Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 657976 (CVE-2018-5150, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5183, MFSA-2018-12, MFSA-2018-14)

Summary: <www-client/firefox{,-bin}-{52.8.1,60.0.2}: multiple vulnerabilities (MFSA-2018-{12,14})
Product: Gentoo Security Reporter: Wolfi Jack <jackwolf2454>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gentoo, iskatu, mozilla
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/
Whiteboard: B2 [glsa+ cve]
Package list:
www-client/firefox-52.8.1 www-client/firefox-60.0.2 dev-libs/nspr-4.19 dev-libs/nss-3.37.3
Runtime testing required: ---

Description Wolfi Jack 2018-06-12 14:04:46 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/

Reproducible: Always
Comment 1 Jory A. Pratt gentoo-dev 2018-06-15 17:01:40 UTC
52.8.1 and 60.0.2 are in the tree, please mark both ebuilds stable. We will keep 52.x branch around until the full EOL happens.
Comment 2 Stabilization helper bot gentoo-dev 2018-06-17 21:01:39 UTC
An automated check of this bug failed - repoman reported dependency errors (126 lines truncated): 

> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
> dependency.bad www-client/firefox/firefox-60.0.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/nss-3.36.4', '>=dev-libs/nspr-4.19']
Comment 3 Jory A. Pratt gentoo-dev 2018-06-17 22:10:27 UTC
You all will need to take the proper nss and nspr versions at same time.
Comment 4 Thomas Deutschmann gentoo-dev 2018-06-18 00:57:39 UTC
x86 stopped stabilization due to bug 658362.
Comment 5 Thomas Deutschmann gentoo-dev 2018-06-28 16:12:58 UTC
Superseded by bug 659432.
Comment 6 Thomas Deutschmann gentoo-dev 2018-10-02 09:04:18 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-10-02 22:25:23 UTC
This issue was resolved and addressed in
 GLSA 201810-01 at https://security.gentoo.org/glsa/201810-01
by GLSA coordinator Thomas Deutschmann (whissi).