Firefox 127.0.2 release now available


AdvancedSetup

Firefox release 112.0.2 April 25, 2023

Fixed

  • Fixes a high memory usage issue with animated images in minimized (or completely covered) windows, especially when using animated themes (bug 1828587).

  • Fixes an issue where Linux users with bitmap fonts installed may have had entire sections of text invisible to them on some sites (bug 1827950).

  • Fixes an issue where web notifications with images were not displaying for Windows 8 users (bug 1822817).

  • AdvancedSetup changed the title to Firefox 112.0.2 release now available
  • 2 weeks later...

Version 113.0, first offered to Release channel users on May 9, 2023

New

  • Say hello to enhanced Picture-in-Picture! Rewind, check video duration, and effortlessly switch to full-screen mode on the web's most popular video websites.

  • Firefox's address bar is already a great place to search for what you're looking for. Now you'll always be able to see your web search terms and refine them while viewing your search's results - no additional scrolling needed! Also, a new result menu has been added making it easier to remove history results and dismiss sponsored Firefox Suggest entries.

  • Private windows now protect users even better by blocking third-party cookies and storage of content trackers.

  • Passwords automatically generated by Firefox now include special characters, giving users more secure passwords by default.

  • Firefox 113 introduces a redesigned accessibility engine which significantly improves the speed, responsiveness, and stability of Firefox when used with:

    • Screen readers, as well as certain other accessibility software;
    • East Asian input methods;
    • Enterprise single sign-on software; and
    • Other applications which use accessibility frameworks to access information.
  • Importing bookmarks from Safari or a Chrome-based browser? The favicons for those bookmarks will now also be imported by default to make them easier to identify.

  • Firefox 113 now supports AV1 Image Format files containing animations (AVIS), improving support for AVIF images across the web.

  • The Windows GPU sandbox first shipped in the Firefox 110 release has been tightened to enhance the security benefits it provides.

  • A 13-year-old feature request was fulfilled and Firefox now supports files being drag-and-dropped directly from Microsoft Outlook. A special thanks to volunteer contributor Marco Spiess for helping to get this across the finish line!

  • Users on macOS can now access the Services sub-menu directly from Firefox context menus.

  • On Windows, the elastic overscroll effect has been enabled by default. When two-finger scrolling on the touchpad or scrolling on the touchscreen, you will now see a bouncing animation when scrolling past the edge of a scroll container.

  • Firefox is now available in the Tajik (tg) language.

Fixed

Changed

  • The long-deprecated mozRTCPeerConnection, mozRTCIceCandidate, and mozRTCSessionDescription WebRTC interfaces have been removed. Sites should utilize the non-prefixed versions instead.

 

Mozilla Foundation Security Advisory 2023-16

Security Vulnerabilities fixed in Firefox 113

Announced
May 9, 2023
Impact
high
Products
Firefox
Fixed in
  • Firefox 113

#CVE-2023-32205: Browser prompts could have been obscured by popups

Reporter
Alesandro Ortiz
Impact
high
Description

In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks.

References

#CVE-2023-32206: Crash in RLBox Expat driver

Reporter
Irvan Kurniawan
Impact
high
Description

An out-of-bound read could have led to a crash in the RLBox Expat driver.

References

#CVE-2023-32207: Potential permissions request bypass via clickjacking

Reporter
Hafiizh
Impact
high
Description

A missing delay in popup notifications could have made it possible for an attacker to trick a user into granting permissions.

References

#CVE-2023-32208: Leak of script base URL in service workers via import()

Reporter
Anne van Kesteren
Impact
moderate
Description

Service workers could reveal script base URL due to dynamic import().

References

#CVE-2023-32209: Persistent DoS via favicon image

Reporter
Sam Ezeh
Impact
moderate
Description

A maliciously crafted favicon could have led to an out of memory crash.

References

#CVE-2023-32210: Incorrect principal object ordering

Reporter
Nika Layzell
Impact
moderate
Description

Documents were incorrectly assuming an ordering of principal objects when ensuring we were loading an appropriately privileged principal. In certain circumstances it might have been possible to cause a document to be loaded with a higher privileged principal than intended.

References

#CVE-2023-32211: Content process crash due to invalid wasm code

Reporter
P1umer and xmzyshypnc
Impact
moderate
Description

A type checking bug would have led to invalid code being compiled.

References

#CVE-2023-32212: Potential spoof due to obscured address bar

Reporter
Hafiizh
Impact
moderate
Description

An attacker could have positioned a datalist element to obscure the address bar.

References

#CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()

Reporter
Ronald Crane
Impact
moderate
Description

When reading a file, an uninitialized value could have been used as read limit.

References

#MFSA-TMP-2023-0002: Race condition in dav1d decoding

Reporter
Tyson Smith
Impact
moderate
Description

A race condition during dav1d decoding could have led to an out-of-bounds memory access, potentially leading to memory corruption and execution of malicious code.

References

#CVE-2023-32214: Potential DoS via exposed protocol handlers

Reporter
Gijs Kruitbosch
Impact
low
Description

Protocol handlers ms-cxh and ms-cxh-full could have been leveraged to trigger a denial of service.
Note: This attack only affects Windows. Other operating systems are not affected.

References

#CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers and community members Gabriele Svelto, Andrew Osmond, Emily McDonough, Sebastian Hengst, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112 and Firefox ESR 102.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

#CVE-2023-32216: Memory safety bugs fixed in Firefox 113

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers and community members Ronald Crane, Andrew McCreight, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 112. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
 

  • AdvancedSetup changed the title to Firefox 113.0 release now available

Now it is released.

Firefox 113.0.1

Fixed

  • Fixed incorrect colors for Windows users with installed monitor/display color profiles, particularly on wide gamut displays (bug 1832215)

  • Fixed borders being visible around fullscreen windows for some configurations (bug 1830721)

  • Fixed an issue which may cause users in some configurations to experience tearing when watching videos in fullscreen mode (bug 1830792)

  • AdvancedSetup changed the title to Firefox 113.0.1 release now available
  • 2 weeks later...

Version 113.0.2, first offered to Release channel users on May 23, 2023

Fixed

  • Fixed an issue which caused Picture-in-Picture windows to not be snappable on Windows 11 or on systems with the FancyZones PowerToy installed (bug 1832331)

  • Fixed a video playback crash on some Windows systems with Intel graphics (bug 1831329)

  • Fixed a bug which could cause Firefox to freeze on some pages when loading them with the Developer Tools Web Console open (bug 1828026)

  • Fixed a bug which would cause the bookmarks and history sidebars to not properly react to the browser window being vertically resized (bug 1831535)

  • AdvancedSetup changed the title to Firefox 113.0.2 release now available
  • 2 weeks later...

Version 114.0, first offered to Release channel users on June 6, 2023

Quote

New

  • Added UI to manage the DNS over HTTPS exception list.

  • Bookmarks can now be searched from the Bookmarks menu. The Bookmarks menu is accessible by adding the Bookmarks menu button to the toolbar.

  • Restrict searches to your local browsing history by selecting Search history from the History, Library or Application menu buttons.

  • Mac users can now capture video from their cameras in all supported native resolutions. This enables resolutions higher than 1280x720.

  • It is now possible to reorder the extensions listed in the extensions panel.

  • Users on macOS, Linux, and Windows 7 can now use FIDO2 / WebAuthn authenticators over USB. Some advanced features, such as fully passwordless logins, require a PIN to be set on the authenticator.

  • Pocket Recommended content can now be seen in France, Italy, and Spain.

Fixed

Changed

  • DNS over HTTPS settings are now part of the Privacy & Security section of the Settings page and allow the user to choose from all the supported modes.

Quote

Mozilla Foundation Security Advisory 2023-20

Security Vulnerabilities fixed in Firefox 114

Announced
June 6, 2023
Impact
high
Products
Firefox
Fixed in
  • Firefox 114

#CVE-2023-34414: Click-jacking certificate exceptions through rendering lag

Reporter
Irvan Kurniawan
Impact
high
Description

The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.

References

#CVE-2023-34415: Site-isolation bypass on sites that allow open redirects to data: urls

Reporter
Jun Kokatsu
Impact
moderate
Description

When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an "open redirect". Firefox no longer follows HTTP redirects to data: URLs.

References

#CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Firefox 113 and Firefox ESR 102.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

#CVE-2023-34417: Memory safety bugs fixed in Firefox 114

Reporter
Mozilla developers and community
Impact
high
Description

Mozilla developers and community members Andrew McCreight, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
 

 

  • AdvancedSetup changed the title to Firefox 114.0 release now available
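
The activation delay described under CVE-2023-34414 above, sketched for a web application's own security-sensitive button. This is an added example, not part of the original post and not Firefox code; `ActivationGuard`, `protectButton` and the 500 ms delay are assumptions chosen for illustration. It shows the two details the advisory turns on: the delay starts when the prompt is actually on screen, and a click is judged by when the user made it, not by when a busy renderer dispatched it.

```javascript
// Added example: an activation-delay guard for a security-sensitive button.
// ActivationGuard, protectButton and the 500 ms delay are assumptions made
// for this illustration; they are not Firefox code or Firefox's values.

class ActivationGuard {
  constructor({ delayMs = 500, now = () => performance.now() } = {}) {
    this.delayMs = delayMs;
    this.now = now;
    this.armedAt = null; // null = prompt not yet confirmed to be on screen
  }

  // The prompt was inserted into the page but may not have been painted yet.
  shown() { this.armedAt = null; }

  // The prompt is known to be on screen: the delay starts here.
  painted() { this.armedAt = this.now(); }

  // Focus change, move or re-render: restart the delay so the user can re-read.
  disturbed() { if (this.armedAt !== null) this.armedAt = this.now(); }

  // eventTime is when the user clicked (event.timeStamp), which can be much
  // earlier than the moment a busy renderer gets around to dispatching it.
  accept(eventTime) {
    if (this.armedAt === null) return false;
    return eventTime - this.armedAt >= this.delayMs;
  }
}

// Browser wiring (defined only; not executed under Node). Two animation
// frames approximate "the prompt has been painted at least once".
function protectButton(button, onConfirm, guard = new ActivationGuard()) {
  guard.shown();
  requestAnimationFrame(() => requestAnimationFrame(() => guard.painted()));
  window.addEventListener("blur", () => guard.disturbed());
  window.addEventListener("focus", () => guard.disturbed());
  button.addEventListener("click", (ev) => {
    if (guard.accept(ev.timeStamp)) onConfirm(ev);
    else ev.preventDefault();
  });
  return guard;
}

// Constructed timeline (milliseconds) replaying the situation in the advisory.
function replayTimeline() {
  let clock = 0;
  const guard = new ActivationGuard({ delayMs: 500, now: () => clock });
  const results = [];

  guard.shown();                    // t=0: prompt loaded, nothing painted yet
  results.push(guard.accept(100));  // click lands before the first paint

  clock = 400;
  guard.painted();                  // t=400: prompt finally appears on screen
  results.push(guard.accept(100));  // the same early click, dispatched late
  results.push(guard.accept(600));  // 200 ms after paint: still too soon
  results.push(guard.accept(950));  // 550 ms after paint: accepted

  clock = 1000;
  guard.disturbed();                // window lost focus: delay restarts
  results.push(guard.accept(1200)); // 200 ms after the restart
  results.push(guard.accept(1500)); // 500 ms after the restart
  return results;
}

console.log(replayTimeline());
```

A guard that compared the dispatch time instead of `event.timeStamp` would accept the second click in the timeline, because by the time it is delivered the prompt has nominally been up long enough.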

https://wiki.mozilla.org/Firefox/Channels/Meetings/2023-06-08#Schedule_Update

Quote

Schedule Update

  • 114
    • Desktop 114.0 rollout currently throttled
      • Waiting on a patch for a start-up crash
    • Aiming to build Desktop 114.0.1 and Fenix/Focus 114.1.0 today ready for QA and release tomorrow
    • Firefox iOS 114.1 scheduled for next week
      • Build on Monday, 2023-06-12 and release after QA sign-off on Tuesday, 2023-06-13

 

 

  • AdvancedSetup changed the title to Firefox 114.0.1 release now available
  • 2 weeks later...
  • AdvancedSetup changed the title to Firefox 114.0.2 release now available
  • Root Admin

Firefox Release Calendar
https://wiki.mozilla.org/index.php?title=Release_Management/Calendar&redirect=no

The RELEASE versions of Firefox for 2023

  • 2023-04-11    Firefox 112
  • 2023-05-09    Firefox 113
  • 2023-06-06    Firefox 114
  • 2023-07-04    Firefox 115
  • 2023-08-01    Firefox 116
  • 2023-08-29    Firefox 117
  • 2023-09-26    Firefox 118
  • 2023-10-24    Firefox 119
  • 2023-11-21    Firefox 120
  • 2023-12-19    Firefox 121

 

  • Firefox 113: 28 days after Firefox 112 (April has 30 days)
  • Firefox 114: 28 days after Firefox 113 (May has 31 days)
  • Firefox 115: 29 days after Firefox 114 (June has 30 days)
  • Firefox 116: 28 days after Firefox 115 (July has 31 days)
  • Firefox 117: 28 days after Firefox 116 (August has 31 days)
  • Firefox 118: 28 days after Firefox 117 (September has 30 days)
  • Firefox 119: 28 days after Firefox 118 (October has 31 days)
  • Firefox 120: 28 days after Firefox 119 (November has 30 days)
  • Firefox 121: 28 days after Firefox 120 (December has 31 days)

To find the average, we add up the differences and divide by the total number of releases:

(28 + 28 + 29 + 28 + 28 + 28 + 28 + 28) / 8 = 225 / 8 = 28.125 (approximately)

Therefore, the average amount of days between these releases, accounting for the number of days in each month, is approximately 28.125 days.

 

Edited by AdvancedSetup
Updated information
On 6/28/2023 at 4:55 AM, AdvancedSetup said:
  • 2023-07-04    Firefox 115

Windows 7, 8, and 8.1 Support

We are ending support for Windows 7, 8 and 8.1. Users of Firefox on these versions of Windows will be moved over to the Firefox 115 ESR and will be supported until September 2024.


Version 115.0, first offered to Release channel users on July 4, 2023

Mozilla Foundation Security Advisory 2023-22

Security Vulnerabilities fixed in Firefox 115

Announced
July 4, 2023
Impact
high
Products
Firefox
Fixed in
  • Firefox 115

#CVE-2023-3482: Block all cookies bypass for localstorage

Reporter
Martin Hostettler
Impact
moderate
Description

When Firefox is configured to block storage of all cookies, it was still possible to store data in localstorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission.

References

#CVE-2023-37201: Use-after-free in WebRTC certificate generation

Reporter
Irvan Kurniawan
Impact
high
Description

An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.

References

#CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey

Reporter
zx
Impact
high
Description

Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free.

References

#CVE-2023-37203: Drag and Drop API may provide access to local system files

Reporter
Paul Nickerson
Impact
moderate
Description

Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed an attacker to trick end-users into creating a shortcut to local system files. This could have been leveraged to execute arbitrary code.

References

#CVE-2023-37204: Fullscreen notification obscured via option element

Reporter
Irvan Kurniawan
Impact
moderate
Description

A website could have obscured the fullscreen notification by using an option element by introducing lag via an expensive computational function. This could have led to user confusion and possible spoofing attacks.

References

#CVE-2023-37205: URL spoofing in address bar using RTL characters

Reporter
Rohan Sharma
Impact
moderate
Description

The use of RTL Arabic characters in the address bar may have allowed for URL spoofing.

References

#CVE-2023-37206: Insufficient validation of symlinks in the FileSystem API

Reporter
Ameen Basha M K
Impact
moderate
Description

Uploading files which contain symlinks may have allowed an attacker to trick a user into submitting sensitive data to a malicious website.

References

#CVE-2023-37207: Fullscreen notification obscured

Reporter
Shaheen Fazim
Impact
moderate
Description

A website could have obscured the fullscreen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks.

References

#CVE-2023-37208: Lack of warning when opening Diagcab files

Reporter
Puf
Impact
moderate
Description

When opening Diagcab files, Firefox did not warn the user that these files may contain malicious code.

References

#CVE-2023-37209: Use-after-free in `NotifyOnHistoryReload`

Reporter
Simon Descarpentries
Impact
moderate
Description

A use-after-free condition existed in NotifyOnHistoryReload where a LoadingSessionHistoryEntry object was freed and a reference to that object remained. This resulted in a potentially exploitable condition when the reference to that object was later reused.

References

#CVE-2023-37210: Full-screen mode exit prevention

Reporter
Hafiizh
Impact
low
Description

A website could prevent a user from exiting full-screen mode via alert and prompt calls. This could lead to user confusion and possible spoofing attacks.

References

#CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13

Reporter
Andrew McCreight, Matthew Gaudet, Tom Ritter, and the Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

#CVE-2023-37212: Memory safety bugs fixed in Firefox 115

Reporter
Andrew McCreight, and the Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox 114. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Quote

New

  • Migrating from another browser? Now you can bring over payment methods you've saved in Chrome-based browsers to Firefox.

  • Hardware video decoding is now enabled for Intel GPUs on Linux.

  • The Tab Manager dropdown now features close buttons, so you can close tabs more quickly.

  • We've refreshed and streamlined the user interface for importing data in from other browsers.

  • Users without platform support for H264 video decoding can now fallback to Cisco's OpenH264 plugin for playback.

Fixed

  • The Windows Magnifier now follows the text cursor correctly when the Firefox title bar is visible.

  • Windows users on low-end/USB Wi-Fi drivers and with OS geolocation disabled, can now approve geolocation on a case by case basis without causing system-wide network instability.

  • Various security fixes.

Changed

  • Undo and redo are now available in Password fields.

  • On Linux, middle-clicks on the new tab button will now open the xclipboard contents in the new tab. If the xclipboard content is a URL then that URL is opened, any other text is opened with your default search provider.

  • For users with a Firefox Colorways built-in theme, the theme will be automatically migrated to the same theme hosted on addons.mozilla.org for Firefox profiles that have disabled add-ons auto-updates. This allows users to keep their Colorways theme when they are later removed from Firefox installer files.

  • Certain Firefox users may come across a message in the extension's panel indicating that their add-ons are not allowed on the site currently open. We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.


Edited by 1PW
  • AdvancedSetup changed the title to Firefox 115.0 release now available

Excerpted from today's Firefox Scheduled Update:

Schedule Update

  • 115
  • Desktop 115.0 throttled at 0%
    • We are keeping the rollout throttled while we investigate a fix for a start-up crash
    • Desktop 115.0.1 timeline will depend on this fix
  • Android Fenix and Focus/Klar 115.0.1 live at 100% rollout
  • iOS Firefox and Focus/Klar 115.0 in a phased rollout
  • Android/iOS scheduled dot release scheduled for next week
    • gtb on 2023-06-10, go-live on 2023-06-11 after QA sign-off

Reference: Schedule Update


Although I usually run the latest stable release version of Firefox as my default browser on macOS 13 Ventura, I have experienced single startup crashes, just after version updates, up to a few months ago.

I have not experienced any Firefox difficulties recently.

  • AdvancedSetup changed the title to Firefox 115.0.1 release now available

Version 115.0.2, first offered to Release channel users on July 11, 2023

Firefox 115.0.2 fixes a security issue and several crashes

Quote

 

Fixed

  • Fixed a startup crash experienced by some Windows users by blocking instances of a malicious injected DLL (bug 1841751)

  • Fixed a bug with displaying a caret in the text editor on some websites (bug 1840804)

  • Fixed a bug with broken audio rendering on some websites (bug 1841982)

  • Fixed a bug with patternTransform translate using the wrong units (bug 1840746)

  • A security fix.

Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2

Announced
July 11, 2023
Impact
high
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 115.0.2
  • Firefox ESR 115.0.2

#CVE-2023-3600: Use-after-free in workers

Reporter
Andrew McCreight
Impact
moderate
Description

During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash.

References

 

Edited by 1PW
  • AdvancedSetup changed the title to Firefox 115.0.2 release now available
  • 2 weeks later...
  • AdvancedSetup changed the title to Firefox 115.0.3 release now available

Version 116.0, first offered to Release channel users on August 1, 2023

New

  • Sidebar switcher allows users to access Bookmarks, History and Synced Tabs panels easily, quickly switch between them, move the sidebar to another side of the browser window, or close the sidebar. Now, keyboard users would be able to do it all with ease too, with or without any assistive technology running, without needing to memorize keyboard shortcuts to access these panels.

  • When an update is available in English locales, users will now have access to the release notes in the update notification prompt in the form of a "Learn More" link.

  • It is now possible to copy any file from your operating system and paste it into Firefox.

  • You asked, and we listened! The volume slider is now available in Picture-in-Picture.

  • We added the possibility to edit existing text annotations.

Fixed

  • The upload performance of HTTP/2 has been significantly improved starting with Firefox 115.0, particularly on those with a higher bandwidth delay product (i.e., networks characterized by both high bandwidth and high latency).

  • Various security fixes.

Changed

  • The keyboard shortcut to reopen closed tabs (command + shift + t) now reopens last closed tab or last closed window, in the order items were closed. If there aren't any tabs or windows to reopen, this command restores the previous session. This change is in anticipation of upcoming changes to recently closed tabs.

 

Security Vulnerabilities fixed in Firefox 116

Announced
August 1, 2023
Impact
high
Products
Firefox
Fixed in
  • Firefox 116

#MFSA-RESERVE-2023-0001: Offscreen Canvas could have bypassed cross-origin restrictions

Reporter
Max Vlasov
Impact
high
Description

Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of same-origin policy.

References

#MFSA-RESERVE-2023-0002: Incorrect value used during WASM compilation

Reporter
Alexander Guryanov
Impact
high
Description

In some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process.

References

#MFSA-RESERVE-2023-0003: Potential permissions request bypass via clickjacking

Reporter
Axel Chong (@Haxatron)
Impact
high
Description

A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions.

References

#MFSA-RESERVE-2023-0004: Crash in DOMParser due to out-of-memory conditions

Reporter
Irvan Kurniawan
Impact
high
Description

An out-of-bounds read could have led to an exploitable crash when parsing HTML with DOMParser in low memory situations.

References

#MFSA-RESERVE-2023-0005: Fix potential race conditions when releasing platform objects

Reporter
Nika Layzell
Impact
high
Description

Race conditions in reference counting code were found through code inspection. These could have resulted in potentially exploitable use-after-free vulnerabilities.

References

#MFSA-RESERVE-2023-0006: Stack buffer overflow in StorageManager

Reporter
Mark Brand
Impact
high
Description

In some cases, an untrusted input stream was copied to a stack buffer without checking its size. This resulted in a potentially exploitable crash which could have led to a sandbox escape.

References

#MFSA-RESERVE-2023-0007: Full screen notification obscured by file open dialog

Reporter
Hafiizh
Impact
moderate
Description

A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks.

References

#MFSA-RESERVE-2023-0008: File deletion and privilege escalation through Firefox uninstaller

Reporter
ycdxsb
Impact
moderate
Description

The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user.
This bug only affects Firefox on Windows. Other operating systems are unaffected.

References

#MFSA-RESERVE-2023-0009: Full screen notification obscured by external program

Reporter
P Umar Farooq
Impact
moderate
Description

A website could have obscured the full screen notification by using a URL with a scheme handled by an external program, such as a mailto URL. This could have led to user confusion and possible spoofing attacks.

References

#MFSA-RESERVE-2023-0010: Lack of warning when opening appref-ms files

Reporter
P Umar Farooq
Impact
moderate
Description

When opening appref-ms files, Firefox did not warn the user that these files may contain malicious code.
This bug only affects Firefox on Windows. Other operating systems are unaffected.

References

#MFSA-RESERVE-2023-0011: Cookie jar overflow caused unexpected cookie jar state

Reporter
Marco Squarcina
Impact
low
Description

When the number of cookies per domain was exceeded in document.cookie, the actual cookie jar sent to the host was no longer consistent with expected cookie jar state. This could have caused requests to be sent with some cookies missing.

References

#MFSA-RESERVE-2023-0012: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14

Reporter
Dianna Smith, Ryan VanderMeulen, Timothy Nikkel, and the Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ESR 102.13, Thunderbird 115.0, and Thunderbird 102.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

#MFSA-RESERVE-2023-0013: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1

Reporter
The Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and Thunderbird 115.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

#MFSA-RESERVE-2023-0014: Memory safety bugs fixed in Firefox 116

Reporter
Andrew McCreight and the Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox 115. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

  • AdvancedSetup changed the title to Firefox 116.0 release now available

Firefox users on Windows 7, 8 and 8.1 moving to Extended Support Release

Firefox version 115 will be the last supported Firefox version for users of Windows 7, Windows 8 and Windows 8.1. If you are using these versions of Windows, you will be moved to the Firefox Extended Support Release (ESR) channel by an application update. Mozilla will provide security updates for these users until September 2024. No security updates will be provided after that date.

  • AdvancedSetup changed the title to Firefox 116.0.1 release now available
