firefox-115.8.0esr

[ken@…]

Now available, release notes are due tomorrow.

[ken@…]

Release notes ​https://www.mozilla.org/en-US/security/advisories/mfsa2024-06/

CVE-2024-1546 OOB memory read in networking channels, rated High

CVE-2024-1547 Alert dialog could have been spoofed on another site, rated High

CVE-2024-1548 Fullscreen Notification could have been hidden by select element, rated Medium

CVE-2024-1549 Custom cursor could obscure the permission dialog, rated Medium

CVE-2024-1550 Mouse cursor re-positioned unexpectedly could have led to unintended permission grants, rated Medium

CVE-2024-1551 Multipart HTTP Responses would accept the Set-Cookie header in response parts, rated Medium

(CVE-2024-1552 applies to 32-bit ARM)

CVE-2024-1553 Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8, rated High

[Xi Ruoyao]

Not sure how to do this. Maybe update Firefox (an end package) to 115.8 but keep SpiderMonkey 115.7 until March?

[Douglas R. Reno]

That's what I was thinking, as far as I can see there's not much of a reason to update Spidermonkey

[Bruce Dubbs]

Replying to Xi Ruoyao:

Not sure how to do this. Maybe update Firefox (an end package) to 115.8 but keep SpiderMonkey 115.7 until March?

That's one way. Can the code for js be easily compared between the versions?

[ken@…]

Replying to Bruce Dubbs:

Replying to Xi Ruoyao:

Not sure how to do this. Maybe update Firefox (an end package) to 115.8 but keep SpiderMonkey 115.7 until March?

That's one way. Can the code for js be easily compared between the versions?

The code in js/src can be easily compared, although I do not pretend to understand the few changes.

What is not obvious, at least to me, is what other parts of firefox are included by spidermonkey.

[ken@…]

Book updated at sha:r12.1-1633-g6354d179cd

[ken@…]

Security Advisory SA-12.0-104 created.