Mozilla has released Firefox 102.10.0 today (April 10): https://www.mozilla.org/en-US/firefox/102.10.0/releasenotes/ The release notes have not been posted yet. Package list should be as follows. Updated packages in core/updates_testing: ======================================== firefox-102.10.0-1.mga8 firefox-af-102.10.0-1.mga8 firefox-an-102.10.0-1.mga8 firefox-ar-102.10.0-1.mga8 firefox-ast-102.10.0-1.mga8 firefox-az-102.10.0-1.mga8 firefox-be-102.10.0-1.mga8 firefox-bg-102.10.0-1.mga8 firefox-bn-102.10.0-1.mga8 firefox-br-102.10.0-1.mga8 firefox-bs-102.10.0-1.mga8 firefox-ca-102.10.0-1.mga8 firefox-cs-102.10.0-1.mga8 firefox-cy-102.10.0-1.mga8 firefox-da-102.10.0-1.mga8 firefox-de-102.10.0-1.mga8 firefox-el-102.10.0-1.mga8 firefox-en_CA-102.10.0-1.mga8 firefox-en_GB-102.10.0-1.mga8 firefox-en_US-102.10.0-1.mga8 firefox-eo-102.10.0-1.mga8 firefox-es_AR-102.10.0-1.mga8 firefox-es_CL-102.10.0-1.mga8 firefox-es_ES-102.10.0-1.mga8 firefox-es_MX-102.10.0-1.mga8 firefox-et-102.10.0-1.mga8 firefox-eu-102.10.0-1.mga8 firefox-fa-102.10.0-1.mga8 firefox-ff-102.10.0-1.mga8 firefox-fi-102.10.0-1.mga8 firefox-fr-102.10.0-1.mga8 firefox-fy_NL-102.10.0-1.mga8 firefox-ga_IE-102.10.0-1.mga8 firefox-gd-102.10.0-1.mga8 firefox-gl-102.10.0-1.mga8 firefox-gu_IN-102.10.0-1.mga8 firefox-he-102.10.0-1.mga8 firefox-hi_IN-102.10.0-1.mga8 firefox-hr-102.10.0-1.mga8 firefox-hsb-102.10.0-1.mga8 firefox-hu-102.10.0-1.mga8 firefox-hy_AM-102.10.0-1.mga8 firefox-ia-102.10.0-1.mga8 firefox-id-102.10.0-1.mga8 firefox-is-102.10.0-1.mga8 firefox-it-102.10.0-1.mga8 firefox-ja-102.10.0-1.mga8 firefox-ka-102.10.0-1.mga8 firefox-kab-102.10.0-1.mga8 firefox-kk-102.10.0-1.mga8 firefox-km-102.10.0-1.mga8 firefox-kn-102.10.0-1.mga8 firefox-ko-102.10.0-1.mga8 firefox-lij-102.10.0-1.mga8 firefox-lt-102.10.0-1.mga8 firefox-lv-102.10.0-1.mga8 firefox-mk-102.10.0-1.mga8 firefox-mr-102.10.0-1.mga8 firefox-ms-102.10.0-1.mga8 firefox-my-102.10.0-1.mga8 firefox-nb_NO-102.10.0-1.mga8 firefox-nl-102.10.0-1.mga8 firefox-nn_NO-102.10.0-1.mga8 firefox-oc-102.10.0-1.mga8 firefox-pa_IN-102.10.0-1.mga8 firefox-pl-102.10.0-1.mga8 firefox-pt_BR-102.10.0-1.mga8 firefox-pt_PT-102.10.0-1.mga8 firefox-ro-102.10.0-1.mga8 firefox-ru-102.10.0-1.mga8 firefox-si-102.10.0-1.mga8 firefox-sk-102.10.0-1.mga8 firefox-sl-102.10.0-1.mga8 firefox-sq-102.10.0-1.mga8 firefox-sr-102.10.0-1.mga8 firefox-sv_SE-102.10.0-1.mga8 firefox-szl-102.10.0-1.mga8 firefox-ta-102.10.0-1.mga8 firefox-te-102.10.0-1.mga8 firefox-th-102.10.0-1.mga8 firefox-tl-102.10.0-1.mga8 firefox-tr-102.10.0-1.mga8 firefox-uk-102.10.0-1.mga8 firefox-ur-102.10.0-1.mga8 firefox-uz-102.10.0-1.mga8 firefox-vi-102.10.0-1.mga8 firefox-xh-102.10.0-1.mga8 firefox-zh_CN-102.10.0-1.mga8 firefox-zh_TW-102.10.0-1.mga8 from SRPMS: firefox-102.10.0-1.mga8.src.rpm firefox-l10n-102.10.0-1.mga8.src.rpm
Updates submitted to the build system, freeze move request posted for Cauldron, updated packages should be available on mirrors by the end of the day.
Assignee: luigiwalser => qa-bugs
Physical hardware - AMD/Nvidia (390), Plasma $ uname -a Linux localhost 5.15.98-desktop-1.mga8 #1 SMP Sat Mar 4 12:16:27 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux The following 3 packages are going to be installed: - firefox-102.10.0-1.mga8.x86_64 - firefox-en_GB-102.10.0-1.mga8.noarch - firefox-en_US-102.10.0-1.mga8.noarch $ firefox -version Mozilla Firefox 102.10.0esr I've spent some time on a few sites as well as audio/video. No issues.
CC: (none) => brtians1
mga8-64, Plasma, nvidia-current, kernel 5.15.88-desktop-1.mga8, Intel i7, Swedish $ firefox -version Mozilla Firefox 102.10.0esr Localisation OK Kept tabs, settings, plugins Three different login methods to Banking, shops Video sites working... but occasional crash when resizing. Actually I had that once with previous version yesterday too. $ firefox Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs --< and here i played a film on svt.se, and when resizing firefox it crashed: >-- Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Exiting due to channel error. Segmenteringsfel (minnesutskrift skapad) --< segmentation fault >-- I also have seen, without crash, the following line output: Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=21.8524) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate As in https://bugs.mageia.org/show_bug.cgi?id=31415#c5 So no regression, but nowadays Firefox is not as stable as it used to be, on my system.
CC: (none) => fri
Security issues fixed: https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/ One is in libwebp, which we'll have to fix as well. The Mozilla bug is private, but it's possibly this: https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129
(In reply to David Walser from comment #4) > Security issues fixed: > https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/ > > One is in libwebp, which we'll have to fix as well. The Mozilla bug is > private, but it's possibly this: > https://github.com/webmproject/libwebp/commit/ > a486d800b60d0af4cc0836bf7ed8f21e12974129 Upstream link for that commit: https://chromium.googlesource.com/webm/libwebp/+/a486d800b60d0af4cc0836bf7ed8f21e12974129%5E%21/#F0 Two other fixes that might be good to add: https://chromium.googlesource.com/webm/libwebp/+/0edbb6ea7176eca19955be701178fa70ecb497ee%5E%21/#F0 https://chromium.googlesource.com/webm/libwebp/+/8f7513b7c0aec45bf163c107284bccb86aa478ef%5E%21/#F0
Advisory: ======================== Updated firefox and libwebp packages fix security vulnerabilities: Unexpected data returned from the Safe Browsing API could have led to memory corruption and a potentially exploitable crash (CVE-2023-1945). A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks (CVE-2023-29533). Following a Garbage Collector compaction, weak maps may have been accessed before they were correctly traced. This resulted in memory corruption and a potentially exploitable crash (CVE-2023-29535). An attacker could, via JavaScript code, cause the memory manager to incorrectly free a pointer that addresses attacker-controlled memory, resulting in an assertion, memory corruption, or a potentially exploitable crash (CVE-2023-29536). When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware (CVE-2023-29539). Firefox did not properly handle downloads of files ending in .desktop, which can be interpreted to run attacker-controlled commands (CVE-2023-29541). Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2023-29550). A double-free in libwebp could have led to memory corruption and a potentially exploitable crash (MFSA-TMP-2023-0001). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550 https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/ Adding to the package list: libwebp7-1.1.0-2.1.mga8 libwebp-tools-1.1.0-2.1.mga8 libwebpdecoder3-1.1.0-2.1.mga8 libwebp-devel-1.1.0-2.1.mga8 libwebpmux3-1.1.0-2.1.mga8 libwebpdemux2-1.1.0-2.1.mga8 from libwebp-1.1.0-2.1.mga8.src.rpm
Blocks: (none) => 31787
MGA8-64 MATE on Acer Aspire 5253 Installed firefox (+ en_US and en_GB) and lib64webp7-1.1.0-2.1.mga8 libwebp-tools-1.1.0-2.1.mga8 lib64webpdecoder3-1.1.0-2.1.mga8 lib64webp-devel-1.1.0-2.1.mga8 lib64webpmux3-1.1.0-2.1.mga8 lib64webpdemux2-1.1.0-2.1.mga8 Fired up new version of firefox and tested on newspapersite and youtube: all works OK.
CC: (none) => herman.viaene
Added the following to my firefox update The following 4 packages are going to be installed: - lib64webp7-1.1.0-2.1.mga8.x86_64 - lib64webpdemux2-1.1.0-2.1.mga8.x86_64 - lib64webpmux3-1.1.0-2.1.mga8.x86_64 - libwebp-tools-1.1.0-2.1.mga8.x86_64 I've spent a few hours doing my normal stuff. Working as expected.
(In reply to Brian Rockwell from comment #8) > Added the following to my firefox update > > The following 4 packages are going to be installed: > > - lib64webp7-1.1.0-2.1.mga8.x86_64 > - lib64webpdemux2-1.1.0-2.1.mga8.x86_64 > - lib64webpmux3-1.1.0-2.1.mga8.x86_64 > - libwebp-tools-1.1.0-2.1.mga8.x86_64 > > > I've spent a few hours doing my normal stuff. Working as expected. Also included a full reboot to confirm new versions were used.
No nss packages this time. Seems odd...
CC: (none) => andrewsfarm
MGA8-64 Plasma. The following 5 packages are going to be installed: - firefox-102.10.0-1.mga8.x86_64 - firefox-en_US-102.10.0-1.mga8.noarch - lib64webp7-1.1.0-2.1.mga8.x86_64 - lib64webpdemux2-1.1.0-2.1.mga8.x86_64 - lib64webpmux3-1.1.0-2.1.mga8.x86_64 No installation issues. Checked Facebook, weather forecast (80% chance of rain on Monday), watched a brief video. No issues to report.
(In reply to Thomas Andrews from comment #10) > No nss packages this time. Seems odd... Indeed. I can't remember that ever happening.
Ok in my testing. Advisory committed to svn. Validating.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0146.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
RedHat has issued an advisory for this on April 14: https://access.redhat.com/errata/RHSA-2023:1786
(In reply to David Walser from comment #4) > Security issues fixed: > https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/ > > One is in libwebp, which we'll have to fix as well. The Mozilla bug is > private, but it's possibly this: > https://github.com/webmproject/libwebp/commit/ > a486d800b60d0af4cc0836bf7ed8f21e12974129 This is now CVE-2023-1999 (Mozilla advisory updated). RedHat has issued an advisory for this on May 2: https://access.redhat.com/errata/RHSA-2023:2077
Summary: Firefox 102.10 => Firefox 102.10 (and libwebp CVE-2023-1999)