Mozilla has released Firefox 91.3.0 today (November 2):
https://www.mozilla.org/en-US/firefox/91.3.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/

NSS 3.72 is also out:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7O6a4NlaI2A
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html

Update in progress. Package list should be as follows.

Updated packages in core/updates_testing:
========================================
nss-3.72.0-1.mga8
nss-doc-3.72.0-1.mga8
libnss3-3.72.0-1.mga8
libnss-devel-3.72.0-1.mga8
libnss-static-devel-3.72.0-1.mga8
firefox-91.3.0-1.mga8
firefox-ru-91.3.0-1.mga8
firefox-uk-91.3.0-1.mga8
firefox-be-91.3.0-1.mga8
firefox-el-91.3.0-1.mga8
firefox-kk-91.3.0-1.mga8
firefox-th-91.3.0-1.mga8
firefox-pa_IN-91.3.0-1.mga8
firefox-ka-91.3.0-1.mga8
firefox-ja-91.3.0-1.mga8
firefox-bg-91.3.0-1.mga8
firefox-sr-91.3.0-1.mga8
firefox-hy_AM-91.3.0-1.mga8
firefox-ko-91.3.0-1.mga8
firefox-zh_TW-91.3.0-1.mga8
firefox-vi-91.3.0-1.mga8
firefox-zh_CN-91.3.0-1.mga8
firefox-hu-91.3.0-1.mga8
firefox-bn-91.3.0-1.mga8
firefox-hi_IN-91.3.0-1.mga8
firefox-ar-91.3.0-1.mga8
firefox-sk-91.3.0-1.mga8
firefox-cs-91.3.0-1.mga8
firefox-ur-91.3.0-1.mga8
firefox-hsb-91.3.0-1.mga8
firefox-lt-91.3.0-1.mga8
firefox-te-91.3.0-1.mga8
firefox-fr-91.3.0-1.mga8
firefox-he-91.3.0-1.mga8
firefox-pl-91.3.0-1.mga8
firefox-sq-91.3.0-1.mga8
firefox-fa-91.3.0-1.mga8
firefox-de-91.3.0-1.mga8
firefox-oc-91.3.0-1.mga8
firefox-tr-91.3.0-1.mga8
firefox-kab-91.3.0-1.mga8
firefox-es_MX-91.3.0-1.mga8
firefox-es_AR-91.3.0-1.mga8
firefox-es_CL-91.3.0-1.mga8
firefox-pt_PT-91.3.0-1.mga8
firefox-fy_NL-91.3.0-1.mga8
firefox-pt_BR-91.3.0-1.mga8
firefox-gl-91.3.0-1.mga8
firefox-cy-91.3.0-1.mga8
firefox-sv_SE-91.3.0-1.mga8
firefox-gd-91.3.0-1.mga8
firefox-km-91.3.0-1.mga8
firefox-ro-91.3.0-1.mga8
firefox-mr-91.3.0-1.mga8
firefox-gu_IN-91.3.0-1.mga8
firefox-hr-91.3.0-1.mga8
firefox-sl-91.3.0-1.mga8
firefox-nl-91.3.0-1.mga8
firefox-es_ES-91.3.0-1.mga8
firefox-eo-91.3.0-1.mga8
firefox-ca-91.3.0-1.mga8
firefox-da-91.3.0-1.mga8
firefox-fi-91.3.0-1.mga8
firefox-eu-91.3.0-1.mga8
firefox-ia-91.3.0-1.mga8
firefox-nn_NO-91.3.0-1.mga8
firefox-nb_NO-91.3.0-1.mga8
firefox-br-91.3.0-1.mga8
firefox-id-91.3.0-1.mga8
firefox-tl-91.3.0-1.mga8
firefox-my-91.3.0-1.mga8
firefox-ta-91.3.0-1.mga8
firefox-en_GB-91.3.0-1.mga8
firefox-szl-91.3.0-1.mga8
firefox-en_CA-91.3.0-1.mga8
firefox-an-91.3.0-1.mga8
firefox-ast-91.3.0-1.mga8
firefox-kn-91.3.0-1.mga8
firefox-az-91.3.0-1.mga8
firefox-si-91.3.0-1.mga8
firefox-en_US-91.3.0-1.mga8
firefox-et-91.3.0-1.mga8
firefox-ff-91.3.0-1.mga8
firefox-lij-91.3.0-1.mga8
firefox-uz-91.3.0-1.mga8
firefox-is-91.3.0-1.mga8
firefox-mk-91.3.0-1.mga8
firefox-lv-91.3.0-1.mga8
firefox-bs-91.3.0-1.mga8
firefox-ga_IE-91.3.0-1.mga8
firefox-it-91.3.0-1.mga8
firefox-ms-91.3.0-1.mga8
firefox-xh-91.3.0-1.mga8
firefox-af-91.3.0-1.mga8

from SRPMS:
nss-3.72.0-1.mga8.src.rpm
firefox-91.3.0-1.mga8.src.rpm
firefox-l10n-91.3.0-1.mga8.src.rpm
Red Hat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2021:4123

Packages are uploading now and should be available in the next few hours.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame (CVE-2021-38503).

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash (CVE-2021-38504).

Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing (CVE-2021-38506).

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption, a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage (CVE-2021-38507).

A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash (MOZ-2021-0008).

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission (CVE-2021-38508).

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (MOZ-2021-0007).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38509
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_72.html
Assignee: luigiwalser => qa-bugs
Hi! I have tried the new version. Works fine: banks, downloads, settings, language correct in Spanish. Greetings!
CC: (none) => joselpddj
Hi, tested on Mageia GNOME x64. I've tried several websites, legal streaming audio and video websites, bank ... settings, installed extensions, French settings. All is OK and works fine.
CC: (none) => hdetavernier
Blocks: (none) => 29625
MGA8-64 Plasma on Lenovo B50
No installation issues. Dutch settings, no issues seen on usual operations.
CC: (none) => herman.viaene
OK mga8-64, Plasma, nvidia-current, Swedish
Open tabs and settings retained. Banking apps, a bunch of sites I normally visit, video, ...
CC: (none) => fri
MGA 64 XFCE with nvidia 520M driver 390. French version. No issues after update.
Tried with:
- Bank
- Element client matrix
- Netflix

I can't test it with video conferencing like Jitsi or BBB.
CC: (none) => guillaume.royer
MGA8-64 Plasma, tested US English version. Tried several websites, Facebook, newspaper, Youtube, Mageia Bugzilla. No issues noted.
CC: (none) => andrewsfarm
MGA8-32 Xfce on real 32-bit hardware, updating US, CA, and GB English. No installation issues. No problems using the existing profile. Tried some websites, including the GOES visible satellite loop for the Northeastern US. Lights of Toronto, Buffalo, Rochester, Syracuse, Albany, Pittsburgh, Cleveland, Washington DC, New York City, Boston, and others in the image. Pretty. No issues noted. Giving this an OK, and validating. Advisory in Comment 1.
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Tested 64bits version. No regression seen.
CC: (none) => yves.brungard_mageia
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0505.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.

Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0505.html
Mozilla Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/

Suggested change(s):
MOZ-2021-0008 -> CVE-2021-43535
MOZ-2021-0007 -> CVE-2021-43534
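
To confirm that a Mageia 8 host has picked up this update, the following added example (not part of the bug thread or of Mageia's tooling) compares installed packages against the fixed versions listed in the update request. The `lib64*` package names, the simplified RPM version comparison (no epoch, `~` or `^` handling) and the sample input are assumptions made for the example.

```python
import re

# Fixed versions taken from the package list in this update request.
FIXED = {"firefox": "91.3.0-1.mga8", "nss": "3.72.0-1.mga8"}
# Binary packages of the nss SRPM; the lib64* names are assumed x86_64 variants.
NSS_PKGS = {"nss", "nss-doc", "libnss3", "libnss-devel", "libnss-static-devel",
            "lib64nss3", "lib64nss-devel", "lib64nss-static-devel"}

def vercmp(a, b):
    """Simplified rpmvercmp over digit/letter runs: returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # 91.10 is newer than 91.3
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def family(name):
    # firefox-<lang> language packs carry the same version as firefox itself.
    if name == "firefox" or name.startswith("firefox-"):
        return "firefox"
    return "nss" if name in NSS_PKGS else None

def outdated(rpm_lines):
    """Return [(name, installed, fixed)] for packages older than the fix."""
    hits = []
    for line in filter(str.strip, rpm_lines.splitlines()):
        name, evr = line.split()
        fam = family(name)
        if fam and evr_cmp(evr, FIXED[fam]) < 0:
            hits.append((name, evr, FIXED[fam]))
    return hits

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
firefox 91.2.0-1.mga8
firefox-fr 91.3.0-1.mga8
libnss3 3.71.0-1.mga8
nss 3.72.0-1.mga8
bash 5.1.4-1.mga8
"""
print(outdated(SAMPLE))
```

Feed it the real output of the `rpm -qa` query shown in the comment; any tuple returned names a package that still predates the fixed build.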