Mozilla has released Firefox 91.7.0 today (March 7):
https://www.mozilla.org/en-US/firefox/91.7.0/releasenotes/

The release notes for 91.7.0 are not available yet as of this posting.

NSS and rootcerts updates already went out in Bug 30124.

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
firefox-91.7.0-1.mga8
firefox-ru-91.7.0-1.mga8
firefox-uk-91.7.0-1.mga8
firefox-be-91.7.0-1.mga8
firefox-el-91.7.0-1.mga8
firefox-kk-91.7.0-1.mga8
firefox-th-91.7.0-1.mga8
firefox-pa_IN-91.7.0-1.mga8
firefox-ka-91.7.0-1.mga8
firefox-ja-91.7.0-1.mga8
firefox-bg-91.7.0-1.mga8
firefox-sr-91.7.0-1.mga8
firefox-hy_AM-91.7.0-1.mga8
firefox-ko-91.7.0-1.mga8
firefox-zh_TW-91.7.0-1.mga8
firefox-vi-91.7.0-1.mga8
firefox-zh_CN-91.7.0-1.mga8
firefox-hu-91.7.0-1.mga8
firefox-bn-91.7.0-1.mga8
firefox-hi_IN-91.7.0-1.mga8
firefox-ar-91.7.0-1.mga8
firefox-sk-91.7.0-1.mga8
firefox-cs-91.7.0-1.mga8
firefox-ur-91.7.0-1.mga8
firefox-hsb-91.7.0-1.mga8
firefox-lt-91.7.0-1.mga8
firefox-te-91.7.0-1.mga8
firefox-fr-91.7.0-1.mga8
firefox-he-91.7.0-1.mga8
firefox-pl-91.7.0-1.mga8
firefox-sq-91.7.0-1.mga8
firefox-fa-91.7.0-1.mga8
firefox-de-91.7.0-1.mga8
firefox-oc-91.7.0-1.mga8
firefox-tr-91.7.0-1.mga8
firefox-kab-91.7.0-1.mga8
firefox-es_MX-91.7.0-1.mga8
firefox-es_AR-91.7.0-1.mga8
firefox-es_CL-91.7.0-1.mga8
firefox-pt_PT-91.7.0-1.mga8
firefox-fy_NL-91.7.0-1.mga8
firefox-pt_BR-91.7.0-1.mga8
firefox-gl-91.7.0-1.mga8
firefox-cy-91.7.0-1.mga8
firefox-sv_SE-91.7.0-1.mga8
firefox-gd-91.7.0-1.mga8
firefox-km-91.7.0-1.mga8
firefox-ro-91.7.0-1.mga8
firefox-mr-91.7.0-1.mga8
firefox-gu_IN-91.7.0-1.mga8
firefox-hr-91.7.0-1.mga8
firefox-sl-91.7.0-1.mga8
firefox-nl-91.7.0-1.mga8
firefox-es_ES-91.7.0-1.mga8
firefox-eo-91.7.0-1.mga8
firefox-ca-91.7.0-1.mga8
firefox-da-91.7.0-1.mga8
firefox-fi-91.7.0-1.mga8
firefox-eu-91.7.0-1.mga8
firefox-ia-91.7.0-1.mga8
firefox-nn_NO-91.7.0-1.mga8
firefox-nb_NO-91.7.0-1.mga8
firefox-br-91.7.0-1.mga8
firefox-id-91.7.0-1.mga8
firefox-tl-91.7.0-1.mga8
firefox-my-91.7.0-1.mga8
firefox-ta-91.7.0-1.mga8
firefox-en_GB-91.7.0-1.mga8
firefox-szl-91.7.0-1.mga8
firefox-en_CA-91.7.0-1.mga8
firefox-an-91.7.0-1.mga8
firefox-ast-91.7.0-1.mga8
firefox-kn-91.7.0-1.mga8
firefox-az-91.7.0-1.mga8
firefox-si-91.7.0-1.mga8
firefox-en_US-91.7.0-1.mga8
firefox-et-91.7.0-1.mga8
firefox-ff-91.7.0-1.mga8
firefox-lij-91.7.0-1.mga8
firefox-uz-91.7.0-1.mga8
firefox-is-91.7.0-1.mga8
firefox-mk-91.7.0-1.mga8
firefox-lv-91.7.0-1.mga8
firefox-bs-91.7.0-1.mga8
firefox-ga_IE-91.7.0-1.mga8
firefox-it-91.7.0-1.mga8
firefox-ms-91.7.0-1.mga8
firefox-xh-91.7.0-1.mga8
firefox-af-91.7.0-1.mga8

from SRPMS:
firefox-91.7.0-1.mga8.src.rpm
firefox-l10n-91.7.0-1.mga8.src.rpm
Packages submitted to the build system and should be available in a few hours.
Assignee: luigiwalser => qa-bugs
Advisory committed to svn as ...

$ cat 30134.adv
type: security
subject: Updated firefox packages fix security vulnerability
src:
  8:
    core:
      - firefox-91.7.0-1.mga8
      - firefox-l10n-91.7.0-1.mga8
description: |
  Release notes are not available at this time. See the referenced
  link when they do become available.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=30134
  - https://www.mozilla.org/en-US/firefox/91.7.0/releasenotes/

CC: (none) => davidwhodgins
Keywords: (none) => advisory
That's not the real advisory. The release notes will be available tomorrow.
Keywords: advisory => (none)
Tested on x86-64 using Canadian English and Parisian French, i586 under vb, and aarch64 on rpi 4b. Validating the update. Ready to push as soon as the real advisory is available and updated in svn.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Thanks. I don't think the updates pushing script actually checks for the advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold off on validating while there's an incorrect one there.
Keywords: validated_update => (none)
Hi, I have tested in Vbox and in my personal computer. Works fine, video and audio, settings, banks, sync, updated from Firefox 91.6.
CC: (none) => joselp
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash (CVE-2022-26381).

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification (CVE-2022-26383).

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox (CVE-2022-26384).

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory (CVE-2022-26386).

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed (CVE-2022-26387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26387
https://www.mozilla.org/en-US/security/advisories/mfsa2022-11/
Keywords: (none) => advisory, validated_update
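The verify-then-use race described for CVE-2022-26387 above, as an added illustration that is not part of this bug thread and is not Firefox's code. The package layout, key and function names are constructed for the demo, and an HMAC stands in for a real signature check.

```python
import hashlib, hmac, os, tempfile

KEY = b"constructed-demo-key"   # assumption: stand-in for a real signing key

def sign(payload):
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def is_signed(blob):
    # Constructed layout: 32-byte MAC followed by the payload it covers.
    return hmac.compare_digest(blob[:32], sign(blob[32:]))

def read(path):
    with open(path, "rb") as f:
        return f.read()

def write(path, blob):
    with open(path, "wb") as f:
        f.write(blob)

def install_racy(path, prompt):
    """Check the file, prompt, then read the path again for installation."""
    if not is_signed(read(path)):
        raise ValueError("bad signature")
    if not prompt():
        return None
    return read(path)[32:]       # second read: not the bytes that were verified

def install_pinned(path, prompt):
    """Read once, verify those bytes, and install only those same bytes."""
    blob = read(path)
    if not is_signed(blob):
        raise ValueError("bad signature")
    if not prompt():
        return None
    return blob[32:]             # the file on disk is never consulted again

def demo():
    good = b"benign add-on"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "addon.pkg")
        def accept_while_file_changes():
            # Models the file being rewritten while the prompt is open.
            write(path, b"\0" * 32 + b"modified after check")
            return True
        write(path, sign(good) + good)
        racy = install_racy(path, accept_while_file_changes)
        write(path, sign(good) + good)
        pinned = install_pinned(path, accept_while_file_changes)
    return racy, pinned
```

`demo()` returns the payload each flow would install: the racy flow yields the unverified replacement, the pinned flow yields the content that was actually checked.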
(In reply to David Walser from comment #5)
> Thanks. I don't think the updates pushing script actually checks for the
> advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold
> off on validating while there's an incorrect one there.

Yes, if there is an advisory file added in svn, we only check for validated_update keyword (and potential blocker bugs)

the "advisory" keyword is for showing up as a "*" in madb to inform that the advisory has been added to svn.

Is the updated advisory from comment 7 committed to svn?
Yes, David Walser updated it at 2022-03-08 16:14:17 +0100
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0093.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
OK mga8-64, swedish, i7, plasma, nvidia-current, 4kscreen various sites; banking, video...
CC: (none) => fri
RedHat has issued an advisory for this today (March 10): https://access.redhat.com/errata/RHSA-2022:0818