MGASA-2021-0236 - Updated firefox packages fix a security vulnerability

Publication date: 08 Jun 2021
URL: https://advisories.mageia.org/MGASA-2021-0236.html
Type: security
Affected Mageia releases: 7, 8
CVE: CVE-2021-29967

Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis and Christian Holler reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-29967).

This update also fixes:
- Unable to connect to Element with the firefox ESR packaged by Mageia (Bug 28755).
- Crashes on certain webpages with our packaged version (Bug 28652).
- Some connections to websites like Santander Bank (Bug 28359).
- Neither audio nor video with BigBlueButton and other WebRTC services with our packaged version of Firefox ESR (Bug 27374).

It seems a previous patch was still being applied, which prevented these features from working. Thanks to Martin Whitaker for bugs 28755, 28359 and 27374, and to Neal Gompa for bug 28652.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29064
- https://bugs.mageia.org/show_bug.cgi?id=28755
- https://bugs.mageia.org/show_bug.cgi?id=28652
- https://bugs.mageia.org/show_bug.cgi?id=28359
- https://bugs.mageia.org/show_bug.cgi?id=27374
- https://www.mozilla.org/en-US/firefox/78.10.1/releasenotes/
- https://www.mozilla.org/en-US/firefox/78.11.0/releasenotes/
- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/4eyMP8SrUGk
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_65.html
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_66.html
- https://access.redhat.com/errata/RHSA-2021:2206
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29967

SRPMS:
- 8/core/nspr-4.31-1.mga8
- 8/core/rootcerts-20210525.00-1.mga8
- 8/core/nss-3.66.0-1.mga8
- 8/core/firefox-78.11.0-1.mga8
- 8/core/firefox-l10n-78.11.0-1.mga8
- 7/core/nspr-4.31-1.mga7
- 7/core/rootcerts-20210525.00-1.mga7
- 7/core/nss-3.66.0-1.mga7
- 7/core/firefox-78.11.0-1.mga7
- 7/core/firefox-l10n-78.11.0-1.mga7
