Opened 6 years ago

Closed 6 years ago

#11277 closed enhancement (fixed)

firefox-63.0

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

The sources have been available since yesterday; I assume the release notes will appear in the next few hours.

Build changes: cbindgen now required, nodejs recommended (will be required in 64.0).

The paranoid will wish to note that telemetry has now become opt-out in the release channel (instead of opt-in). This is apparently to provide more data about what people are actually using, instead of saying "we can remove it because nobody uses it". NB it was always opt-out in the beta channel.

From https://www.ghacks.net/2018/09/21/mozilla-wants-to-estimate-firefoxs-telemetry-off-population/ :


(start quote) All that it takes is to load about:preferences#privacy in the browser's address bar and check or uncheck the following options:

Allow Firefox to send technical and interaction data to Mozilla

Allow Firefox to install and run studies

Allow Firefox to send backlogged crash reports on your behalf

(end quote)

This is also on the Privacy & Security tab of the hamburger menu. On my build, the first is greyed out with a 'learn more' link, the second is enabled, again with a 'learn more' link, and the third is replaced by "Data reporting is disabled for this build configuration".

So, by default, as with beta, Firefox can run studies.

I'm assuming that this provides some security fixes. ISTR it also distrusts Symantec security certs, but some of that might be in nss in which case we will already be doing that.

Change History (3)

comment:1 by ken@…, 6 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by ken@…, 6 years ago

Priority: normal → high

Release notes now there. Meanwhile, I had tried to update some 8.2 (gcc-7.3.0) systems and failed - for those I have installed 60.3.0esr successfully. Looking at the release notes, for some reason 63.0 does not mention security. But in 60.3.0 there is the following: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/#CVE-2018-12390 -

Description

Mozilla developers and community members Daniel Veditz and Philipp reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

#CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

Mozilla developers and community members Christian Holler, Bob Owen, Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond Forbes, and Bogdan Tara reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

comment:3 by ken@…, 6 years ago

Resolution: fixed
Status: assigned → closed