Mozilla has released Firefox 91.5.0 today (January 10):
https://www.mozilla.org/en-US/firefox/91.5.0/releasenotes/

The release notes for 91.5.0 are not available yet as of this posting.

There are also rootcerts, nspr, and nss updates (last link currently unavailable):
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/RDHVnt1nlWw
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/5cpT9SNXYSM
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnspr4-4.33-1.mga8
libnspr-devel-4.33-1.mga8
rootcerts-20211213.00-1.mga8
rootcerts-java-20211213.00-1.mga8
nss-3.74.0-1.mga8
nss-doc-3.74.0-1.mga8
libnss3-3.74.0-1.mga8
libnss-devel-3.74.0-1.mga8
libnss-static-devel-3.74.0-1.mga8
firefox-91.5.0-1.mga8
firefox-ru-91.5.0-1.mga8
firefox-uk-91.5.0-1.mga8
firefox-be-91.5.0-1.mga8
firefox-el-91.5.0-1.mga8
firefox-kk-91.5.0-1.mga8
firefox-th-91.5.0-1.mga8
firefox-pa_IN-91.5.0-1.mga8
firefox-ka-91.5.0-1.mga8
firefox-ja-91.5.0-1.mga8
firefox-bg-91.5.0-1.mga8
firefox-sr-91.5.0-1.mga8
firefox-hy_AM-91.5.0-1.mga8
firefox-ko-91.5.0-1.mga8
firefox-zh_TW-91.5.0-1.mga8
firefox-vi-91.5.0-1.mga8
firefox-zh_CN-91.5.0-1.mga8
firefox-hu-91.5.0-1.mga8
firefox-bn-91.5.0-1.mga8
firefox-hi_IN-91.5.0-1.mga8
firefox-ar-91.5.0-1.mga8
firefox-sk-91.5.0-1.mga8
firefox-cs-91.5.0-1.mga8
firefox-ur-91.5.0-1.mga8
firefox-hsb-91.5.0-1.mga8
firefox-lt-91.5.0-1.mga8
firefox-te-91.5.0-1.mga8
firefox-fr-91.5.0-1.mga8
firefox-he-91.5.0-1.mga8
firefox-pl-91.5.0-1.mga8
firefox-sq-91.5.0-1.mga8
firefox-fa-91.5.0-1.mga8
firefox-de-91.5.0-1.mga8
firefox-oc-91.5.0-1.mga8
firefox-tr-91.5.0-1.mga8
firefox-kab-91.5.0-1.mga8
firefox-es_MX-91.5.0-1.mga8
firefox-es_AR-91.5.0-1.mga8
firefox-es_CL-91.5.0-1.mga8
firefox-pt_PT-91.5.0-1.mga8
firefox-fy_NL-91.5.0-1.mga8
firefox-pt_BR-91.5.0-1.mga8
firefox-gl-91.5.0-1.mga8
firefox-cy-91.5.0-1.mga8
firefox-sv_SE-91.5.0-1.mga8
firefox-gd-91.5.0-1.mga8
firefox-km-91.5.0-1.mga8
firefox-ro-91.5.0-1.mga8
firefox-mr-91.5.0-1.mga8
firefox-gu_IN-91.5.0-1.mga8
firefox-hr-91.5.0-1.mga8
firefox-sl-91.5.0-1.mga8
firefox-nl-91.5.0-1.mga8
firefox-es_ES-91.5.0-1.mga8
firefox-eo-91.5.0-1.mga8
firefox-ca-91.5.0-1.mga8
firefox-da-91.5.0-1.mga8
firefox-fi-91.5.0-1.mga8
firefox-eu-91.5.0-1.mga8
firefox-ia-91.5.0-1.mga8
firefox-nn_NO-91.5.0-1.mga8
firefox-nb_NO-91.5.0-1.mga8
firefox-br-91.5.0-1.mga8
firefox-id-91.5.0-1.mga8
firefox-tl-91.5.0-1.mga8
firefox-my-91.5.0-1.mga8
firefox-ta-91.5.0-1.mga8
firefox-en_GB-91.5.0-1.mga8
firefox-szl-91.5.0-1.mga8
firefox-en_CA-91.5.0-1.mga8
firefox-an-91.5.0-1.mga8
firefox-ast-91.5.0-1.mga8
firefox-kn-91.5.0-1.mga8
firefox-az-91.5.0-1.mga8
firefox-si-91.5.0-1.mga8
firefox-en_US-91.5.0-1.mga8
firefox-et-91.5.0-1.mga8
firefox-ff-91.5.0-1.mga8
firefox-lij-91.5.0-1.mga8
firefox-uz-91.5.0-1.mga8
firefox-is-91.5.0-1.mga8
firefox-mk-91.5.0-1.mga8
firefox-lv-91.5.0-1.mga8
firefox-bs-91.5.0-1.mga8
firefox-ga_IE-91.5.0-1.mga8
firefox-it-91.5.0-1.mga8
firefox-ms-91.5.0-1.mga8
firefox-xh-91.5.0-1.mga8
firefox-af-91.5.0-1.mga8

from SRPMS:
nspr-4.33-1.mga8.src.rpm
rootcerts-20211213.00-1.mga8.src.rpm
nss-3.74.0-1.mga8.src.rpm
firefox-91.5.0-1.mga8.src.rpm
firefox-l10n-91.5.0-1.mga8.src.rpm
Build error in Cauldron:

35:42.88 Compiling wast v36.0.0
35:43.03 ld.lld: error: undefined symbol: wl_proxy_marshal_flags
35:43.03 >>> referenced by wayland-client-protocol.h:3672 (/usr/include/wayland-client-protocol.h:3672)
35:43.03 >>> /home/iurt/rpmbuild/BUILD/firefox-91.5.0/objdir/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:(mozilla::gl::DeleteWaylandGLSurface(void*))
35:43.03 >>> referenced by wayland-client-protocol.h:1291 (/usr/include/wayland-client-protocol.h:1291)
35:43.03 >>> /home/iurt/rpmbuild/BUILD/firefox-91.5.0/objdir/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:(mozilla::gl::GLContextEGL::CreateWaylandBufferSurface(mozilla::gl::EglDisplay&, void*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&))
35:43.03 >>> referenced by wayland-client-protocol.h:3914 (/usr/include/wayland-client-protocol.h:3914)
35:43.03 >>> /home/iurt/rpmbuild/BUILD/firefox-91.5.0/objdir/toolkit/library/build/../../../gfx/layers/Unified_cpp_gfx_layers1.o:(mozilla::layers::NativeLayerRootWayland::EnsureHideLayer(RefPtr<mozilla::layers::NativeLayerWayland> const&))
35:43.03 >>> referenced 85 more times
35:43.14 clang-13: error: linker command failed with exit code 1 (use -v to see invocation)
35:43.14 gmake[4]: *** [/home/iurt/rpmbuild/BUILD/firefox-91.5.0/config/rules.mk:545: libxul.so] Error 1
35:43.14 gmake[3]: *** [/home/iurt/rpmbuild/BUILD/firefox-91.5.0/config/recurse.mk:72: toolkit/library/build/target] Error 2
35:43.14 gmake[3]: *** Waiting for unfinished jobs....

http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20220111005043.luigiwalser.duvel.2060387/log/firefox-91.5.0-1.mga9/build.aarch64.0.20220111005620.log
Packages built for Mageia 8. Need help with Cauldron.
Assignee: luigiwalser => pkg-bugs
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
See if https://www.linuxquestions.org/questions/slackware-14/regression-on-current-with-mozilla-firefox-and-mozilla-thunderbird-4175704869/ helps.
CC: (none) => davidwhodgins
Hi, Installed in Mageia 8 Vbox x64, works fine, banks, youtube, addons, all ok for the moment. Updated from Firefox 91.4, all settings saved ok. Greetings!!
CC: (none) => joselpddj
(In reply to David Walser from comment #1)
> 35:43.03 ld.lld: error: undefined symbol: wl_proxy_marshal_flags
> 35:43.03 >>> referenced by wayland-client-protocol.h:3672
> (/usr/include/wayland-client-protocol.h:3672)

I had the same problem with thunderbird and found: https://bugs.gentoo.org/811840#c7. The issue seems to come from version 1.20 of wayland.
CC: (none) => nicolas.salguero
blino also found this upstream fix which I assume will be in 91.6:
https://hg.mozilla.org/releases/mozilla-beta/rev/9868f275bf47

Updated packages uploaded for Mageia 8 and Cauldron.

Security fixes:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
OK for me mga8-64 Plasma, x11, nvidia-current, 4K screen, swedish

- firefox-91.5.0-1.mga8.x86_64
- firefox-sv_SE-91.5.0-1.mga8.noarch
- lib64nspr4-4.33-1.mga8.x86_64
- lib64nss3-3.74.0-1.mga8.x86_64
- nss-3.74.0-1.mga8.x86_64
- rootcerts-20211213.00-1.mga8.noarch

Clean upgrade, preserved open tabs, settings, plugins

Tested banking sites, tax, some video sites, other sites, all OK
CC: (none) => fri
mga8, x64

Updated the packages including en_GB, en_US and en_CA. Firefox restarted with all bookmarks listed. Restored previous session OK. Running fine just now on a range of sites.
CC: (none) => tarazed25
MGA8 X64 update with QA repo and packages Fr. Firefox running fine. Element client web Matrix ok
CC: (none) => guillaume.royer
Validating the update
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
Blocks: (none) => 29873
SVN advisory corrected to match the following.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox (CVE-2021-4140).

Constructing audio sinks could have led to a race condition when playing audio files and closing windows. This could have led to a use-after-free causing a potentially exploitable crash (CVE-2022-22737).

Applying a CSS filter effect could have accessed out of bounds memory. This could have led to a heap-buffer-overflow in blendGaussianBlur causing a potentially exploitable crash (CVE-2022-22738).

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol due to missing throttling on external protocol launch dialog (CVE-2022-22739).

Certain network request objects were freed too early when releasing a network request handle. This could have led to a use-after-free of ChannelEventQueue::mOwner causing a potentially exploitable crash (CVE-2022-22740).

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode (CVE-2022-22741).

When inserting text while in edit mode, some characters might have led to out-of-bounds memory access causing a potentially exploitable crash (CVE-2022-22742).

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode (CVE-2022-22743).

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations (CVE-2022-22745).

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable (CVE-2022-22747).

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol (CVE-2022-22748).

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-22751).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22751
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/RDHVnt1nlWw
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/5cpT9SNXYSM
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0013.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Pushed with the incorrect advisory :o( Oh well.
RedHat has issued an advisory for this today (January 12): https://access.redhat.com/errata/RHSA-2022:0130
(In reply to David Walser from comment #11)
> After accepting an untrusted certificate, handling an empty pkcs7 sequence as
> part of the certificate data could have led to a crash. This crash is
> believed to be unexploitable (CVE-2022-22747).
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22747
> https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_74.html
> https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

This particular fix was actually in nss, it's this one from the nss release notes: "Bug 1735028 - Check for missing signedData field."

https://www.debian.org/security/2022/dsa-5062