On Friday, Mozilla issued a security advisory for Firefox, the default web browser in Fedora. This advisory centered around two CVEs — both of which allowed an out-of-bounds memory write while processing Vorbis audio data, leading to arbitrary code execution. CVE-2018-5146 is against libvorbis, the bundled library that Firefox ships to process Vorbis audio on most architectures. CVE-2018-5147 is against libtremor, which Firefox bundles for the same task on ARM architectures.

At the same time as the security advisory was issued, Mozilla released Firefox 59.0.1 that fixes these issues.

Updating Firefox in Fedora

At the time of writing, Firefox 59.0.1 (with the security fixes) is heading through the update process in Fedora, and will be in the stable repositories soon. When it reaches the stable repositories, the fixes will be applied during your next system update.

However, if you want to update Firefox now, install the firefox-59.0.1-1 package from the updates-testing repository with the following command:

sudo dnf --enablerepo updates-testing update firefox
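
To confirm afterwards that the installed package is at or above the fixed release, a check like the following can be used. This is an added example, not part of the original article; the function names are hypothetical, and it assumes `rpm` and a `sort` that supports `-V` (as on Fedora).

```shell
#!/bin/sh
# Fixed upstream version, taken from the advisory described above.
FIXED_VERSION="59.0.1"

# version_ge A B: succeed when version A >= version B (version-aware sort).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# firefox_status VERSION: print "patched" if VERSION >= 59.0.1,
# otherwise "needs-update".
firefox_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# installed_firefox_version: print the installed firefox RPM version.
# Fails when rpm is unavailable or the package is not installed.
installed_firefox_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    v=$(rpm -q --queryformat '%{VERSION}' firefox 2>/dev/null) || return 1
    printf '%s\n' "$v"
}

# Report on the local system when the package is present.
if v=$(installed_firefox_version); then
    echo "firefox $v: $(firefox_status "$v")"
else
    echo "firefox RPM not found; nothing to check"
fi
```

A Firefox process that was already running keeps the old code loaded until the browser is restarted.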