Tuesday, December 19, 2023

Mozilla Firefox Version 121.0 Released with Security Updates

Mozilla sent Firefox Version 121.0 to the release channel. Firefox ESR was updated to Version 115.6.

The update includes eighteen security updates, of which five (5) are rated high, eight (8) moderate, and five (5) low.

High

CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver

CVE-2023-6135: NSS susceptible to "Minerva" attack

CVE-2023-6865: Potential exposure of uninitialized data in EncryptingOutputStream

CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6

CVE-2023-6873: Memory safety bugs fixed in Firefox 121



Moderate

CVE-2023-6857: Symlinks may resolve to smaller than expected buffers

CVE-2023-6858: Heap buffer overflow in nsTextFragment

CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer

CVE-2023-6866: TypedArrays lack sufficient exception handling

CVE-2023-6860: Potential sandbox escape due to VideoBridge lack of texture validation

CVE-2023-6867: Clickjacking permission prompts using the popup transition

CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode

CVE-2023-6868: WebPush requests on Firefox for Android did not require VAPID key


Low

CVE-2023-6869: Content can paint outside of sandboxed iframe

CVE-2023-6870: Android Toast notifications may obscure fullscreen event notifications

CVE-2023-6871: Lack of protocol handler warning in some instances

CVE-2023-6872: Browsing history leaked to syslogs via GNOME

CVE-2023-6863: Undefined behavior in ShutdownObserver()


New

  • Firefox now prompts Windows users to install the Microsoft AV1 Video Extension to enable hardware decoding support for the AV1 video codec from about:support if not already installed.

  • Firefox now supports Voice Control commands on macOS systems.

  • On Linux, Firefox now defaults to the Wayland compositor when available instead of XWayland. This brings support for touchpad & touchscreen gestures, swipe-to-nav, per-monitor DPI settings, better graphics performance, and more.

    Note that due to Wayland protocol limitations, Picture-in-Picture windows require an extra user interaction (generally right-click on the window) or a shell / desktop-environment tweak. See bug 1621261 for related discussion and tracking, this post for a KDE configuration, and this extension for GNOME.

  • Firefox can now force links to always be underlined. This option can be enabled in the Browsing section of the Firefox Settings menu.


  • The PDF viewer now includes a floating button to simplify deleting drawings, text, and images added in PDFs.


Update: To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu. If you do not use the English language version, Fully Localized Versions are available for download.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
