So if you want me to carry out any testing just let me know - I can reproduce the problem to this day. :)
Comment 71 David Walser 2013-01-29 02:07:50 CET
Maybe you can try as root:
urpmi --auto-update --test

to see it shows that it would have an error, although I think urpmi wouldn't.  Perhaps if you add a --searchmedia option to it, telling it only to look in the core/updates repository, you could reproduce the error with urpmi.  If you can reproduce it, adding the --debug option might give some useful output.
Comment 72 user7 2013-01-29 02:13:45 CET
Ok, this is what I get:

# urpmi --auto-update --test
Medium »Core Release (distrib1)« ist auf dem aktuellen Stand (=is up to date)
Medium »Core Updates (distrib3)« ist auf dem aktuellen Stand
Medium »Nonfree Release (distrib11)« ist auf dem aktuellen Stand
Medium »Nonfree Updates (distrib13)« ist auf dem aktuellen Stand
Medium »Tainted Release (distrib21)« ist auf dem aktuellen Stand
Medium »Tainted Updates (distrib23)« ist auf dem aktuellen Stand
Um die Abhängigkeiten zu erfüllen, werden die folgenden Pakete installiert:
(=to fulfill dependencies, the following packages will be installed)
(nur ein Test, es wird keine wirkliche Installation durchgeführt)
  Paket                          Version      Release       Arch    
(Medium »Core Release (distrib1)«)
  libgail3_0                     3.4.1        2.mga2        i586    
(Medium »Core Updates (distrib3)«)
  firefox                        17.0.2       3.mga2        i586    
  firefox-de                     17.0.2       1.mga2        noarch  
  libjavascriptcoregtk3.0_0      1.8.3        1.mga2        i586    
  libnspr4                       4.9.4        1.mga2        i586    
  libnss3                        3.14.1       2.mga2        i586    
  libopus0                       1.0.2        1.mga2        i586    
  libproxy-webkit                0.4.11       1.mga2        i586    
  libproxy1                      0.4.11       1.mga2        i586    
  libwebkitgtk3.0_0              1.8.3        1.mga2        i586    
  nss                            3.14.1       2.mga2        i586    
  rootcerts                      20121229.00  2.mga2        i586    
  rootcerts-java                 20121229.00  2.mga2        i586    
  webkit3                        1.8.3        1.mga2        i586    
  webkit3.0                      1.8.3        1.mga2        i586    
  webkit3.0-webinspector         1.8.3        1.mga2        i586    (Vorschlag)
36MB zusätzlicher Speicher wird benötigt
26MB an Paketen wird geholt
Fortfahren mit der Installation der 16 Pakete? (J/n) j
    ftp://ftp.sunet.se/pub/Linux/distributions/mageia/distrib/2/i586/media/core/release/libgail3_0-3.4.1-2.mga2.i586.rpm
(...)
Vorbereiten …  (=Preparing)                  ######################################
Die Installation ist möglich (= Installating is possible)
Comment 73 user7 2013-01-29 02:18:01 CET
As for the --searchmedia option, could you tell me the exact command I am supposed to use? I'm struggling a bit with that, I keep getting an error message...
Comment 74 David Walser 2013-01-29 02:30:53 CET
(In reply to comment #73)
> As for the --searchmedia option, could you tell me the exact command I am
> supposed to use? I'm struggling a bit with that, I keep getting an error
> message...

No I can't, because it depends on your media configuration.  The thing after --searchmedia is the name of the core/updates medium.  You'll have to check your /etc/urpmi/urpmi.cfg to see what exactly it's called on your machine.  The name most likely has spaces, so you'll have to put quotes around it.

In my urpmi.cfg, I have:
Core\ Updates /home/linux/mageia/distrib/2/i586/media/core/updates {
  key-ids: 80420f66
  update
}

so it would be --searchmedia "Core Updates"
Comment 75 David Walser 2013-01-29 02:32:45 CET
Hmm, well you did say on IRC that it said libgail3_0 needs linking, and according to your output in Comment 72, that appears to be correct.  I wonder if linking that would actually fix this.  So, the deal is that the updated libproxy requires libwebkitgtk3.0_0, which is in updates, but recursive requires can cause Bug 2317 also, and since libwebkitgtk3.0_0 requires libgail3_0, if you didn't already have those installed, you can't install this update through the applet.
Comment 76 user7 2013-01-29 02:59:11 CET
Ok, it looks like I can not reproduce it by using --searchmedia.

# urpmi --auto-update --test --searchmedia "Core lease (distrib1)"
(...)
Packages are up to date.

# urpmi --auto-update --test --searchmedia "Core Updates (distrib3)"
(...)
  Paket                          Version      Release       Arch    
(Medium »Core Release (distrib1)«)
  libgail3_0                     3.4.1        2.mga2        i586
(Medium »Core Updates (distrib3)«)
  firefox                        17.0.2       3.mga2        i586
  firefox-de                     17.0.2       1.mga2        noarch
  libjavascriptcoregtk3.0_0      1.8.3        1.mga2        i586
  libnspr4                       4.9.4        1.mga2        i586
  libnss3                        3.14.1       2.mga2        i586
  libopus0                       1.0.2        1.mga2        i586
  libproxy-webkit                0.4.11       1.mga2        i586
  libproxy1                      0.4.11       1.mga2        i586
  libwebkitgtk3.0_0              1.8.3        1.mga2        i586
  nss                            3.14.1       2.mga2        i586
  rootcerts                      20121229.00  2.mga2        i586
  rootcerts-java                 20121229.00  2.mga2        i586
  webkit3                        1.8.3        1.mga2        i586
  webkit3.0                      1.8.3        1.mga2        i586
  webkit3.0-webinspector         1.8.3        1.mga2        i586    (Vorschlag)

Vorbereiten …  (=Preparing)                 
######################################
Die Installation ist möglich (= Installing is possible)


As for libgail, depcheck (as linked on Bug 2317) said libgail would require linking - that's why I said it on IRC.
Comment 77 Thomas Backlund 2013-01-29 03:05:14 CET
(In reply to comment #76)

> As for libgail, depcheck (as linked on Bug 2317) said libgail would require
> linking - that's why I said it on IRC.


Sigh, then _why_ didnt you add that in comment 59 ?
It would have saved ~20 comments on this bug...


And I guess the reason for no-one in QA noticing it when pushing webkit is that there is a libgail3_0 in updates_testing (as part of the "ignored" big gnome update), so depcheck was probably happy too... interestingly no webkit users has complained so far...

I'll go link libgail to updates...
Comment 78 Thomas Backlund 2013-01-29 03:10:47 CET
lib(64)gail3_0 linked.
Comment 79 David Walser 2013-01-29 03:23:21 CET
(In reply to comment #77)
> And I guess the reason for no-one in QA noticing it when pushing webkit is that
> there is a libgail3_0 in updates_testing (as part of the "ignored" big gnome
> update), so depcheck was probably happy too... interestingly no webkit users
> has complained so far...

No, libgail3_0 wasn't a *new* requires vs. the webkit from release, so it wouldn't have been needed to link it at that time.
Comment 80 claire robinson 2013-01-29 10:24:51 CET
Yes, having recursive dependencies in updates testing is a case where depcheck fails. It isn't worth rewriting depcheck though now we are looking towards a fix for the infamous bug 2317
Comment 81 user7 2013-01-29 13:44:24 CET
Looks like libgail3_0 was to blame after all (i.e. depcheck was right). I did not change the configuration of my system or intalled any new packages, but the problem is solved now, the update worked without problems.

Note You need to log in before you can comment on or make changes to this bug.