Mozilla has released Firefox 91.7.0 today (March 7):
The release notes for 91.7.0 are not available yet as of this posting.
NSS and rootcerts updates already went out in Bug 30124.
Package list should be as follows.
Updated packages in core/updates_testing:
Packages submitted to the build system and should be available in a few hours.
Advisory committed to svn as ...
$ cat 30134.adv
subject: Updated firefox packages fix security vulnerability
Release notes are not available at this time. See the referenced
link when they do become available.
That's not the real advisory. The release notes will be available tomorrow.
Tested on x86-64 using Canadian English and Parisian French, i586 under vb, and
aarch64 on rpi 4b.
Validating the update. Ready to push as soon as the real advisory is available
and updated in svn.
Thanks. I don't think the updates pushing script actually checks for the advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold off on validating while there's an incorrect one there.
Hi, I have tested in Vbox and on my personal computer. Works fine, video and audio, settings, banks, sync, updated from Firefox 91.6.
Updated firefox packages fix security vulnerabilities:
An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object leading to a potentially exploitable crash (CVE-2022-26381).
When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification (CVE-2022-26383).
If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
Previously Firefox for macOS and Linux would download temporary files to a
user-specific directory in /tmp, but this behavior was changed to download
them to /tmp where they could be affected by other local users. This behavior
was reverted to the original, user-specific directory (CVE-2022-26386).
When installing an add-on, Firefox verified the signature before prompting the
user; but while the user was confirming the prompt, the underlying add-on file
could have been modified and Firefox would not have noticed (CVE-2022-26387).
(In reply to David Walser from comment #5)
> Thanks. I don't think the updates pushing script actually checks for the
> advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold
> off on validating while there's an incorrect one there.
Yes, if there is an advisory file added in svn, we only check for the validated_update keyword (and potential blocker bugs).
The "advisory" keyword is for showing up as a "*" in madb to inform that the advisory has been added to svn.
Is the updated advisory from comment 7 committed to svn?
Yes, David Walser updated it at 2022-03-08 16:14:17 +0100
An update for this issue has been pushed to the Mageia Updates repository.
OK mga8-64, Swedish, i7, plasma, nvidia-current, 4k screen
various sites; banking, video...
Red Hat has issued an advisory for this today (March 10):