Mozilla has released Firefox 102.7.0 today (January 17):
https://www.mozilla.org/en-US/firefox/102.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.87.0-1.mga8
libnss-devel-3.87.0-1.mga8
libnss-static-devel-3.87.0-1.mga8
nss-3.87.0-1.mga8
nss-doc-3.87.0-1.mga8
firefox-102.7.0-1.mga8
firefox-af-102.7.0-1.mga8
firefox-an-102.7.0-1.mga8
firefox-ar-102.7.0-1.mga8
firefox-ast-102.7.0-1.mga8
firefox-az-102.7.0-1.mga8
firefox-be-102.7.0-1.mga8
firefox-bg-102.7.0-1.mga8
firefox-bn-102.7.0-1.mga8
firefox-br-102.7.0-1.mga8
firefox-bs-102.7.0-1.mga8
firefox-ca-102.7.0-1.mga8
firefox-cs-102.7.0-1.mga8
firefox-cy-102.7.0-1.mga8
firefox-da-102.7.0-1.mga8
firefox-de-102.7.0-1.mga8
firefox-el-102.7.0-1.mga8
firefox-en_CA-102.7.0-1.mga8
firefox-en_GB-102.7.0-1.mga8
firefox-en_US-102.7.0-1.mga8
firefox-eo-102.7.0-1.mga8
firefox-es_AR-102.7.0-1.mga8
firefox-es_CL-102.7.0-1.mga8
firefox-es_ES-102.7.0-1.mga8
firefox-es_MX-102.7.0-1.mga8
firefox-et-102.7.0-1.mga8
firefox-eu-102.7.0-1.mga8
firefox-fa-102.7.0-1.mga8
firefox-ff-102.7.0-1.mga8
firefox-fi-102.7.0-1.mga8
firefox-fr-102.7.0-1.mga8
firefox-fy_NL-102.7.0-1.mga8
firefox-ga_IE-102.7.0-1.mga8
firefox-gd-102.7.0-1.mga8
firefox-gl-102.7.0-1.mga8
firefox-gu_IN-102.7.0-1.mga8
firefox-he-102.7.0-1.mga8
firefox-hi_IN-102.7.0-1.mga8
firefox-hr-102.7.0-1.mga8
firefox-hsb-102.7.0-1.mga8
firefox-hu-102.7.0-1.mga8
firefox-hy_AM-102.7.0-1.mga8
firefox-ia-102.7.0-1.mga8
firefox-id-102.7.0-1.mga8
firefox-is-102.7.0-1.mga8
firefox-it-102.7.0-1.mga8
firefox-ja-102.7.0-1.mga8
firefox-ka-102.7.0-1.mga8
firefox-kab-102.7.0-1.mga8
firefox-kk-102.7.0-1.mga8
firefox-km-102.7.0-1.mga8
firefox-kn-102.7.0-1.mga8
firefox-ko-102.7.0-1.mga8
firefox-lij-102.7.0-1.mga8
firefox-lt-102.7.0-1.mga8
firefox-lv-102.7.0-1.mga8
firefox-mk-102.7.0-1.mga8
firefox-mr-102.7.0-1.mga8
firefox-ms-102.7.0-1.mga8
firefox-my-102.7.0-1.mga8
firefox-nb_NO-102.7.0-1.mga8
firefox-nl-102.7.0-1.mga8
firefox-nn_NO-102.7.0-1.mga8
firefox-oc-102.7.0-1.mga8
firefox-pa_IN-102.7.0-1.mga8
firefox-pl-102.7.0-1.mga8
firefox-pt_BR-102.7.0-1.mga8
firefox-pt_PT-102.7.0-1.mga8
firefox-ro-102.7.0-1.mga8
firefox-ru-102.7.0-1.mga8
firefox-si-102.7.0-1.mga8
firefox-sk-102.7.0-1.mga8
firefox-sl-102.7.0-1.mga8
firefox-sq-102.7.0-1.mga8
firefox-sr-102.7.0-1.mga8
firefox-sv_SE-102.7.0-1.mga8
firefox-szl-102.7.0-1.mga8
firefox-ta-102.7.0-1.mga8
firefox-te-102.7.0-1.mga8
firefox-th-102.7.0-1.mga8
firefox-tl-102.7.0-1.mga8
firefox-tr-102.7.0-1.mga8
firefox-uk-102.7.0-1.mga8
firefox-ur-102.7.0-1.mga8
firefox-uz-102.7.0-1.mga8
firefox-vi-102.7.0-1.mga8
firefox-xh-102.7.0-1.mga8
firefox-zh_CN-102.7.0-1.mga8
firefox-zh_TW-102.7.0-1.mga8

from SRPMS:
nss-3.87.0-1.mga8.src.rpm
firefox-102.7.0-1.mga8.src.rpm
firefox-l10n-102.7.0-1.mga8.src.rpm
Updates have been committed to SVN and are in the process of being built.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited (CVE-2022-46871).

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks (CVE-2022-46877).

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to DataTransfer.setData (CVE-2023-23598).

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks (CVE-2023-23601).

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers (CVE-2023-23602).

Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs, allowing bypassing Content Security Policy via format directives. Data could then be potentially exfiltrated from the browser (CVE-2023-23603).

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-23605).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
Version: Cauldron => 8
Updates have been submitted to the build system and should be available by the end of the day.
Assignee: luigiwalser => qa-bugs
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Running now, checked a newspaper site with text, sound and video, all works OK.
CC: (none) => herman.viaene
mga8-64 OK for me

Plasma, i7-3770, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

Updated to:
- firefox-102.7.0-1.mga8.x86_64
- firefox-sv_SE-102.7.0-1.mga8.noarch
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64

Kernels desktop-5.15.88-1 and desktop-6.1.6-1

Tested various banking, authority, shops, different login methods, video sites. Swedish locale.

__Still not fixed__
The about box still says "mageia - 1.0"
Are we never gonna get this sorted?

----8<----

Weird: First, I had it segfault when I resize Firefox while playing YT;
Repeatable: Play https://youtu.be/-lR0qoIW1Cw?list=PLhTQil6jHokkfblf5xsL4grv4Wxtcvv9a grab a corner of Firefox and drag it around, crash within a few seconds.

I also verified this for our last version in updates.

Tried our release repo version and it did not crash, but it had created a new profile. When I again updated to 102.7.0-1 it also did not crash with the new profile.

So I restored my old profile, and it crashed again. So something in the profile made it crash. Reliably.

But now this: the above tests were all with kernel desktop-5.15.88-1. Now while testing kernel desktop-6.1.6-1, I can't get Firefox to crash. So it is some compound effect...

Anyway, I think it is OK - no regression over our previous with same profile, and with new profile or backport kernel!? it does not crash. For me.
CC: (none) => fri
Sidenote, the output in terminal from crashing firefox:

$ firefox
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=45.4169) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=45.4169) |[1][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=46.4581) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Segmenteringsfel (minnesutskrift skapad)
There's a separate bug for the about box thing. Please refrain from commenting about it in security updates unless a packager mentions that it has been addressed.
Hi,

Installed on Mga8 Plasma x64. No issues for the moment.

- Video ok.
- Banks ok.
- Addons ok.
- Spanish language ok.
- Private mode ok.

Writing from this new version right now!

Greetings!
CC: (none) => joselp
Blocks: (none) => 31438
- Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.

in this nss update is CVE-2022-3479:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPGIG3RLJJT2HMZS76SNGJZMTWOTMFUX/

So that's fixed in this update as well.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A vulnerability was found in NSS. The NSS client auth crashes without a user certificate in the database, leading to a segmentation fault or crash (CVE-2022-3479).

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited (CVE-2022-46871).

By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks (CVE-2022-46877).

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK treating all text/plain MIMEs containing file URLs as being dragged a website could arbitrarily read a file via a call to DataTransfer.setData (CVE-2023-23598).

Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks (CVE-2023-23601).

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers (CVE-2023-23602).

Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs, allowing bypassing Content Security Policy via format directives. Data could then be potentially exfiltrated from the browser (CVE-2023-23603).

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-23605).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPGIG3RLJJT2HMZS76SNGJZMTWOTMFUX/
MGA8-64, on Xfce, Toshiba Laptop
AMD A6-3420M APU
Radeon HD 6520G
RTL8188CE 802.11b/g/n WiFi Adapter

The following 6 packages are going to be installed:
- firefox-102.7.0-1.mga8.x86_64
- firefox-en_CA-102.7.0-1.mga8.noarch
- firefox-en_GB-102.7.0-1.mga8.noarch
- firefox-en_US-102.7.0-1.mga8.noarch
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64

Verified version, working as expected.
CC: (none) => brtians1
- firefox-102.7.0-1.mga8.x86_64
- firefox-en_GB-102.7.0-1.mga8.noarch
- lib64nss-devel-3.87.0-1.mga8.x86_64
- lib64nss-static-devel-3.87.0-1.mga8.x86_64
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64
- nss-doc-3.87.0-1.mga8.noarch

Restarted and tried a few astronomical sites, links to The Guardian from Thunderbird, and a baroque high definition music video on Youtube. Also no trouble with resizing before or after the new version.
CC: (none) => tarazed25
RedHat has issued an advisory for this today (January 23): https://access.redhat.com/errata/RHSA-2023:0288
MGA8-64 Plasma. No installation issues. I've been using this for two days now, with no issues to report. I did some banking, sent an email with Thunderbird from a website link, downloaded a couple of pdfs, watched some of Morgan's Youtube link. No problems resizing while on Youtube.
CC: (none) => andrewsfarm
No regressions noticed. Tested on x86_64, aarch64, and i586 (vb). Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0018.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED