Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2241187 - Update Firefox in Fedora 39 Final to fix CVE-2023-5169, CVE-2023-5171, CVE-2023-5217
Summary: Update Firefox in Fedora 39 Final to fix CVE-2023-5169, CVE-2023-5171, CVE-20...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 39
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F39FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2023-09-28 13:45 UTC by Marko Bevc
Modified: 2023-10-31 05:36 UTC (History)
9 users (show)

Fixed In Version: firefox-118.0.1-4.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-10-05 21:15:58 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Marko Bevc 2023-09-28 13:45:23 UTC
https://www.mozilla.org/en-US/firefox/118.0.1/releasenotes/

It contains a security fix.

Reproducible: Always

Comment 1 Bojan Smojver 2023-10-03 23:23:33 UTC
A build for F39 is still pending. This should be done before the release for sure, given 118.0.1 was a security update.

Comment 2 Adam Williamson 2023-10-04 15:27:18 UTC
In general, you don't need to report to the Firefox maintainer that a new Firefox release exists. You can assume they are aware of this. Builds can take a while to appear because building Firefox isn't trivial and takes quite a long time.

Per https://access.redhat.com/security/cve/CVE-2023-5169 and https://access.redhat.com/security/cve/CVE-2023-5171, at least two of the CVEs fixed in 118.0 were "important" on the RH scale, and per https://access.redhat.com/security/cve/CVE-2023-5217 , the one fixed in 118.0.1 is also "important". That does appear to constitute a violation of Final criterion "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)."

Comment 3 Adam Williamson 2023-10-04 16:47:13 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/1370 , marking accepted.

Comment 4 Bojan Smojver 2023-10-04 21:36:28 UTC
Looks like x86_64 build for F39 failed again in koji. Interestingly, that worked fine in copr from the same source:

https://copr.fedorainfracloud.org/coprs/bojan/FF/build/6488602/

Weird...

Comment 5 Bojan Smojver 2023-10-04 21:57:56 UTC
Looks like ld got killed by signal 9 at 162:33:52. Out of memory or something?

Comment 6 Adam Williamson 2023-10-05 00:28:24 UTC
Yes. There's some discussion at https://bugzilla.redhat.com/show_bug.cgi?id=2241690 . It depends to some extent on what builder the job gets assigned to.

I tried to apply a mitigation suggested by Kalev Lember on devel@ , but didn't notice it was inside a conditional that's not currently active, so it didn't work. I've tweaked that and sent new F38/F39 builds. Let's hope these work :(

Comment 7 Fedora Update System 2023-10-05 06:00:51 UTC
FEDORA-2023-bbb8d72c6f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-bbb8d72c6f

Comment 8 Fedora Update System 2023-10-05 20:10:29 UTC
FEDORA-2023-bbb8d72c6f has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-bbb8d72c6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-bbb8d72c6f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-10-05 21:15:58 UTC
FEDORA-2023-bbb8d72c6f has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Bojan Smojver 2023-10-31 05:36:57 UTC
Security fixes in 119.0 are not as dire, but lining up the existing build in bodhi would still be nice to have for the release of F39. :-)


Note You need to log in before you can comment on or make changes to this bug.