Bug 887746 - VUL-0: MozillaFirefox 31 security release
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Platform: All, OS: All
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assigned To: Petr Cerny
Security Team bot
maint:released:sle11-sp3:58418 maint:...
Depends on:
Blocks:
Reported: 2014-07-17 12:35 UTC by Petr Cerny
Modified: 2020-04-05 18:18 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Petr Cerny 2014-07-17 12:35:45 UTC
Planned release date is 2014-07-22

Firefox/Thunderbird/XULRunner 31
Firefox/Thunderbird/XULRunner 31.0.0 ESR
Seamonkey 2.28
Comment 1 Swamp Workflow Management 2014-07-17 22:01:00 UTC
bugbot adjusting priority
Comment 2 Wolfgang Rosenauer 2014-07-20 08:23:55 UTC
Gecko 31 requires NSPR 4.10.6 and NSS 3.16.2.
Meanwhile NSS 3.16.3 is released as well.
AFAICS NSPR 4.10.6 is already in the update channels, but we need to update NSS to at least 3.16.2, while I'd recommend doing 3.16.3 already (which is a requirement for 32 anyway).
Comment 3 Wolfgang Rosenauer 2014-07-20 16:49:10 UTC
enigmail was part of the Thunderbird builds previously. The current release of Enigmail does not need to be part of it and I've separated it out into an external standalone package. Package names and everything stay the same, but it's an additional source package now. Can it just be added to the update repos?
Comment 4 Marcus Meissner 2014-07-20 21:28:33 UTC
We can include it new in the update repos, yes. MozillaThunderbird should require it, then we would be safe.
Comment 5 Wolfgang Rosenauer 2014-07-21 08:56:22 UTC
The enigmail subpackage is currently fully optional. So I think a hard requirement is not needed?
On update it still would work if it was installed before since for RPM it doesn't matter what the source rpm was, right?
Comment 6 Marcus Meissner 2014-07-21 09:17:19 UTC
Then we do not need a specific requirement. 

A recommends might be good perhaps, but also not required
Comment 7 Wolfgang Rosenauer 2014-07-23 05:42:31 UTC
openSUSE packages submitted for NSS, Firefox and Thunderbird (with extra enigmail).
Seamonkey is not available from upstream yet.
Comment 8 Bernhard Wiedemann 2014-07-23 06:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (887746) was mentioned in
https://build.opensuse.org/request/show/241955 Factory / MozillaFirefox
https://build.opensuse.org/request/show/241956 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/241957 13.1 / MozillaFirefox
https://build.opensuse.org/request/show/241958 12.3 / MozillaFirefox
https://build.opensuse.org/request/show/241961 13.1 / MozillaThunderbird
https://build.opensuse.org/request/show/241962 12.3 / MozillaThunderbird
https://build.opensuse.org/request/show/241963 13.1 / enigmail
https://build.opensuse.org/request/show/241964 12.3 / enigmail
https://build.opensuse.org/request/show/241965 Evergreen:11.4 / MozillaFirefox
https://build.opensuse.org/request/show/241967 Evergreen:11.4 / MozillaThunderbird
Comment 10 Marcus Meissner 2014-07-23 15:10:01 UTC
Petr's part of the work starts for SLE now.


Wolfgang, Petr, I try to make sense of the root certificate changes.

http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt

and the log:
http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt


The issue I am wondering about is:
Brian Smith - Bug 936304: Revert removal of Entrust.net, GTE CyberTrust, and ValiCert 1024-bit root certificates from NSS by backing out cset 1cef53398ecf, a=nss-teleconference

But according to changes they are in 3.16.3, and the revert is not?

Do you have more information on that? I would hate to break things.
Comment 11 Wolfgang Rosenauer 2014-07-23 18:17:59 UTC
Hmm, Firefox 31 upstream ships with NSS 3.16.2 which apparently still has those root certificates. In Factory (and my recent submissions) we are already on 3.16.3 and really might break a few sites according to https://bugzilla.mozilla.org/show_bug.cgi?id=936304

I could provide a 3.16.2 version if wanted for 13.1 and 12.3.
Comment 12 Petr Cerny 2014-07-23 19:48:13 UTC
Judging by comment https://bugzilla.mozilla.org/show_bug.cgi?id=936304#c19 I would personally go for 3.16.3, but I can't really tell whether it has more advantages in our specific case. In any case I don't think we are going to keep NSS 3.16.3 (even if it was just the certdata) until EOL of FF 31 esr. Marcus?
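The question raised in comments 10 to 12 (which root certificates differ between the certdata.txt shipped with NSS 3.16.2 and 3.16.3, and whether the 1024-bit roots are still present) can be checked mechanically before a package is submitted. The following is an added example, not code from this bug, the openSUSE packages or NSS itself: it parses the PKCS#11 object syntax of NSS's builtin-token certdata.txt and diffs the CKO_NSS_TRUST objects of two versions, reporting roots that were removed, added or whose trust flags changed. The two inputs, the root labels and the function names parse_objects, trust_map and diff_roots are constructed for the example; to run the real check, read the two certdata.txt files linked above into the two strings.

```python
"""Diff root-certificate trust between two NSS certdata.txt files.

Added example, not code from this bug, the openSUSE packages or NSS:
parses the PKCS#11 object syntax of certdata.txt and reports roots
removed, added, or re-trusted. Inputs are constructed samples.
"""

TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH",
               "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")

# Constructed "old" file: a CKO_CERTIFICATE object and the CKO_NSS_TRUST
# object that shares its CKA_LABEL, plus the trust object of a second root.
OLD_CERTDATA = r"""
BEGINDATA

# Certificate "Example Root CA 1"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001
END

# Trust for "Example Root CA 1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "Example 1024-bit Root CA 2" (its certificate object is omitted)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example 1024-bit Root CA 2"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

# Constructed "new" file: CA 2 dropped, CA 1 no longer trusted for server
# auth, CA 3 added (trust objects only).
NEW_CERTDATA = r"""
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def parse_objects(text):
    """Split certdata.txt into objects (dict attribute -> value). Blank lines
    separate objects, '#' comments and BEGINDATA are skipped, and a
    MULTILINE_OCTAL value runs until a line reading END."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if line == "" or line.startswith("#") or line == "BEGINDATA":
            if line == "" and current:           # blank line closes an object
                objects.append(current)
                current = {}
            continue
        parts = line.split(None, 2)              # CKA_ATTR  CK_TYPE  value
        attr, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            body = []
            for octal in lines:                  # consume the escaped-octal body
                if octal.strip() == "END":
                    break
                body.append(octal.strip())
            current[attr] = "".join(body)
        else:
            value = parts[2] if len(parts) > 2 else ""
            current[attr] = value.strip('"') if ctype == "UTF8" else value
    if current:
        objects.append(current)
    return objects


def trust_map(text):
    """label -> (server auth, e-mail, code signing) trust values per root."""
    return {obj["CKA_LABEL"]: tuple(obj.get(a, "CKT_NSS_TRUST_UNKNOWN")
                                    for a in TRUST_ATTRS)
            for obj in parse_objects(text)
            if obj.get("CKA_CLASS") == "CKO_NSS_TRUST"}


def diff_roots(old_text, new_text):
    """Labels removed, added, or whose trust flags changed between two files."""
    old, new = trust_map(old_text), trust_map(new_text)
    return {"removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "trust_changed": sorted(l for l in old.keys() & new.keys()
                                    if old[l] != new[l])}


if __name__ == "__main__":
    for kind, labels in diff_roots(OLD_CERTDATA, NEW_CERTDATA).items():
        print(f"{kind}: {labels}")
```

The diff is keyed on the trust objects rather than the certificate objects because that is where removal of a root actually takes effect: a root whose CKO_NSS_TRUST entry drops to CKT_NSS_MUST_VERIFY_TRUST stays in the file but no longer anchors TLS chains, which is exactly the kind of change that breaks sites without showing up as a deleted certificate.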
Comment 15 SMASH SMASH 2014-07-24 16:30:15 UTC
Affected packages:

SLE-10-SP3-TERADATA: mozilla-nss, MozillaFirefox
SLE-11-SP3: MozillaFirefox, mozilla-nss
Comment 16 Swamp Workflow Management 2014-07-25 07:40:36 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-08-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58412
Comment 17 Marcus Meissner 2014-07-25 12:17:21 UTC
Let us just go with their releases for now.

We will be updating to the next NSS versions as they come.
Comment 18 Swamp Workflow Management 2014-07-30 18:43:34 UTC
openSUSE-SU-2014:0939-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 887746
CVE References: CVE-2014-1544,CVE-2014-1547,CVE-2014-1548,CVE-2014-1549,CVE-2014-1550,CVE-2014-1552,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557,CVE-2014-1558,CVE-2014-1559,CVE-2014-1560,CVE-2014-1561
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-31.0-33.1, mozilla-nss-3.16.3-27.1
openSUSE 12.3 (src):    MozillaFirefox-31.0-1.72.1, mozilla-nss-3.16.3-1.43.1
Comment 19 Swamp Workflow Management 2014-07-30 18:47:43 UTC
openSUSE-SU-2014:0950-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 887746
CVE References: CVE-2014-1492,CVE-2014-1544,CVE-2014-1547,CVE-2014-1548,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557
Sources used:
openSUSE 11.4 (src):    MozillaFirefox-24.7.0-119.1, MozillaThunderbird-24.7.0-101.1, enigmail-1.7-2.1, mozilla-nss-3.16.3-86.1
Comment 20 Swamp Workflow Management 2014-08-01 23:04:32 UTC
SUSE-SU-2014:0960-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 887746
CVE References: CVE-2014-1544,CVE-2014-1547,CVE-2014-1548,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    MozillaFirefox-24.7.0esr-0.8.2, mozilla-nss-3.16.2-0.8.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    MozillaFirefox-24.7.0esr-0.8.2, mozilla-nss-3.16.2-0.8.1
SUSE Linux Enterprise Server 11 SP3 (src):    MozillaFirefox-24.7.0esr-0.8.2, mozilla-nss-3.16.2-0.8.1
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    MozillaFirefox-24.7.0esr-0.3.1, mozilla-nss-3.16.2-0.3.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    MozillaFirefox-24.7.0esr-0.3.1, mozilla-nss-3.16.2-0.3.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    MozillaFirefox-24.7.0esr-0.5.1, mozilla-nss-3.16.2-0.5.1
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    MozillaFirefox-24.7.0esr-0.5.1, mozilla-nss-3.16.2-0.5.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    MozillaFirefox-24.7.0esr-0.8.2, mozilla-nss-3.16.2-0.8.1
Comment 21 Swamp Workflow Management 2014-08-11 08:05:44 UTC
openSUSE-SU-2014:0976-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 887746
CVE References: CVE-2014-1544,CVE-2014-1547,CVE-2014-1548,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557
Sources used:
openSUSE 13.1 (src):    MozillaThunderbird-24.7.0-70.27.1, enigmail-1.7-2.1
openSUSE 12.3 (src):    MozillaThunderbird-24.7.0-61.55.1, enigmail-1.7-2.1
Comment 22 Marcus Meissner 2014-09-02 12:22:22 UTC
Was released already. ESR31 for SLE11 is not needed to track here.
Comment 23 Bernhard Wiedemann 2014-09-02 19:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (887746) was mentioned in
https://build.opensuse.org/request/show/247299 Evergreen:11.4 / MozillaFirefox
Comment 24 Swamp Workflow Management 2014-09-09 16:23:23 UTC
openSUSE-SU-2014:1100-1: An update that fixes 475 vulnerabilities is now available.

Category: security (important)
Bug References: 104586,354469,385739,390992,417869,41903,429179,439841,441084,455804,484321,503151,518603,527418,528406,529180,542809,559819,576969,582276,586567,593807,603356,622506,637303,642502,645315,649492,657016,664211,667155,689281,701296,712224,714931,720264,726758,728520,732898,733002,737533,744275,746616,747328,749440,750044,755060,758408,765204,771583,777588,783533,786522,790140,796895,804248,808243,813026,819204,825935,833389,840485,847708,854370,861847,868603,875378,876833,881874,887746,894201,894370
CVE References: CVE-2007-3089,CVE-2007-3285,CVE-2007-3656,CVE-2007-3670,CVE-2007-3734,CVE-2007-3735,CVE-2007-3736,CVE-2007-3737,CVE-2007-3738,CVE-2008-0016,CVE-2008-1233,CVE-2008-1234,CVE-2008-1235,CVE-2008-1236,CVE-2008-1237,CVE-2008-3835,CVE-2008-4058,CVE-2008-4059,CVE-2008-4060,CVE-2008-4061,CVE-2008-4062,CVE-2008-4063,CVE-2008-4064,CVE-2008-4065,CVE-2008-4066,CVE-2008-4067,CVE-2008-4068,CVE-2008-4070,CVE-2008-5012,CVE-2008-5014,CVE-2008-5016,CVE-2008-5017,CVE-2008-5018,CVE-2008-5021,CVE-2008-5022,CVE-2008-5024,CVE-2008-5500,CVE-2008-5501,CVE-2008-5502,CVE-2008-5503,CVE-2008-5506,CVE-2008-5507,CVE-2008-5508,CVE-2008-5510,CVE-2008-5511,CVE-2008-5512,CVE-2009-0040,CVE-2009-0771,CVE-2009-0772,CVE-2009-0773,CVE-2009-0774,CVE-2009-0776,CVE-2009-1571,CVE-2009-3555,CVE-2010-0159,CVE-2010-0173,CVE-2010-0174,CVE-2010-0175,CVE-2010-0176,CVE-2010-0182,CVE-2010-0654,CVE-2010-1121,CVE-2010-1196,CVE-2010-1199,CVE-2010-1200,CVE-2010-1201,CVE-2010-1202,CVE-2010-1203,CVE-2010-1205,CVE-2010-1211,CVE-2010-1212,CVE-2010-1213,CVE-2010-1585,CVE-2010-2752,CVE-2010-2753,CVE-2010-2754,CVE-2010-2760,CVE-2010-2762,CVE-2010-2764,CVE-2010-2765,CVE-2010-2766,CVE-2010-2767,CVE-2010-2768,CVE-2010-2769,CVE-2010-3166,CVE-2010-3167,CVE-2010-3168,CVE-2010-3169,CVE-2010-3170,CVE-2010-3173,CVE-2010-3174,CVE-2010-3175,CVE-2010-3176,CVE-2010-3178,CVE-2010-3179,CVE-2010-3180,CVE-2010-3182,CVE-2010-3183,CVE-2010-3765,CVE-2010-3768,CVE-2010-3769,CVE-2010-3776,CVE-2010-3777,CVE-2010-3778,CVE-2011-0053,CVE-2011-0061,CVE-2011-0062,CVE-2011-0069,CVE-2011-0070,CVE-2011-0072,CVE-2011-0074,CVE-2011-0075,CVE-2011-0077,CVE-2011-0078,CVE-2011-0080,CVE-2011-0081,CVE-2011-0083,CVE-2011-0084,CVE-2011-0085,CVE-2011-1187,CVE-2011-2362,CVE-2011-2363,CVE-2011-2364,CVE-2011-2365,CVE-2011-2371,CVE-2011-2372,CVE-2011-2373,CVE-2011-2374,CVE-2011-2376,CVE-2011-2377,CVE-2011-2985,CVE-2011-2986,CVE-2011-2987,CVE-2011-2988,CVE-2011-2989,CVE-2011-2991,CVE-2011-2992,CVE-2011-3000,CVE-2011-3001,CVE-2011-3005,CVE-2011-3026,CVE-2011-3062,CVE-2011-3101,CVE-2011-3232,CVE-2011-3648,CVE-2011-3650,CVE-2011-3651,CVE-2011-3652,CVE-2011-3654,CVE-2011-3655,CVE-2011-3658,CVE-2011-3659,CVE-2011-3660,CVE-2011-3661,CVE-2011-3663,CVE-2012-0441,CVE-2012-0442,CVE-2012-0443,CVE-2012-0444,CVE-2012-0445,CVE-2012-0446,CVE-2012-0447,CVE-2012-0449,CVE-2012-0451,CVE-2012-0452,CVE-2012-0455,CVE-2012-0456,CVE-2012-0457,CVE-2012-0458,CVE-2012-0459,CVE-2012-0460,CVE-2012-0461,CVE-2012-0462,CVE-2012-0463,CVE-2012-0464,CVE-2012-0467,CVE-2012-0468,CVE-2012-0469,CVE-2012-0470,CVE-2012-0471,CVE-2012-0472,CVE-2012-0473,CVE-2012-0474,CVE-2012-0475,CVE-2012-0477,CVE-2012-0478,CVE-2012-0479,CVE-2012-0759,CVE-2012-1937,CVE-2012-1938,CVE-2012-1940,CVE-2012-1941,CVE-2012-1944,CVE-2012-1945,CVE-2012-1946,CVE-2012-1947,CVE-2012-1948,CVE-2012-1949,CVE-2012-1951,CVE-2012-1952,CVE-2012-1953,CVE-2012-1954,CVE-2012-1955,CVE-2012-1956,CVE-2012-1957,CVE-2012-1958,CVE-2012-1959,CVE-2012-1960,CVE-2012-1961,CVE-2012-1962,CVE-2012-1963,CVE-2012-1967,CVE-2012-1970,CVE-2012-1972,CVE-2012-1973,CVE-2012-1974,CVE-2012-1975,CVE-2012-1976,CVE-2012-3956,CVE-2012-3957,CVE-2012-3958,CVE-2012-3959,CVE-2012-3960,CVE-2012-3961,CVE-2012-3962,CVE-2012-3963,CVE-2012-3964,CVE-2012-3966,CVE-2012-3967,CVE-2012-3968,CVE-2012-3969,CVE-2012-3970,CVE-2012-3971,CVE-2012-3972,CVE-2012-3975,CVE-2012-3978,CVE-2012-3980,CVE-2012-3982,CVE-2012-3983,CVE-2012-3984,CVE-2012-3985,CVE-2012-3986,CVE-2012-3988,CVE-2012-3989,CVE-2012-3990,CVE-2012-3991,CVE-2012-3992,CVE-2012-3993,CVE-2012-3994,CVE-2012-3995,CVE-2012-4179,CVE-2012-4180,CVE-2012-4181,CVE-2012-4182,CVE-2012-4183,CVE-2012-4184,CVE-2012-4185,CVE-2012-4186,CVE-2012-4187,CVE-2012-4188,CVE-2012-4191,CVE-2012-4192,CVE-2012-4193,CVE-2012-4194,CVE-2012-4195,CVE-2012-4196,CVE-2012-4201,CVE-2012-4202,CVE-2012-4204,CVE-2012-4205,CVE-2012-4207,CVE-2012-4208,CVE-2012-4209,CVE-2012-4212,CVE-2012-4213,CVE-2012-4214,CVE-2012-4215,CVE-2012-4216,CVE-2012-4217,CVE-2012-4218,CVE-2012-5829,CVE-2012-5830,CVE-2012-5833,CVE-2012-5835,CVE-2012-5836,CVE-2012-5837,CVE-2012-5838,CVE-2012-5839,CVE-2012-5840,CVE-2012-5841,CVE-2012-5842,CVE-2012-5843,CVE-2013-0743,CVE-2013-0744,CVE-2013-0745,CVE-2013-0746,CVE-2013-0747,CVE-2013-0748,CVE-2013-0749,CVE-2013-0750,CVE-2013-0752,CVE-2013-0753,CVE-2013-0754,CVE-2013-0755,CVE-2013-0756,CVE-2013-0757,CVE-2013-0758,CVE-2013-0760,CVE-2013-0761,CVE-2013-0762,CVE-2013-0763,CVE-2013-0764,CVE-2013-0766,CVE-2013-0767,CVE-2013-0768,CVE-2013-0769,CVE-2013-0770,CVE-2013-0771,CVE-2013-0773,CVE-2013-0774,CVE-2013-0775,CVE-2013-0776,CVE-2013-0780,CVE-2013-0782,CVE-2013-0783,CVE-2013-0787,CVE-2013-0788,CVE-2013-0789,CVE-2013-0793,CVE-2013-0795,CVE-2013-0796,CVE-2013-0800,CVE-2013-0801,CVE-2013-1669,CVE-2013-1670,CVE-2013-1674,CVE-2013-1675,CVE-2013-1676,CVE-2013-1677,CVE-2013-1678,CVE-2013-1679,CVE-2013-1680,CVE-2013-1681,CVE-2013-1682,CVE-2013-1684,CVE-2013-1685,CVE-2013-1686,CVE-2013-1687,CVE-2013-1690,CVE-2013-1692,CVE-2013-1693,CVE-2013-1694,CVE-2013-1697,CVE-2013-1701,CVE-2013-1709,CVE-2013-1710,CVE-2013-1713,CVE-2013-1714,CVE-2013-1717,CVE-2013-1718,CVE-2013-1719,CVE-2013-1720,CVE-2013-1722,CVE-2013-1723,CVE-2013-1724,CVE-2013-1725,CVE-2013-1728,CVE-2013-1730,CVE-2013-1732,CVE-2013-1735,CVE-2013-1736,CVE-2013-1737,CVE-2013-1738,CVE-2013-5590,CVE-2013-5591,CVE-2013-5592,CVE-2013-5593,CVE-2013-5595,CVE-2013-5596,CVE-2013-5597,CVE-2013-5599,CVE-2013-5600,CVE-2013-5601,CVE-2013-5602,CVE-2013-5603,CVE-2013-5604,CVE-2013-5609,CVE-2013-5610,CVE-2013-5611,CVE-2013-5612,CVE-2013-5613,CVE-2013-5614,CVE-2013-5615,CVE-2013-5616,CVE-2013-5618,CVE-2013-5619,CVE-2013-6629,CVE-2013-6630,CVE-2013-6671,CVE-2013-6672,CVE-2013-6673,CVE-2014-1477,CVE-2014-1478,CVE-2014-1479,CVE-2014-1480,CVE-2014-1481,CVE-2014-1482,CVE-2014-1483,CVE-2014-1484,CVE-2014-1485,CVE-2014-1486,CVE-2014-1487,CVE-2014-1488,CVE-2014-1489,CVE-2014-1490,CVE-2014-1491,CVE-2014-1492,CVE-2014-1493,CVE-2014-1494,CVE-2014-1497,CVE-2014-1498,CVE-2014-1499,CVE-2014-1500,CVE-2014-1502,CVE-2014-1504,CVE-2014-1505,CVE-2014-1508,CVE-2014-1509,CVE-2014-1510,CVE-2014-1511,CVE-2014-1512,CVE-2014-1513,CVE-2014-1514,CVE-2014-1518,CVE-2014-1519,CVE-2014-1522,CVE-2014-1523,CVE-2014-1524,CVE-2014-1525,CVE-2014-1526,CVE-2014-1528,CVE-2014-1529,CVE-2014-1530,CVE-2014-1531,CVE-2014-1532,CVE-2014-1533,CVE-2014-1534,CVE-2014-1536,CVE-2014-1537,CVE-2014-1538,CVE-2014-1539,CVE-2014-1540,CVE-2014-1541,CVE-2014-1542,CVE-2014-1543,CVE-2014-1544,CVE-2014-1545,CVE-2014-1547,CVE-2014-1548,CVE-2014-1549,CVE-2014-1550,CVE-2014-1552,CVE-2014-1553,CVE-2014-1555,CVE-2014-1556,CVE-2014-1557,CVE-2014-1558,CVE-2014-1559,CVE-2014-1560,CVE-2014-1561,CVE-2014-1562,CVE-2014-1563,CVE-2014-1564,CVE-2014-1565,CVE-2014-1567
Sources used:
openSUSE 11.4 (src):    MozillaFirefox-24.8.0-127.1, mozilla-nss-3.16.4-94.1