Opened 4 months ago

Closed 4 months ago

#15369 closed enhancement (fixed)

firefox-91.0esr

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Now available, release notes expected in about 24 hours.

Note that ftp links are no longer supported, and the outline of the current tab is less prominent than in 78.

Change History (14)

comment:1 by ken@…, 4 months ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:2 by Bruce Dubbs, 4 months ago

Not supporting ftp is a big mistake in my opinion. I, for one, will not be upgrading on my workstation.

comment:3 by ken@…, 4 months ago

It builds on most of my recent systems (back to 10.1), but on one of those where I had earlier built 91.0b8 it failed and I could neither rebuild 91.0b8 nor any of the release candidates. Gave up on that, newer systems were fine. Today I tried to update an old 10.0 system, got the same error:

/scratch/working/firefox-91.0/firefox-build-dir/_virtualenvs/common/bin/python -m mozbuild.action.check_binary --target --networking /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a

21:24.27 TEST-UNEXPECTED-FAIL | check_networking | libgkrust.a | Identified 1 networking function(s) being imported in the rust static library (getsockname)

21:24.27 make[4]: *** [/scratch/working/firefox-91.0/config/makefiles/rust.mk:418: /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a] Error 1

No idea what causes this.
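The failing step above names the imported function (getsockname) and the library, but not which object inside libgkrust.a pulls it in. The following is an added example, not part of the ticket and not mozbuild's own check: it parses the output of GNU `nm -A --undefined-only` to list the archive members that import socket functions. The symbol list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
import subprocess
from collections import defaultdict

# Assumption: an illustrative set of socket APIs, not mozbuild's actual list.
NETWORKING_SYMBOLS = {
    "socket", "connect", "bind", "listen", "accept", "getsockname",
    "getsockopt", "recv", "send", "recvfrom", "sendto",
}

# GNU nm -A on an archive prefixes each line with "archive:member:".
# Undefined symbols have a blank address and type U (or w/v if weak).
NM_LINE = re.compile(r"^(.*):([^:]+):\s*([Uwv])\s+(\S+)$")


def networking_imports(nm_output, watched=NETWORKING_SYMBOLS):
    """Map each watched symbol to the sorted archive members importing it."""
    hits = defaultdict(set)
    for line in nm_output.splitlines():
        match = NM_LINE.match(line.rstrip())
        if not match:
            continue  # defined symbols, blank lines, anything unparsable
        _archive, member, _kind, symbol = match.groups()
        symbol = symbol.split("@", 1)[0]  # drop any symbol-version suffix
        if symbol in watched:
            hits[symbol].add(member)
    return {sym: sorted(members) for sym, members in hits.items()}


def scan_archive(path):
    """Run nm on a real archive (requires binutils) and report the imports."""
    result = subprocess.run(
        ["nm", "-A", "--undefined-only", path],
        check=True, capture_output=True, text=True,
    )
    return networking_imports(result.stdout)


# Constructed sample output; member names are placeholders.
SAMPLE = """\
libgkrust.a:example_a.o:                 U getsockname
libgkrust.a:example_a.o:                 U memcpy
libgkrust.a:example_b.o:                 U malloc
libgkrust.a:example_c.o:                 U getsockname
libgkrust.a:example_c.o:                 w __cxa_finalize
libgkrust.a:example_c.o:0000000000000000 T getsockname_wrapper
"""

if __name__ == "__main__":
    for sym, members in networking_imports(SAMPLE).items():
        print(sym, "imported by", ", ".join(members))
```

Comparing the reported members between a system where the build passes and one where it fails narrows down which crate or toolchain component differs.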

in reply to:  2 ; comment:4 by Douglas R. Reno, 4 months ago

Replying to Bruce Dubbs:

Not supporting ftp is a big mistake in my opinion. I, for one, will not be upgrading on my workstation.

Unfortunately, it looks like all the other major browsers have removed it too. The only browser in the book that *might* open FTP links is Epiphany, and even then, I don't know how long that will last.

Chrome 88 removed support for FTP entirely from the browser. That impacts QtWebEngine/Falkon as well.

Seamonkey might be the only one left here soon for FTP support (unless they update to FF90's rendering engine, and in that case, it'll be gone too).

It's looking like the end for FTP unless people like using Lynx/links

comment:5 by ken@…, 4 months ago

People who wish to stick with 78.13.0esr for the moment should follow the instructions in the 10.1 book re how to invoke mach, while noting that the final release of the 78esr series will be 78.15.0 in October.

in reply to:  3 ; comment:6 by ken@…, 4 months ago

Replying to ken@…:

It builds on most of my recent systems (back to 10.1), but on one of those where I had earlier built 91.0b8 it failed and I could neither rebuild 91.0b8 nor any of the release candidates. Gave up on that, newer systems were fine. Today I tried to update an old 10.0 system, got the same error:

/scratch/working/firefox-91.0/firefox-build-dir/_virtualenvs/common/bin/python -m mozbuild.action.check_binary --target --networking /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a

21:24.27 TEST-UNEXPECTED-FAIL | check_networking | libgkrust.a | Identified 1 networking function(s) being imported in the rust static library (getsockname)

21:24.27 make[4]: *** [/scratch/working/firefox-91.0/config/makefiles/rust.mk:418: /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a] Error 1

No idea what causes this.

I've now hit this twice: first on the system from May with updated gcc-11.1.0 where I had been looking at firefox betas and had successfully built 91.0b8, now on one of my BLFS-10.0 systems (gcc-10.2.0), the other is fine. On the May system, due to excessive cleaning up of my local esr script I was initially using clang, but the problem persisted with gcc.

On both my current glibc-2.34 systems 91 builds fine, as it does on three BLFS-10.1 systems and one other recent system with patched gcc-10.1.

comment:7 by ken@…, 4 months ago

Starting to wonder if, as a short-term measure, it is worth adding a firefox-legacy page for 78.13.0.

comment:8 by ken@…, 4 months ago

Priority: normal → elevated

Release notes:

First, the changes from 90.0:

Building on Total Cookie Protection, we've added a more comprehensive logic for clearing cookies that prevents hidden data leaks and makes it easy for users to understand which websites are storing local information.

Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on.

The simplify page when printing feature is back! When printing, under More settings > Format select the Simplified option when available to get a clutter-free page.

HTTPS-First Policy: Firefox Private Browsing windows now attempt to make all connections to websites secure, and fall back to insecure connections only when websites do not support it.

We've added a new locale: Scots (sco)

The address bar now provides Switch to Tab results also in Private Browsing windows.

Firefox now automatically enables High Contrast Mode when "Increase Contrast" is checked on MacOS

Firefox now does catch-up paints for almost all user interactions, enabling a 10-20% improvement in response time to most user interactions.

comment:9 by ken@…, 4 months ago

And now the security fixes, these are common to both 78.13 and 91.0

CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption

Reporter
    pahhur
Impact
    high

Description

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash.
Note: This issue only affected Linux operating systems. Other operating systems are unaffected.
References

    Bug 1696138


CVE-2021-29988: Memory corruption as a result of incorrect style treatment

Reporter
    Irvan Kurniawan
Impact
    high

Description

Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash.
References

    Bug 1717922


CVE-2021-29984: Incorrect instruction reordering during JIT optimization

Reporter
    Lukas Bernhard
Impact
    high

Description

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
References

    Bug 1720031


CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption

Reporter
    Irvan Kurniawan
Impact
    high

Description

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash.
References

    Bug 1722204


CVE-2021-29985: Use-after-free media channels

Reporter
    Marcin 'Icewall' Noga of Cisco Talos
Impact
    moderate

Description

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash.
References

    Bug 1722083


CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers Christoph Kerschbaumer, Simon Giesecke, Sandor Molnar, and Olli Pettay reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

comment:10 by ken@…, 4 months ago

On my recent system where I cannot build 91.0, I've given up on that. Checked the kernel config (it was 5.13.4) against a current system, only two changes from what works on this box, and both of those are in use on another machine where 91.0 builds ok.

Looked at what packages have been updated since I last successfully built 91.0b8 here - JS78 and firefox with certs, polkit, elogind, node.js for 78.12.0, nss, certs, 78.13.0 for JS78, polkit, elogind. Then I tried latest c-ares, as expected no change. I've now adapted my scripts to let me build 78.13.0 in this case (omit new mach command). I'm now using that (with a new profile - don't want to mess up my newer systems on this box).

I now intend to create a firefox-legacy page for people who are, in the short term, sticking with 78.13.0.

in reply to:  4 comment:11 by Tim Tassonis, 4 months ago

Replying to Douglas R. Reno:

Replying to Bruce Dubbs:

Not supporting ftp is a big mistake in my opinion. I, for one, will not be upgrading on my workstation.

Unfortunately, it looks like all the other major browsers have removed it too. The only browser in the book that *might* open FTP links is Epiphany, and even then, I don't know how long that will last.

Chrome 88 removed support for FTP entirely from the browser. That impacts QtWebEngine/Falkon as well.

Seamonkey might be the only one left here soon for FTP support (unless they update to FF90's rendering engine, and in that case, it'll be gone too).

It's looking like the end for FTP unless people like using Lynx/links

I have successfully built firefox 90.2 on my LFS 10.0 (llvm 11.0.0) based system.

I'll give it a try, after having upgraded to rustc 1.52.0. I'll report success or failure when I'm finished.

Regarding ftp: For me, that's clearly regrettable, but no showstopper. I usually copy ftp links in the clipboard and then download them with curl anyway.

I'm also gonna have a look if there is a nice ftp addon for firefox, that might fill the gap.

comment:12 by ken@…, 4 months ago

Book updated in @883e3763504bb709345891b0daf4ed4fe7b07d03 10.1-757.

Security advisories are pending (maybe tomorrow, maybe thursday).

in reply to:  6 comment:13 by Tim Tassonis, 4 months ago

Replying to ken@…:

Replying to ken@…:

It builds on most of my recent systems (back to 10.1), but on one of those where I had earlier built 91.0b8 it failed and I could neither rebuild 91.0b8 nor any of the release candidates. Gave up on that, newer systems were fine. Today I tried to update an old 10.0 system, got the same error:

/scratch/working/firefox-91.0/firefox-build-dir/_virtualenvs/common/bin/python -m mozbuild.action.check_binary --target --networking /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a

21:24.27 TEST-UNEXPECTED-FAIL | check_networking | libgkrust.a | Identified 1 networking function(s) being imported in the rust static library (getsockname)

21:24.27 make[4]: *** [/scratch/working/firefox-91.0/config/makefiles/rust.mk:418: /scratch/working/firefox-91.0/firefox-build-dir/x86_64-unknown-linux-gnu/release/libgkrust.a] Error 1

No idea what causes this.

I've now hit this twice: first on the system from May with updated gcc-11.1.0 where I had been looking at firefox betas and had successfully built 91.0b8, now on one of my BLFS-10.0 systems (gcc-10.2.0), the other is fine. On the May system, due to excessive cleaning up of my local esr script I was initially using clang, but the problem persisted with gcc.

On both my current glibc-2.34 systems 91 builds fine, as it does on three BLFS-10.1 systems and one other recent system with patched gcc-10.1.

I just now successfully built and am running firefox 91.0 on an LFS 10.0 based system. My toolchain is:

  • gcc 10.2.0
  • binutils 2.35
  • llvm 11.0.0
  • rustc 1.52.0

Had to upgrade icu to 69.1, but then it went fine.

comment:14 by ken@…, 4 months ago

Resolution: fixed
Status: assigned → closed

Security Advisory SA 10.1-089