Opened 3 years ago
Closed 3 years ago
#16197 closed enhancement (fixed)
firefox-91.7.0 js-91.7.0 (was 91.6.1)
Reported by: | Bruce Dubbs | Owned by: | ken |
---|---|---|---|
Priority: | high | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | critical | Keywords: | |
Cc: |
Description
New point version.
Change History (13)
comment:1 by , 3 years ago
Priority: | normal → high |
---|---|
Severity: | normal → critical |
comment:2 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 3 years ago
We are pleased to announce that the Firefox ESR 91.6.1 release is now available for download at:
https://www.mozilla.org/firefox/organizations/all/
As always, we recommend that users keep up to date with the newest version of Firefox ESR for the latest stability and security fixes.
This release addresses a security vulnerability which was reported to be actively under attack in the wild. Updating as soon as possible is strongly advised.
Release notes for Firefox 91.6.1esr are available at:
https://www.mozilla.org/firefox/91.6.1/releasenotes/
Associated security advisories are posted at:
https://www.mozilla.org/security/advisories/mfsa2022-09/
Ryan VanderMeulen
Firefox Release Manager
I'll have this done before I go to bed tonight.
follow-up: 5 comment:4 by , 3 years ago
I saw the xslt and expat changes in the diffs between candidate builds 2 and 3 for 91.7.0 and 98.0 yesterday, didn't realise it was so urgent. Thanks for picking these up.
comment:5 by , 3 years ago
Replying to ken@…:
I saw the xslt and expat changes in the diffs between candidate builds 2 and 3 for 91.7.0 and 98.0 yesterday, didn't realise it was so urgent. Thanks for picking these up.
You're welcome, I'll have the trio of packages (along with js91-91.6.1) in today. Ideally I would've had it done yesterday, but I hadn't planned on Thunderbird and Seamonkey coming in.
comment:6 by , 3 years ago
Summary: | firefox-91.6.1 → firefox-91.6.1 js-91.6.1 |
---|
comment:7 by , 3 years ago
firefox-91.7.0esr is now out, I plan to do that tomorrow once the release notes are available.
comment:8 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | assigned → new |
comment:9 by , 3 years ago
I'll get Thunderbird in as soon as you get Firefox in.
Release notes are available BTW. More security fixes
comment:10 by , 3 years ago
Summary: | firefox-91.6.1 js-91.6.1 → firefox-91.7.0 js-91.7.0 (was 91.6.1) |
---|
The additional fixes in 91.7.0 are rated as High.
follow-up: 12 comment:11 by , 3 years ago
Fixed in @b635b9da2af63f18914882a8545866ac01a4681d 11.1-34
comment:12 by , 3 years ago
Replying to ken@…:
Fixed in @b635b9da2af63f18914882a8545866ac01a4681d 11.1-34
Thank you Ken. Doing Thunderbird now, already have Seamonkey good to go.
Once you've got the SA filed, I'll file one for Thunderbird and Seamonkey, and then send a mail out to the lists.
comment:13 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I believe this would be classified as an emergency, so I'm promoting it to High severity with a severity of Critical.
This is a security update that contains fixes for two CVEs which are being actively exploited in the wild. One of them has to do with XSLT parameter processing, and one in the WebGPU IPC Framework. Details:
Mozilla Foundation Security Advisory 2022-09
Security Vulnerabilities fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0
Announced
Impact
Products
Fixed in
CVE-2022-26485: Use-after-free in XSLT parameter processing
Reporter
Impact
Description
Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
References
CVE-2022-26486: Use-after-free in WebGPU IPC Framework
Reporter
Impact
Description
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.
References