Firefox 77.0.1 will be released today to fix one issue

[Karlston]

Firefox 77.0.1 will be released today to fix one issue

Mozilla plans to release Firefox 77.0.1 to the Stable channel later today. The new version of the web browser comes just a day after the release of Firefox 77.0 Stable on June 2, 2020.

 

While it is not uncommon for Mozilla to release a smaller update shortly after a major version update, the time between a major release and a bug fix release is usually a good indicator of the importance of the update.

 

 

The release notes list a single bug:

Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way

The linked bug, 1642723, provides additional insight on the fix. According to its assignee and other contributors, the fix "prefs-off a feature" related to Firefox's rollout of DNS over HTTPS that caused network strain on the network of the provider NextDNS.

We need to be able to roll this out gradually so that we don't overload any providers. Even the dry-run involves up to 10 requests per client which can be very significant when the entire release population updates.

NextDNS is one of the providers that Mozilla selected for inclusion as a default HTTPS over DNS providers in the Firefox web browser.

This prefs-off a feature that seems to be effectively DDoS'ing NextDNS, one of our DNS over HTTPs providers. This patch is blocking the rollout of Fx77.

DNS over HTTPS is a new security and privacy feature that is being rolled out in Firefox, and also available in other browsers. Most browser makers, e.g. Google, plan to introduce support for DNS over HTTPS this year. Microsoft has integrated the feature in the company's Windows 10 operating system as well recently.

 

 

Mozilla stopped the rollout of Firefox 77.0 Stable because of the bug. The organization created a patch and plans to release it on June 3, 2020 to the Firefox Stable population.

 

 

Firefox 77.0.1 will be released today to fix one issue

 

[Front paged here... Mozilla Firefox Browser 77.0.1 ]

 

[steven36]

Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws

 

 

Mozilla has emitted security updates for Firefox to address eight CVE-listed security flaws, five of them considered to be high-risk vulnerabilities.

 

The patches, present in Firefox 77, should be downloaded and installed automatically for most users, so if you haven't closed out and relaunched your browser in a while, now might be a good time.

 

Of the five high-risk flaws, three are confirmed to allow arbitrary code execution, which in the case of a web browser means that simply loading up a malicious page could lead to malware running on your machine. As it turns out, all three of the code execution bugs were found in-house by Mozilla developers, rather than miscreants exploiting them in the wild, which is good news.

 

 

Iain Ireland took credit for uncovering CVE-2020-12406, a JavaScript type confusion error that occurs when handling NativeTypes. Devs Tom Tung and Karl Tomlinson shared credit for the discovery of the memory corruption bugs described in CVE-2020-12410, while Mozilla developers :Gijs and Randell Jesup found multiple memory corruption bugs that fell under the designation CVE-2020-12411. While Mozilla did not say it had specifically seen proof-of-concept code in circulation exploiting the bugs, it's pretty sure that with a bit of effort a miscreant could get a working exploit up and running from reading the source changes – so patch away.

 

Another high-risk vulnerability is CVE-2020-12399. Described as a timing attack in the NSS library, used to secure HTTPS connections, the flaw can be exploited to disclose keys. "NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys," Mozilla explained.

 

Credit for the discovery went to Cesar Pereida Garcia and the Network and Information Security Group at Finland's Tampere University.

 

The fifth of the high-risk flaws is CVE-2020-12405, discovered and reported by Marcin "Icewall" Noga of Cisco Talos. Noga found a use-after-free() bug in the SharedWorkService component that, when exploited by a web page, would cause what Mozilla termed a potentially "exploitable crash."

 

Of the remaining three CVE-entries, CVE-2020-12407 is the most serious. The moderate-rated flaw is a GPU memory leak bug that, interestingly enough, displays memory contents on the screen so that the local user can see them, but not to any web content. Credit for the discovery went to Mozilla developer Nicolas Silva.

 

CVE-2020-12408 and CVE-2020-12409 are both low-risk URL spoofing bugs discovered by independent researcher Rayyan Bijoora.

 

Source

 

[steven36]

I been ruining  Firefox  77 since May 25th  i stay on the  Mozilla release candidate ppa  always the last release candidate is the final will be the same hash . all stable is the last RC  i been knowing this since the 2000s . I do this because if you get Firefox from Ubuntu they only  give updates when there is security updates  . You ether get updates  a little faster . or manually install it like I do Basilisk browser because they have no  PPA  or be behind a little  since I  have 6 browsers  to keep updated i just do it the easy way  and use the Mozilla release candidate PPA for Firefox.😎