Opened 15 months ago
Closed 15 months ago
#17521 closed enhancement (fixed)
firefox-102.7.0 JS-102.7.0
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 11.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Now available, release is tomorrow.
Change History (4)
comment:1 by , 15 months ago
comment:2 by , 15 months ago
Looking at my measurements, on the (haswell) system where I measured JS-102.6.0 with rustc-1.64.0 the 'make' time for 4 cores was just over 5 minutes. After upgrading that system to rustc-1.66.1 (and with a revised average SBU for linux-6.1.3) the 'make' time was over 14 minutes.
comment:3 by , 15 months ago
Details of the security advisories relevant to linux:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
CVE-2023-23598 High
Arbitrary file read from GTK drag and drop on Linux
CVE-2023-23601 Medium
Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks
CVE-2023-23602 Medium
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers.
CVE-2023-23603 Low
Regular expressions used to filter out forbidden properties and values from style directives in calls to console.log weren't accounting for external URLs. Data could then be potentially exfiltrated from the browser.
CVE-2023-23605 High
Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 108 and Firefox ESR 102.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
CVE-2022-46871 High
An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited.
CVE-2023-46877 Low
By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks.
Release note now available, as usual the changes are for Security Vulnerabilities, several rated as High.
AFAICS, no vulnerability fixes in JS-102.7.0 - the only change there is that upstream disabled a setarch call in their automation because it requires extra docker privileges.
The JIT tests for JS102 have recently all passed for me, so I stopped logging them. This time, one test failed and had scrolled out of the screen buffer. When I retried with a log, all the JIT tests passed (the other tests had a similar number of UNEXPECTED failures to previous versions).