Mozilla has released Firefox 102.6.0 today (December 13):
https://www.mozilla.org/en-US/firefox/102.6.0/releasenotes/

The release notes have not been posted yet.

There is also an nss update (the rootcerts update is in Bug 31232):
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/NqCkaX216zY
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_86.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.86.0-1.mga8
libnss-devel-3.86.0-1.mga8
libnss-static-devel-3.86.0-1.mga8
nss-3.86.0-1.mga8
nss-doc-3.86.0-1.mga8
firefox-102.6.0-1.mga8
firefox-af-102.6.0-1.mga8
firefox-an-102.6.0-1.mga8
firefox-ar-102.6.0-1.mga8
firefox-ast-102.6.0-1.mga8
firefox-az-102.6.0-1.mga8
firefox-be-102.6.0-1.mga8
firefox-bg-102.6.0-1.mga8
firefox-bn-102.6.0-1.mga8
firefox-br-102.6.0-1.mga8
firefox-bs-102.6.0-1.mga8
firefox-ca-102.6.0-1.mga8
firefox-cs-102.6.0-1.mga8
firefox-cy-102.6.0-1.mga8
firefox-da-102.6.0-1.mga8
firefox-de-102.6.0-1.mga8
firefox-el-102.6.0-1.mga8
firefox-en_CA-102.6.0-1.mga8
firefox-en_GB-102.6.0-1.mga8
firefox-en_US-102.6.0-1.mga8
firefox-eo-102.6.0-1.mga8
firefox-es_AR-102.6.0-1.mga8
firefox-es_CL-102.6.0-1.mga8
firefox-es_ES-102.6.0-1.mga8
firefox-es_MX-102.6.0-1.mga8
firefox-et-102.6.0-1.mga8
firefox-eu-102.6.0-1.mga8
firefox-fa-102.6.0-1.mga8
firefox-ff-102.6.0-1.mga8
firefox-fi-102.6.0-1.mga8
firefox-fr-102.6.0-1.mga8
firefox-fy_NL-102.6.0-1.mga8
firefox-ga_IE-102.6.0-1.mga8
firefox-gd-102.6.0-1.mga8
firefox-gl-102.6.0-1.mga8
firefox-gu_IN-102.6.0-1.mga8
firefox-he-102.6.0-1.mga8
firefox-hi_IN-102.6.0-1.mga8
firefox-hr-102.6.0-1.mga8
firefox-hsb-102.6.0-1.mga8
firefox-hu-102.6.0-1.mga8
firefox-hy_AM-102.6.0-1.mga8
firefox-ia-102.6.0-1.mga8
firefox-id-102.6.0-1.mga8
firefox-is-102.6.0-1.mga8
firefox-it-102.6.0-1.mga8
firefox-ja-102.6.0-1.mga8
firefox-ka-102.6.0-1.mga8
firefox-kab-102.6.0-1.mga8
firefox-kk-102.6.0-1.mga8
firefox-km-102.6.0-1.mga8
firefox-kn-102.6.0-1.mga8
firefox-ko-102.6.0-1.mga8
firefox-lij-102.6.0-1.mga8
firefox-lt-102.6.0-1.mga8
firefox-lv-102.6.0-1.mga8
firefox-mk-102.6.0-1.mga8
firefox-mr-102.6.0-1.mga8
firefox-ms-102.6.0-1.mga8
firefox-my-102.6.0-1.mga8
firefox-nb_NO-102.6.0-1.mga8
firefox-nl-102.6.0-1.mga8
firefox-nn_NO-102.6.0-1.mga8
firefox-oc-102.6.0-1.mga8
firefox-pa_IN-102.6.0-1.mga8
firefox-pl-102.6.0-1.mga8
firefox-pt_BR-102.6.0-1.mga8
firefox-pt_PT-102.6.0-1.mga8
firefox-ro-102.6.0-1.mga8
firefox-ru-102.6.0-1.mga8
firefox-si-102.6.0-1.mga8
firefox-sk-102.6.0-1.mga8
firefox-sl-102.6.0-1.mga8
firefox-sq-102.6.0-1.mga8
firefox-sr-102.6.0-1.mga8
firefox-sv_SE-102.6.0-1.mga8
firefox-szl-102.6.0-1.mga8
firefox-ta-102.6.0-1.mga8
firefox-te-102.6.0-1.mga8
firefox-th-102.6.0-1.mga8
firefox-tl-102.6.0-1.mga8
firefox-tr-102.6.0-1.mga8
firefox-uk-102.6.0-1.mga8
firefox-ur-102.6.0-1.mga8
firefox-uz-102.6.0-1.mga8
firefox-vi-102.6.0-1.mga8
firefox-xh-102.6.0-1.mga8
firefox-zh_CN-102.6.0-1.mga8
firefox-zh_TW-102.6.0-1.mga8

from SRPMS:
nss-3.86.0-1.mga8.src.rpm
firefox-102.6.0-1.mga8.src.rpm
firefox-l10n-102.6.0-1.mga8.src.rpm
Depends on: (none) => 31232
Updates have been submitted to the build system and should be available by the end of the day.

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages (CVE-2022-46872).

A drag-and-dropped file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially have led to user confusion and the execution of malicious code (CVE-2022-46874).

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-46878).

A missing check related to tex units could have led to a use-after-free in WebGL and potentially exploitable crash (CVE-2022-46880).

An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash (CVE-2022-46881).

A use-after-free in WebGL extensions could have led to a potentially exploitable crash (CVE-2022-46882).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46882
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/NqCkaX216zY
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_86.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
Assignee: luigiwalser => qa-bugs
Blocks: (none) => 31274
mga8-64 OK for me

Plasma, i7-3770, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

Updated to:
- firefox-102.6.0-1.mga8.x86_64
- firefox-sv_SE-102.6.0-1.mga8.noarch
- lib64nss3-3.86.0-1.mga8.x86_64
- nss-3.86.0-1.mga8.x86_64

Tested various banking, authority, shops, different login methods, video sites. Swedish locale.

__Still not fixed__
The about box still says "mageia - 1.0"
CC: (none) => fri
Hi all,

Installed in Mga 8 Plasma on two computers, no issues for the moment.

Banks ok.
Settings ok.
Audio and video ok.
Spanish translation ok.
Addons ok.

Right now, writing for this new version.

Only as comment 2. The about box still says "mageia - 1.0"
CC: (none) => joselp
MGA8 XFCE 64 with nvidia graphics card, updated with QA repo and RPMs:

firefox 102.6.0 1.mga8 x86_64
firefox-fr 102.6.0 1.mga8 noarch
lib64nss3 3.86.0 1.mga8 x86_64
nss 3.86.0 1.mga8 x86_64

No issues after installation:
Audio and Video OK (Spotify and Netflix)
Bank sites OK
Matrix web client OK
CC: (none) => guillaume.royer
RedHat has issued an advisory for this today (December 15): https://access.redhat.com/errata/RHSA-2022:9067
MGA8-64 Plasma system, i5-2500, Intel graphics, wired Internet. Updated the US English versions of Firefox and Thunderbird at the same time, and have been using them off and on for nearly four hours with no issues to report.
CC: (none) => andrewsfarm
MGA8-64 Plasma system, HP Pavilion 15, AMD A8-4555, AMD "Aruba" graphics, rtl8818EE wifi. Updated Firefox and Thunderbird at the same time, read my morning newspaper, checked tracking of a package, making this report, all OK.
Tested with Canadian English, and with French. Validating. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0475.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
- Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates.

from this nss update is CVE-2022-23491:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPGIG3RLJJT2HMZS76SNGJZMTWOTMFUX/

So that was fixed in this update too.