Opened 16 months ago
Closed 16 months ago
#17394 closed enhancement (fixed)
firefox-102.6.0 and JS-102.6.0
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Now available, release notes expected tomorrow.
Matches the candidate, which built with the current instructions (i.e. the grep and xargs sed is still needed with python-3.11-series).
In the main JS tests I grepped the log and got: 119 UNEXPECTED (failures), 6179 TEST-KNOWN failurs and 43910 TEST-PASS - that is a total of 50111 so now more than 50,000 tests.
For anyone like me who updates their certs when updating firefox-esr, the current certs include Mozilla's removal of the Trustcor root cert (at last!). Note that python-3.11.1's pip seems to still include that ('certifi' was updated after 3.11.1), but the envvar solves the problem.
Release notes expected tomorrow.
Change History (2)
comment:1 by , 16 months ago
comment:2 by , 16 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed in 8d219de89c638279ca1d1fab8b5ce6191de214c2 11.2-554
Advisory SA 11.2-052.
Release note now available. AFAICS there are no obvious security fixes in JS91 although there are changes in the js module loader (which might be security related) and also in the js wasm code.
Both contain TZ updates to 2022g.
Upstream advisory for firefox-102.6.0 is at https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
Security Vulnerabilities fixed in Firefox ESR 102.6 Announced December 13, 2022 Impact high Products Firefox ESR Fixed in Firefox ESR 102.6 #CVE-2022-46880: Use-after-free in WebGL Reporter Atte Kettunen Impact high Description A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. References Bug 1749292 #CVE-2022-46872: Arbitrary file read from a compromised content process Reporter Nika Layzell Impact high Description An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Firefox for Linux. Other operating systems are unaffected. References Bug 1799156 #CVE-2022-46881: Memory corruption in WebGL Reporter Karl and an Anonymous ASAN Nightly User Impact high Description An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. References Bug 1770930 #CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions Reporter Matthias Zoellner Impact moderate Description A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code. References Bug 1746139 #CVE-2022-46882: Use-after-free in WebGL Reporter Irvan Kurniawan Impact moderate Description A use-after-free in WebGL extensions could have led to a potentially exploitable crash. References Bug 1789371 CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 Reporter Mozilla developers Impact high Description Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107 and Firefox ESR 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6There was also a macOS-specific CVE.