Mozilla has released Firefox 91.9.0 today (May 3):
https://www.mozilla.org/en-US/firefox/91.9.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hQUjX_jwbEk
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
nss-3.78.0-1.mga8
nss-doc-3.78.0-1.mga8
libnss3-3.78.0-1.mga8
libnss-devel-3.78.0-1.mga8
libnss-static-devel-3.78.0-1.mga8
firefox-91.9.0-1.mga8
firefox-ru-91.9.0-1.mga8
firefox-uk-91.9.0-1.mga8
firefox-be-91.9.0-1.mga8
firefox-el-91.9.0-1.mga8
firefox-kk-91.9.0-1.mga8
firefox-th-91.9.0-1.mga8
firefox-pa_IN-91.9.0-1.mga8
firefox-ka-91.9.0-1.mga8
firefox-ja-91.9.0-1.mga8
firefox-bg-91.9.0-1.mga8
firefox-sr-91.9.0-1.mga8
firefox-hy_AM-91.9.0-1.mga8
firefox-ko-91.9.0-1.mga8
firefox-zh_TW-91.9.0-1.mga8
firefox-vi-91.9.0-1.mga8
firefox-zh_CN-91.9.0-1.mga8
firefox-hu-91.9.0-1.mga8
firefox-bn-91.9.0-1.mga8
firefox-hi_IN-91.9.0-1.mga8
firefox-ar-91.9.0-1.mga8
firefox-sk-91.9.0-1.mga8
firefox-cs-91.9.0-1.mga8
firefox-ur-91.9.0-1.mga8
firefox-hsb-91.9.0-1.mga8
firefox-lt-91.9.0-1.mga8
firefox-te-91.9.0-1.mga8
firefox-fr-91.9.0-1.mga8
firefox-he-91.9.0-1.mga8
firefox-pl-91.9.0-1.mga8
firefox-sq-91.9.0-1.mga8
firefox-fa-91.9.0-1.mga8
firefox-de-91.9.0-1.mga8
firefox-oc-91.9.0-1.mga8
firefox-tr-91.9.0-1.mga8
firefox-kab-91.9.0-1.mga8
firefox-es_MX-91.9.0-1.mga8
firefox-es_AR-91.9.0-1.mga8
firefox-es_CL-91.9.0-1.mga8
firefox-pt_PT-91.9.0-1.mga8
firefox-fy_NL-91.9.0-1.mga8
firefox-pt_BR-91.9.0-1.mga8
firefox-gl-91.9.0-1.mga8
firefox-cy-91.9.0-1.mga8
firefox-sv_SE-91.9.0-1.mga8
firefox-gd-91.9.0-1.mga8
firefox-km-91.9.0-1.mga8
firefox-ro-91.9.0-1.mga8
firefox-mr-91.9.0-1.mga8
firefox-gu_IN-91.9.0-1.mga8
firefox-hr-91.9.0-1.mga8
firefox-sl-91.9.0-1.mga8
firefox-nl-91.9.0-1.mga8
firefox-es_ES-91.9.0-1.mga8
firefox-eo-91.9.0-1.mga8
firefox-ca-91.9.0-1.mga8
firefox-da-91.9.0-1.mga8
firefox-fi-91.9.0-1.mga8
firefox-eu-91.9.0-1.mga8
firefox-ia-91.9.0-1.mga8
firefox-nn_NO-91.9.0-1.mga8
firefox-nb_NO-91.9.0-1.mga8
firefox-br-91.9.0-1.mga8
firefox-id-91.9.0-1.mga8
firefox-tl-91.9.0-1.mga8
firefox-my-91.9.0-1.mga8
firefox-ta-91.9.0-1.mga8
firefox-en_GB-91.9.0-1.mga8
firefox-szl-91.9.0-1.mga8
firefox-en_CA-91.9.0-1.mga8
firefox-an-91.9.0-1.mga8
firefox-ast-91.9.0-1.mga8
firefox-kn-91.9.0-1.mga8
firefox-az-91.9.0-1.mga8
firefox-si-91.9.0-1.mga8
firefox-en_US-91.9.0-1.mga8
firefox-et-91.9.0-1.mga8
firefox-ff-91.9.0-1.mga8
firefox-lij-91.9.0-1.mga8
firefox-uz-91.9.0-1.mga8
firefox-is-91.9.0-1.mga8
firefox-mk-91.9.0-1.mga8
firefox-lv-91.9.0-1.mga8
firefox-bs-91.9.0-1.mga8
firefox-ga_IE-91.9.0-1.mga8
firefox-it-91.9.0-1.mga8
firefox-ms-91.9.0-1.mga8
firefox-xh-91.9.0-1.mga8
firefox-af-91.9.0-1.mga8

from SRPMS:
nss-3.78.0-1.mga8.src.rpm
firefox-91.9.0-1.mga8.src.rpm
firefox-l10n-91.9.0-1.mga8.src.rpm
Packages are in the process of being submitted to the build system and should be available later today.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions (CVE-2022-29909).

Firefox did not properly protect against top-level navigations for an iframe sandbox with a policy relaxed through a keyword like allow-top-navigation-by-user-activation (CVE-2022-29911).

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute (CVE-2022-29912).

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks (CVE-2022-29914).

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history (CVE-2022-29916).

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-29917).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29917
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_78.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-17/
Packages have been submitted to the build system and will be available eventually.
Assignee: luigiwalser => qa-bugs
OK mga8-64, Plasma, nvidia-current, Swedish locale
Some banking sites, webshops, video sites, printing.
CC: (none) => fri
mga8, x64
Updated and restarted firefox. Restored previous session. Working fine - local file browser, command-line invocation of YouTube video, interactive word puzzle, Google Maps....
CC: (none) => tarazed25
MGA8-64, Gnome, Asus Laptop AMD A6-9225 RADEON R4 RTL8723BE Bluetooth

The following 5 packages are going to be installed:

- firefox-91.9.0-1.mga8.x86_64
- firefox-en_CA-91.9.0-1.mga8.noarch
- firefox-en_GB-91.9.0-1.mga8.noarch
- firefox-en_US-91.9.0-1.mga8.noarch
- lib64nss3-3.78.0-1.mga8.x86_64

945B of disk space will be freed.

---- restarted system

I've used it on my favorite websites (video/audio/text) - no issues
CC: (none) => brtians1
RedHat has issued an advisory for this today (May 4): https://access.redhat.com/errata/RHSA-2022:1705
Blocks: (none) => 30374
Hi,
Updated from 91.8 in Mageia 8 Plasma x86_64. Writing from new version now. No issues for the moment. Banks, sync, addons, Spanish locale, YouTube OK.
Greetings!
CC: (none) => joselp
Updated the mga8-64 US English Firefox and Thunderbird in one operation. No issues to report with either.
CC: (none) => andrewsfarm
Validating the update. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0162.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED