Description of problem: CVE-2018-5146: Out of bounds memory write in libvorbis Version-Release number of selected component (if applicable): 59.0.1 How reproducible: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ Additional info: https://bugzilla.mozilla.org/show_bug.cgi?id=1446062
Proposing as a FE for Fedora 28 Beta, to avoid shipping beta with known security vulnerabilities in our default browser. Note that this may need matching NSS update pulled in through the freeze as well if accepted, not entirely sure.
The update is here - https://bodhi.fedoraproject.org/updates/FEDORA-2018-3de9cb411f
Discussed during the 2018-03-26 blocker review meeting: [1] The decision to classify this bug as an AcceptedFreezeException was made as it's obviously desirable to fix significant security issues in the default browser for most desktops for Beta. Note we have verified no nss/nspr update is required here. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt
firefox-59.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3de9cb411f
firefox-59.0.1-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.