Opened 3 months ago

Closed 3 months ago

#14995 closed enhancement (fixed)

firefox-78.10.1esr mozjs-78.10.1

Reported by: ken@… Owned by: ken@…
Priority: low Milestone: 10.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Release Notes: {{ Fixed Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bug 1705138) }

Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=1705138 it seems to be windows 10 (macOS issue is apparently different), not sure if widevine content works on linux nowadays.

Security fix https://www.mozilla.org/en-US/security/advisories/mfsa2021-18/

CVE-2021-29951

The Mozilla Maintenance Service granted SERVICE_START access to 
BUILTIN|Users which, in a domain network, grants normal remote users
access to start or stop the service. This could be used to prevent
the browser update service from operating (if an attacker spammed
the 'Stop' command); but also exposed attack surface in the
maintenance service.

''Note: This issue only affected Windows operating systems older than 
Win 10 build 1709. Other operating systems are unaffected''

Change History (8)

comment:1 by ken@…, 3 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by Tim Tassonis, 3 months ago

Just watched a couple of hours of Arrested Development on Netflix (Firefox 78.10.0esr), no issues. Netflix uses widevine.

in reply to:  2 comment:3 by ken@…, 3 months ago

Replying to Tim Tassonis:

Just watched a couple of hours of Arrested Development on Netflix (Firefox 78.10.0esr), no issues. Netflix uses widevine.

From the bug, Amazon Prime is not affected, so I guess not everything using widevine uses the same content protection or License Enforcement.

Anyway, glad it works for you. I'm expecting to do this in 2 or 3 days after the next rust release.

comment:4 by Douglas R. Reno, 3 months ago

Summary: firefox-78.10.1esrfirefox-78.10.1esr mozjs-78.10.1

comment:5 by Tim Tassonis, 3 months ago

Ok, I did the thunderbird release now. Do you think it would be a good idea to then also re-do the thunderbird release? I could do that, to make sure it also builds fine with new rust.

in reply to:  5 ; comment:6 by ken@…, 3 months ago

Replying to Tim Tassonis:

Ok, I did the thunderbird release now. Do you think it would be a good idea to then also re-do the thunderbird release? I could do that, to make sure it also builds fine with new rust.

No sign of rust-1.52.0 yet, I think it is due tomorrow. When I can get hold of it (my broadband may be down for a while tomorrow) I'll be rebuilding *everything* which uses rust to check.

At the moment I've built them all with patched 1.51.0 (and gcc-11.1.0).

in reply to:  6 comment:7 by ken@…, 3 months ago

Replying to ken@…:

Replying to Tim Tassonis:

Ok, I did the thunderbird release now. Do you think it would be a good idea to then also re-do the thunderbird release? I could do that, to make sure it also builds fine with new rust.

No sign of rust-1.52.0 yet, I think it is due tomorrow. When I can get hold of it (my broadband may be down for a while tomorrow) I'll be rebuilding *everything* which uses rust to check.

At the moment I've built them all with patched 1.51.0 (and gcc-11.1.0).

Didn't mean to say "it's mine, all mine", only "I'm already intending to do this". If you have the time, and interest, feel free to build 1.52.0 (using sysllvm, so same instructions as for now) and try thunderbird, then report back. If thunderbird has problems, I suspect firefox will have similar problems.

comment:8 by ken@…, 3 months ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.