RedHat has issued an advisory on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0271.html

nspr and nss also need to be updated. They are in SVN but not built yet.

nss 3.14.3 also fixes a security issue, CVE-2013-1620:
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
Blocks: (none) => 9142
*** Bug 9136 has been marked as a duplicate of this bug. ***
CC: (none) => fundawang
Everything is now built and this is ready for QA.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site (CVE-2013-0773).

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors (CVE-2013-0774).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2013-0775, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783).

It was found that, after canceling a proxy server's authentication prompt, the address bar continued to show the requested site's address. An attacker could use this flaw to conduct phishing attacks by tricking a user into believing they are viewing a trusted site (CVE-2013-0776).

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets (CVE-2013-1620).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
https://rhn.redhat.com/errata/RHSA-2013-0271.html
========================

Source RPMs:
nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Testing x86_64

Repeated testing from earlier today with nss and nspr installed in addition to firefox 17.0.3.

No PoC found for bugs.

Tested JavaScript with Sunspider: OK
https://www.webkit.org/perf/sunspider/sunspider.html
Tested Java through javatester.com: OK
Tested Flash with lemmings game and several YouTube videos: OK
General browsing, including ACID 3 test: OK
http://www.acidtests.org
CC: (none) => wrw105
Whiteboard: (none) => MGA2_64_OK
Whiteboard: MGA2_64_OK => MGA2-64-OK
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpms

nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm

from Mageia 2 Core Updates Testing to Core Updates.

See comment 2 for the advisory and references.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK
Testing complete for firefox-17.0.3 on Mageia release 2 (Official) for x86_64. For me it's OK, nothing to report, and it works fine.

- Flash-player: OK
- Java-plugin: OK
- Some .xpi add-ons (Adblock, Flagfox, Firebug, Xmarks, Downthemall, Foxtab, etc.) work fine.
CC: (none) => geiger.david68210
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0063
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED