Bug 9141 - Firefox 17.0.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/539198/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Blocks: 9142
Reported: 2013-02-21 01:05 CET by David Walser
Modified: 2013-02-21 22:21 CET (History)

See Also:
Source RPM: firefox-17.0.2-3.mga2.src.rpm
CVE:



Description David Walser 2013-02-21 01:05:58 CET
Red Hat has issued an advisory on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0271.html

nspr and nss also need to be updated. They are in SVN but not built yet.

nss 3.14.3 also fixes a security issue, CVE-2013-1620:
https://bugzilla.mozilla.org/show_bug.cgi?id=822365

Comment 1 David Walser 2013-02-21 01:36:59 CET
*** Bug 9136 has been marked as a duplicate of this bug. ***
Comment 2 David Walser 2013-02-21 02:19:05 CET
Everything is now built and this is ready for QA.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations
in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
do not prevent modifications to a prototype, which allows remote attackers to
obtain sensitive information from chrome objects or possibly execute arbitrary
JavaScript code with chrome privileges via a crafted web site (CVE-2013-0773).

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird
before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16
do not prevent JavaScript workers from reading the browser-profile directory
name, which has unspecified impact and remote attack vectors (CVE-2013-0774).

Several flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox (CVE-2013-0775, CVE-2013-0780, CVE-2013-0782,
CVE-2013-0783).

It was found that, after canceling a proxy server's authentication
prompt, the address bar continued to show the requested site's address. An
attacker could use this flaw to conduct phishing attacks by tricking a
user into believing they are viewing a trusted site (CVE-2013-0776).

The TLS implementation in Mozilla Network Security Services (NSS) does not
properly consider timing side-channel attacks on a noncompliant MAC check
operation during the processing of malformed CBC padding, which allows remote
attackers to conduct distinguishing attacks and plaintext-recovery attacks
via statistical analysis of timing data for crafted packets (CVE-2013-1620).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
https://rhn.redhat.com/errata/RHSA-2013-0271.html
========================

Source RPMs:
nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm
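The advisory above names the package versions that carry the fixes. As an added example, not from this bug report or from Mageia's QA tooling, the Python below checks constructed `rpm -q` output against those versions with a simplified rpmvercmp (no tilde or caret handling), so a tester can confirm nspr and nss were updated alongside firefox before validating; the assumed query format is `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'`.

```python
"""Check installed Mageia 2 packages against the fixed versions this advisory
names (nspr 4.9.5, nss 3.14.3, firefox 17.0.3). Sample rpm output is constructed."""
import re

# Fixed (version, release) pairs, taken from the Source RPMs list in comment 2.
FIXED = {
    "nspr": ("4.9.5", "1.mga2"),
    "nss": ("3.14.3", "1.mga2"),
    "firefox": ("17.0.3", "1.mga2"),
    "firefox-l10n": ("17.0.3", "1.mga2"),
}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`
# on a host where only firefox itself has been updated so far.
SAMPLE_RPM_OUTPUT = """\
nspr 4.9.4 1.mga2
nss 3.14.1 1.mga2
firefox 17.0.3 1.mga2
firefox-l10n 17.0.2 3.mga2
"""

def _segments(s):
    # rpmvercmp-style tokenisation: maximal runs of digits or of letters.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified: no tilde/caret)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:  # a numeric segment is newer than an alphabetic one
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)  # numeric compare, so 10 > 9 (not string order)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (version, release) pairs; the release only decides a tie."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def outdated_packages(rpm_output, fixed=FIXED):
    """Names of listed packages still older than the advisory's fixed version."""
    stale = []
    for line in rpm_output.splitlines():
        name, ver, rel = line.split()
        if name in fixed and evr_cmp((ver, rel), fixed[name]) < 0:
            stale.append(name)
    return stale
```

Running `outdated_packages(SAMPLE_RPM_OUTPUT)` on the constructed sample reports nspr, nss and firefox-l10n as still stale, which is exactly the state comment 3 describes re-testing.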
Comment 3 Bill Wilkinson 2013-02-21 03:03:31 CET
Testing x86_64.
Repeated testing from earlier today with nss and nspr installed in addition to firefox 17.0.3.
No PoC found for the bugs.

Tested JavaScript with SunSpider: OK
https://www.webkit.org/perf/sunspider/sunspider.html
Tested Java through javatester.com: OK

Tested Flash with a Lemmings game and several YouTube videos: OK

General browsing, including the Acid3 test: OK
http://www.acidtests.org
Comment 4 Dave Hodgins 2013-02-21 05:05:49 CET
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpms
nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

See comment 2 for the advisory and references.
Comment 5 David GEIGER 2013-02-21 18:25:09 CET
Testing complete for firefox-17.0.3 on Mageia release 2 (Official) for x86_64;
for me it's OK, nothing to report, and it works fine.

- Flash player: OK
- Java plugin: OK
- Some .xpi add-ons (Adblock, Flagfox, Firebug, Xmarks, DownThemAll, FoxTab, etc.) work fine.
Comment 6 Thomas Backlund 2013-02-21 22:21:32 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0063
