Mozilla has released Firefox 91.4.0 today (December 6):
The release notes for 91.4.0 are not available yet as of this posting.
No rootcerts, nspr, or nss updates this time.
Package list should be as follows.
Updated packages in core/updates_testing:
Updates pushed to the build system and should be available on mirrors in a few hours.
Installed and tested on Mageia Virtualbox X64 XFCE
works fine with streaming and audio, bank ... sites.
Extensions (adblock, Bitwarden) work too.
Installed in Mageia Vbox X64 Plasma KDE; works fine for the moment: banks, YouTube, and other websites OK, addons OK. Right now I am writing from this version without issues.
MGA8-64 Plasma on Lenovo B50
No installation issues.
Running it now, youtube mahna-mahnam, newspaper site OK, extension for Belgian eid works OK.
MGA8 XFCE 64 Core I3 4Go RAM
No installation issues
Running with Netflix and MLO Forum :)
Bank site OK
All is ok
OK here 64 bit Plasma, Nvidia-current, Swedish localisation;
Various sites including bank, video, shopping... keep using it.
Security issues fixed:
Updated firefox packages fix security vulnerabilities:
Under certain circumstances, asynchronous functions could have caused a
navigation to fail but expose the target URL (CVE-2021-43536).
An incorrect type conversion of sizes from 64bit to 32bit integers allowed an
attacker to corrupt memory leading to a potentially exploitable crash due to a
heap buffer overflow when using structured clone (CVE-2021-43537).
By misusing a race in our notification code, an attacker could have forcefully
hidden the notification for pages that had received both full screen and
pointer lock access, which could have been used for spoofing attacks
Failure to correctly record the location of live pointers across wasm instance
calls resulted in a GC occurring within the call not tracing those live
pointers. This could have led to a use-after-free causing a potentially
exploitable crash (CVE-2021-43539).
When invoking protocol handlers for external protocols, a supplied parameter
URL containing spaces was not properly escaped (CVE-2021-43541).
Using XMLHttpRequest, an attacker could have identified installed applications
by probing error messages for loading external protocols (CVE-2021-43542).
Documents loaded with the CSP sandbox directive could have escaped the
sandbox's script restriction by embedding additional content (CVE-2021-43543).
Using the Location API in a loop could have caused severe application hangs
and crashes (CVE-2021-43545).
It was possible to recreate previous cursor spoofing attacks against users
with a zoomed native cursor (CVE-2021-43546).
Mozilla developers and community members Julian Hector, Randell Jesup,
Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported
memory safety bugs present in Firefox ESR 91.3. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code (MOZ-2021-0009).
RedHat has issued an advisory for this today (December 8):
MGA8-64, GNOME, Laptop
No issues so far using youtube, email, typical high advertisement website.
MGA8-64, Xfce, old laptop
Same - no issues
Installed US English versions of this and Thunderbird at the same time, on two separate machines. No installation issues, and no regressions noted as I used it for a few hours.
Lots of tests, no problems, calling this one OK, and validating. Advisory in Comment 7.
An update for this issue has been pushed to the Mageia Updates repository.
I was notified by Christian Fischer that the MOZ vulnerabilities have CVEs. SVN advisory updated.
Mageia Advisory: https://advisories.mageia.org/MGASA-2021-0551.html
MOZ-2021-0009 -> CVE-2021-4129