Mozilla has released Firefox 102.3.0 today (September 19): https://www.mozilla.org/en-US/firefox/102.3.0/releasenotes/ The release notes have not been posted yet. There are also rootcerts, nspr, and nss updates: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/K4hptojx5CQ https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/AZdgucrnRTQ https://firefox-source-docs.mozilla.org/security/nss/releases/index.html https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html Package list will be posted after they're built.
Updates have been submitted to the build system and should be available by the end of the day. Package list should be as follows. Updated packages in core/updates_testing: ======================================== rootcerts-20220907.00-1.mga8 rootcerts-java-20220907.00-1.mga8 libnspr4-4.35-1.mga8 libnspr-devel-4.35-1.mga8 libnss3-3.83.0-1.mga8 libnss-devel-3.83.0-1.mga8 libnss-static-devel-3.83.0-1.mga8 nss-3.83.0-1.mga8 nss-doc-3.83.0-1.mga8 firefox-102.3.0-1.mga8 firefox-af-102.3.0-1.mga8 firefox-an-102.3.0-1.mga8 firefox-ar-102.3.0-1.mga8 firefox-ast-102.3.0-1.mga8 firefox-az-102.3.0-1.mga8 firefox-be-102.3.0-1.mga8 firefox-bg-102.3.0-1.mga8 firefox-bn-102.3.0-1.mga8 firefox-br-102.3.0-1.mga8 firefox-bs-102.3.0-1.mga8 firefox-ca-102.3.0-1.mga8 firefox-cs-102.3.0-1.mga8 firefox-cy-102.3.0-1.mga8 firefox-da-102.3.0-1.mga8 firefox-de-102.3.0-1.mga8 firefox-el-102.3.0-1.mga8 firefox-en_CA-102.3.0-1.mga8 firefox-en_GB-102.3.0-1.mga8 firefox-en_US-102.3.0-1.mga8 firefox-eo-102.3.0-1.mga8 firefox-es_AR-102.3.0-1.mga8 firefox-es_CL-102.3.0-1.mga8 firefox-es_ES-102.3.0-1.mga8 firefox-es_MX-102.3.0-1.mga8 firefox-et-102.3.0-1.mga8 firefox-eu-102.3.0-1.mga8 firefox-fa-102.3.0-1.mga8 firefox-ff-102.3.0-1.mga8 firefox-fi-102.3.0-1.mga8 firefox-fr-102.3.0-1.mga8 firefox-fy_NL-102.3.0-1.mga8 firefox-ga_IE-102.3.0-1.mga8 firefox-gd-102.3.0-1.mga8 firefox-gl-102.3.0-1.mga8 firefox-gu_IN-102.3.0-1.mga8 firefox-he-102.3.0-1.mga8 firefox-hi_IN-102.3.0-1.mga8 firefox-hr-102.3.0-1.mga8 firefox-hsb-102.3.0-1.mga8 firefox-hu-102.3.0-1.mga8 firefox-hy_AM-102.3.0-1.mga8 firefox-ia-102.3.0-1.mga8 firefox-id-102.3.0-1.mga8 firefox-is-102.3.0-1.mga8 firefox-it-102.3.0-1.mga8 firefox-ja-102.3.0-1.mga8 firefox-ka-102.3.0-1.mga8 firefox-kab-102.3.0-1.mga8 firefox-kk-102.3.0-1.mga8 firefox-km-102.3.0-1.mga8 firefox-kn-102.3.0-1.mga8 firefox-ko-102.3.0-1.mga8 firefox-lij-102.3.0-1.mga8 firefox-lt-102.3.0-1.mga8 firefox-lv-102.3.0-1.mga8 firefox-mk-102.3.0-1.mga8 firefox-mr-102.3.0-1.mga8 firefox-ms-102.3.0-1.mga8 firefox-my-102.3.0-1.mga8 firefox-nb_NO-102.3.0-1.mga8 firefox-nl-102.3.0-1.mga8 firefox-nn_NO-102.3.0-1.mga8 firefox-oc-102.3.0-1.mga8 firefox-pa_IN-102.3.0-1.mga8 firefox-pl-102.3.0-1.mga8 firefox-pt_BR-102.3.0-1.mga8 firefox-pt_PT-102.3.0-1.mga8 firefox-ro-102.3.0-1.mga8 firefox-ru-102.3.0-1.mga8 firefox-si-102.3.0-1.mga8 firefox-sk-102.3.0-1.mga8 firefox-sl-102.3.0-1.mga8 firefox-sq-102.3.0-1.mga8 firefox-sr-102.3.0-1.mga8 firefox-sv_SE-102.3.0-1.mga8 firefox-szl-102.3.0-1.mga8 firefox-ta-102.3.0-1.mga8 firefox-te-102.3.0-1.mga8 firefox-th-102.3.0-1.mga8 firefox-tl-102.3.0-1.mga8 firefox-tr-102.3.0-1.mga8 firefox-uk-102.3.0-1.mga8 firefox-ur-102.3.0-1.mga8 firefox-uz-102.3.0-1.mga8 firefox-vi-102.3.0-1.mga8 firefox-xh-102.3.0-1.mga8 firefox-zh_CN-102.3.0-1.mga8 firefox-zh_TW-102.3.0-1.mga8 from SRPMS: rootcerts-20220907.00-1.mga8.src.rpm nspr-4.35-1.mga8.src.rpm nss-3.83.0-1.mga8.src.rpm firefox-102.3.0-1.mga8.src.rpm firefox-l10n-102.3.0-1.mga8.src.rpm
Assignee: luigiwalser => qa-bugs
Blocks: (none) => 30870
Installed the following packages - firefox-102.3.0-1.mga8.i586 - firefox-es_AR-102.3.0-1.mga8.noarch - firefox-es_CL-102.3.0-1.mga8.noarch - firefox-es_ES-102.3.0-1.mga8.noarch - firefox-es_MX-102.3.0-1.mga8.noarch - libatomic1-10.4.0-3.mga8.i586 - libnspr4-4.35-1.mga8.i586 - libnss3-3.83.0-1.mga8.i586 - nss-3.83.0-1.mga8.i586 - rootcerts-20220907.00-1.mga8.noarch Installed without issue, rebooted the MGA8 X86 VM All menus are in the correct language The websites displays in my preferred language My personal proxy der certificate works, so I can browse internet The in private browsing works The developer tools are correctly translated The about firefox has the usual mageia - 1 message, but that is not release blocker for me MGA8 86 OK Not oking waiting another testers
CC: (none) => neoser10
Installed today, and updated from Firefox 102.2 version. Mageia 8 x86_64 with kernel 5.15.65, Plasma Desktop. No issues for the moment. Addons ok, bookmarks ok, language ok. Websites: Banks ok, youtube video and audio ok. Digital certificates ok. Greetings!
CC: (none) => joselp
mag8-64, plasma, nvidia-current, 4Kscreen, Intel i7 Updated cleanly to - firefox-102.3.0-1.mga8.x86_64 - firefox-sv_SE-102.3.0-1.mga8.noarch - lib64nspr4-4.35-1.mga8.x86_64 - lib64nss3-3.83.0-1.mga8.x86_64 - nss-3.83.0-1.mga8.x86_64 - rootcerts-20220907.00-1.mga8.noarch - rootcerts-java-20220907.00-1.mga8.noarch __Tests OK: Localisation (Swedish) Settings kept, open tabs restored. Bookmarks, Addons. Logged in on some banks and stores by different methods Played video on some sites Looks good, but more testers are always good. (In reply to Mauricio Andrés Bustamante Viveros from comment #2) > The about firefox has the usual mageia - 1 message Yes, it say Mozilla Firefox for Mageia mageia - 1.0 No need to spin a new now, but maybe that last line could simply be omitted in future releases?
CC: (none) => friWhiteboard: (none) => MGA8-64-OK, MGA8-32-OK
Hi, I noticed the same problem as with version 102.2, i.e. sound output, input (microphone) and sharing webcam are not working with BigBlueButton. That issue exists with a new profile as well as with an old one. That problem does not occur with the same version from MoFo so I think the problem comes from the way we build Firefox. That issue also occurred with ESR 78 but was solved by http://svnweb.mageia.org/packages/updates/8/firefox/current/SPECS/firefox.spec?r1=1721733&r2=1728822, which removed patch450, to solve bug 28359. Best regards, Nico.
CC: (none) => nicolas.salguero
It is normal that Firefox (and Thunderbird) outputs what for me seems to be strange errors in the terminal where I start it. The errors are not the same now as for the pre 100 versions. I find it strange that our packaged Firfox seem to try to open something from the flatpak system. I think it is correctly denied that. Swedish "Åtkomst nekas" = "Access denied" -------- (/usr/lib64/firefox/firefox:234528): dconf-WARNING **: 08:48:08.775: Unable to open /var/lib/flatpak/exports/share/dconf/profile/user: Åtkomst nekas [Parent 162170, Main Thread] WARNING: g_object_ref: assertion 'G_IS_OBJECT (object)' failed: 'glib warning', file /home/iurt/rpmbuild/BUILD/firefox-102.3.0/toolkit/xre/nsSigHandlers.cpp:167 (firefox:162170): GLib-GObject-CRITICAL **: 08:48:12.155: g_object_ref: assertion 'G_IS_OBJECT (object)' failed [2022-09-20T06:51:01Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
No installation issues on my Probook 6550b Plasma system. Only did a quick test so far, but I see that the color scheme of the drop-down menus has been changed for me to a dark background. Not sure at this time whether I like it or not...
CC: (none) => andrewsfarm
Ok for my normal x86_64 usage. Also tested on aarch64, and in an i586 vb guest. Also confirmed thunderbird works ok with the rest of the updates included here. Validating the update. Advisory committed to svn as ... $ cat 30867.adv type: security subject: Updated firefox packages fix security vulnerability CVE: - CVE-2022-40956 - CVE-2022-40957 - CVE-2022-40958 - CVE-2022-40959 - CVE-2022-40960 - CVE-2022-40962 src: 8: core: - rootcerts-20220907.00-1.mga8 - nspr-4.35-1.mga8 - nss-3.83.0-1.mga8 - firefox-102.3.0-1.mga8 - firefox-l10n-102.3.0-1.mga8 description: | Bypassing FeaturePolicy restrictions on transient pages (CVE-2022-40959) Data-race when parsing non-UTF-8 URLs in threads (CVE-2022-40960) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix (CVE-2022-40958) Content-Security-Policy base-uri bypass (CVE-2022-40956) Incoherent instruction cache when building WASM on ARM64 (CVE-2022-40957) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3 (CVE-2022-40962) references: - https://bugs.mageia.org/show_bug.cgi?id=30867 - https://www.mozilla.org/en-US/firefox/102.3.0/releasenotes/ - https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/K4hptojx5CQ - https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/AZdgucrnRTQ - https://firefox-source-docs.mozilla.org/security/nss/releases/index.html - https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html
Keywords: (none) => advisory, validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
OK for my normal usage, too. Looks like I'll have to find a new theme, though, or learn how to edit one. The one I've been using for years suddenly has the drop-down menus with white letters on a black background - the reverse of what it has been. Makes them MUCH more difficult to read for me.
I normally use plasma. In firefox I have the them set to use the system theme. In systemsettings5 I have the Colours set to use Breeze Dark. The drop down menus in firefox are white on black.
I have the same settings, except that systemsettings5 is set to Breeze. And all drop-down menus on the system, except Firefox, obey that setting. But with Firefox, the choice of Firefox theme overrides that setting. It apparently did not do so in the past, but it does now. I tried it, and installing a new custom Firefox theme from the thousands available will change the menu color scheme. You can create your own theme, but if it's possible to edit an existing Firefox theme, I haven't found out how yet. I'm thinking the downloaded ones may have copyright protection.
Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/ SVN advisory fixed to match the following. Advisory: ======================== Updated firefox packages fix security vulnerabilities: When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead (CVE-2022-40956). By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks (CVE-2022-40958). During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments (CVE-2022-40959). Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash (CVE-2022-40960). Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-40962). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40956 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40958 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40959 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40960 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40962 https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/K4hptojx5CQ https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/AZdgucrnRTQ https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0344.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
RedHat has issued an advisory for this today (September 26): https://access.redhat.com/errata/RHSA-2022:6700