Opened 3 months ago

Closed 3 months ago

#15411 closed enhancement (fixed)

firefox-91.0.1

Reported by: Bruce Dubbs Owned by: ken@…
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version. We should be able to get this into 11.0

Change History (4)

comment:1 by ken@…, 3 months ago

Owner: changed from blfs-book to ken@…
Priority: normalelevated
Status: newassigned
Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404)

Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bug 1720369)

Various stability fixes

and https://www.mozilla.org/en-US/security/advisories/mfsa2021-37/

        Firefox 91.0.1

#CVE-2021-29991: Header Splitting possible with HTTP/3 Responses

Reporter
    Neal Poole
Impact
    high

Description

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3.
References

    Bug 1724896

For those unfamiliar with HTTP/3 wikipedia says it has been supported by Chrome since April 2020 and Firefox since May 2021, so in firefox it is still quite new and not supported in 78esr.

in reply to:  1 ; comment:2 by Tim Tassonis, 3 months ago

Replying to ken@…:

Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404)

Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bug 1720369)

Various stability fixes

and https://www.mozilla.org/en-US/security/advisories/mfsa2021-37/

        Firefox 91.0.1

#CVE-2021-29991: Header Splitting possible with HTTP/3 Responses

Reporter
    Neal Poole
Impact
    high

Description

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3.
References

    Bug 1724896

For those unfamiliar with HTTP/3 wikipedia says it has been supported by Chrome since April 2020 and Firefox since May 2021, so in firefox it is still quite new and not supported in 78esr.

Never heard of it before, just checked the wikipedia page. According to them, "according to W3Techs, 21% of the top 10 million websites support it" Strange, because later on, neither nginx nor apache supports it yet. So I guess, that's again more marketing than reality. Anyway, what exactly is a "top 10 million website" ?

in reply to:  2 comment:3 by ken@…, 3 months ago

Never heard of it before, just checked the wikipedia page. According to them, "according to W3Techs, 21% of the top 10 million websites support it" Strange, because later on, neither nginx nor apache supports it yet. So I guess, that's again more marketing than reality. Anyway, what exactly is a "top 10 million website" ?

Via the link 3 at the bottom of the wikipedia page I got to https://w3techs.com/technologies - seems to be a commercial offering, with links to the commercial providers they use. Reading their text, if one subdomain at a location uses it, that "website" supports it, e.g. on their methodology wordpress.com is a website (if I've understood what they are saying).

From the wikipedia page, probably served by LiteSpeed or nginx with the patch from Cloudflare. Seems to be intended for very high volume websites.

comment:4 by ken@…, 3 months ago

Resolution: fixed
Status: assignedclosed

Fixed in @a4f2fb6a8428abb51efe1086b0300a9a6b96d590 10.1-820

Security Advisory SA 10.1-095

NB the fix is in the rust neqo code, so at least that library of the rust libraries listed by wikipedia as supporting HTTP/3 is affected.

Note: See TracTickets for help on using tickets.