Mozilla has released Firefox 91.3.0 today (November 2):
Security issues fixed:
NSS 3.72 is also out:
Update in progress.
Package list should be as follows.
Updated packages in core/updates_testing:
RedHat has issued an advisory for this on November 3:
Packages are uploading now and should be available in the next few hours.
Updated firefox packages fix security vulnerabilities:
The iframe sandbox rules were not correctly applied to XSLT stylesheets,
allowing an iframe to bypass restrictions such as executing scripts or
navigating the top-level frame (CVE-2021-38503).
When interacting with an HTML input element's file picker dialog with
webkitdirectory set, a use-after-free could have resulted, leading to memory
corruption and a potentially exploitable crash (CVE-2021-38504).
Through a series of navigations, Firefox could have entered fullscreen mode
without notification or warning to the user. This could lead to spoofing
attacks on the browser UI including phishing (CVE-2021-38506).
The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection
to be transparently upgraded to TLS while retaining the visual properties of
an HTTP connection, including being same-origin with unencrypted connections
on port 80. However, if a second encrypted port on the same IP address (e.g.
port 8443) did not opt in to opportunistic encryption, a network attacker
could forward a connection from the browser to port 443 to port 8443, causing
the browser to treat the content of port 8443 as same-origin with HTTP. This
was resolved by disabling the Opportunistic Encryption feature, which had low
A use-after-free could have occurred when an HTTP2 session object was released
on a different thread, leading to memory corruption and a potentially
exploitable crash (MOZ-2021-0008).
By displaying a form validity message in the correct location at the same time
as a permission prompt (such as for geolocation), the validity message could
have obscured the prompt, resulting in the user potentially being tricked into
granting the permission (CVE-2021-38508).
dialog with arbitrary (although unstyled) contents could be displayed over top
an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).
Mozilla developers and community members Christian Holler, Valentin Gosu, and
Andrew McCreight reported memory safety bugs present in Firefox ESR 91.2. Some
of these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
I have tried the new version. Works fine: banks, downloads, settings, language correct in Spanish.
Tested on Mageia Gnome X64.
I've tried several websites, legal streaming audio and video websites, bank ... settings, installed extensions, French settings.
All is OK and works fine.
MGA8-64 Plasma on Lenovo B50
No installation issues.
Dutch settings, no issues seen on usual operations.
OK mga8-64, Plasma, nvidia-current, Swedish
Open tabs and settings retained.
Banking apps, a bunch of sites I normally visit, video, ...
MGA 64 XFCE with nvidia 520M driver 390.
No issues after update.
- Element client (Matrix)
I can't test it with video conferencing like Jitsi or BBB.
MGA8-64 Plasma, tested US English version. Tried several websites, Facebook, newspaper, Youtube, Mageia Bugzilla. No issues noted.
MGA8-32 Xfce on real 32-bit hardware, updating US, CA, and GB English.
No installation issues. No problems using the existing profile. Tried some websites, including the GOES visible satellite loop for the Northeastern US. Lights of Toronto, Buffalo, Rochester, Syracuse, Albany, Pittsburgh, Cleveland, Washington DC, New York City, Boston, and others in the image. Pretty.
No issues noted.
Giving this an OK, and validating. Advisory in Comment 1.
Tested 64-bit version.
No regression seen.
An update for this issue has been pushed to the Mageia Updates repository.
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.
Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0505.html
MOZ-2021-0008 -> CVE-2021-43535
MOZ-2021-0007 -> CVE-2021-43534