| Summary: | <www-client/firefox{,-bin}-{52.1.0-r1,53.0}: multiple vulnerabilities (MFSA-2017-11) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | ago, limanski, mozilla, skrattaren |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/ | | |
| Whiteboard: | A2 [glsa+ cve] | | |
| Package list: | =www-client/firefox-52.1.0-r1 =www-client/firefox-bin-52.1.0-r2 | | |
| Runtime testing required: | Yes | | |
Description
Thomas Deutschmann (RETIRED)
2017-04-19 18:11:24 UTC
Freeing CVE-2017-5461 to file a dedicated bug against dev-libs/nss. Freeing CVE-2017-5436 to file a dedicated bug against media-gfx/graphite2. Freeing CVE-2017-5462 to file a dedicated bug against dev-libs/nss.

www-client/firefox-bin has been bumped with 45.9.0 going direct to stable. 52.1.0 will follow a standard stabilization procedure. Source builds will take another day or three as my devel box needs to fully upgrade to gcc-5.4.0-r3 first.

*** Bug 616488 has been marked as a duplicate of this bug. ***

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

I think it's as ready as it'll ever be... Please note that firefox-52.1.0[system-harfbuzz] requires media-gfx/graphite2-1.8-r1 or 1.9-r1 in order to fully resolve CVE-2017-5436 (covered in this MFSA). Arches, please stabilize www-client/firefox-52.1.0 for amd64 ppc ppc64 x86.

An automated check of this bug failed - the following atom is unknown: www-client/firefox-52.1.0. Please verify the atom list.

(In reply to Stabilization helper bot from comment #8)
> An automated check of this bug failed - the following atom is unknown:
>
> www-client/firefox-52.1.0
>
> Please verify the atom list.

So that's confusing -- it hit VCS quite a few hours ago...

An automated check of this bug failed - the following atom is unknown: www-client/firefox-52.1.0-r1. Please verify the atom list.

Firefox 52.1.1 and 53.0.2 are released, with critical security fix: https://www.mozilla.org/en-US/security/advisories/mfsa2017-14/

Thanks for posting. MFSA-2017-14 is about CVE-2017-5031 which is only high and not critical. Also, and most important:
> Note: This issue is in libGLES, which is only in use on Windows.
> Other operating systems are not affected.

@ Maintainer(s): You have added =www-client/firefox-bin-45.9.0 but =www-client/firefox-45.9.0 is missing. You are now trying to stabilize =www-client/firefox-52.1.0-r1. Does that mean we will skip 45.9 ESR for the non-bin package? If so, could we please stabilize =www-client/firefox-bin-52.1.0 as well? Otherwise security would have to track multiple ESR branches...

Apologies, I thought I posted a comment on this two days ago but must have not submitted it. (Hopefully I didn't post it on another bug.) I am not planning to bump the source package to firefox-45.9. I bumped firefox-bin-45.9 simply because it was low-hanging fruit, and firefox-bin-52.x wasn't ready for stabilization yet. That is no longer true; I believe both firefox and firefox-bin 52.1 are ready to be stabilized now, and the 45.x series can be removed once that occurs.

Ian, question: For firefox we have the following:
=www-client/firefox-52.1.0-r1
For bin the version is different:
=www-client/firefox-bin-52.1.0-r2
Is that what you would like to stabilize, or do you want to bring both up to r2?

(In reply to Yury German from comment #15)
> Ian question:
>
> For firefox we have the following:
> =www-client/firefox-52.1.0-r1
> For Bin the version is different:
> =www-client/firefox-bin-52.1.0-r2
>
> Is that what you would like to stabilize, or do you want to bring both up to
> r2?

Revisions don't need to match; revbumps were only due to changes to the ebuild that I needed to force end-users to reinstall. So yes, those atoms please.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

amd64 stable

x86 stable

ppc stable

ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

ping: no update since 05/17, any news?

Security Team Padawan ChrisADR: GLSA Request filed.

Tree is clean.

Gentoo Security Padawan ChrisADR: This issue was resolved and addressed in GLSA 201802-03 at https://security.gentoo.org/glsa/201802-03 by GLSA coordinator Thomas Deutschmann (whissi).