On Tuesday, Mozilla issued a security advisory for Firefox, the default web browser in Fedora. This advisory concerns a CVE for a vulnerability based on type confusion that can happen when JavaScript objects are being manipulated. It can be used to crash your browser. There are apparently already attacks in the wild that exploit the issue. Read on for more information, and how to protect your system against this flaw.
At the same time the security advisory was issued, Mozilla also released Firefox 67.0.3 (and ESR 60.7.1) to fix the issue.
Updating Firefox in Fedora
Firefox 67.0.3 (with the security fixes) has already been pushed to the stable Fedora repositories. The security fix will be applied to your system with your next update. You can also update only the firefox package by running the following command:
$ sudo dnf update --refresh firefox
This command requires you to have sudo set up. Note that not every Fedora mirror syncs at the same rate. Community sites graciously donate space and bandwidth for these mirrors to carry Fedora content. You may need to try again later if your selected mirror is still awaiting the latest update.
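To confirm that the update actually landed, the following added example (not part of the original article or of Fedora's tooling) compares a Firefox version against the fixed releases named above, 67.0.3 and ESR 60.7.1. The function names are hypothetical, and treating every 60.x version as the ESR branch is an assumption.

```sh
#!/bin/sh
# Added example: does a Firefox version include the fix from the advisory?
# Fixed releases are the ones the article names: 67.0.3 and ESR 60.7.1.

# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}            # leading component, empty counts as 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                               # all components equal
}

# firefox_is_patched VERSION: 0 = fixed, 1 = vulnerable, 2 = unparseable.
firefox_is_patched() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 2 ;;  # not dotted-numeric
    esac
    case ${1%%.*} in
        60) version_ge "$1" 60.7.1 ;;  # assumption: 60.x is the ESR branch
        *)  version_ge "$1" 67.0.3 ;;  # regular release channel
    esac
}

# check_installed_firefox: query the RPM database for the firefox package.
# This covers only the RPM package, not a Flatpak install.
check_installed_firefox() {
    v=$(rpm -q --qf '%{VERSION}' firefox 2>/dev/null) || {
        echo "firefox RPM package not found"; return 2; }
    if firefox_is_patched "$v"; then
        echo "firefox $v includes the fix"
    else
        echo "firefox $v lacks the fix: sudo dnf update --refresh firefox"
        return 1
    fi
}

# Report only; call the function directly if you need its exit status.
check_installed_firefox || true
```

A running browser keeps using the old binary until it is restarted, so restart Firefox after the package update.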
Kamil
Paul, please add “--refresh” to the command in the article. That’s how you increase probability that people hit the latest mirrors:
$ sudo dnf update --refresh firefox
Clément Verna
Thanks for the tip, I have made the edit 🙂
Danniello
In command there is typo – not
, it should be
:
Ryan Lerch
Thanks for the pickup there too! WordPress sometimes autocompletes two hyphens in a row into an emdash automagically. This is now fixed too! Thanks!
Martin Stransky
Fedora 30 update is in stable now. Fedora 29 update is waiting for your karma:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-9d9ad2999e
Vibol
How about the flatpak version on the registry.fedoraproject.org? Still in 66.0.1
Daniel
“On Friday” is supposed to say “On Tuesday”. Fedora shipped this update two days after Mozilla and not almost a full week later.
Paul W. Frields
@Daniel: Indeed, this was a copypasta error. Thanks, fixed.
Jan
I know it is nitpicking, but the DNF man page states for “update”:
Update Command
dnf [options] update
Deprecated alias for the Upgrade Command.
While it still works, it may be worth using “upgrade” in a guide like this to encourage using it the way intended by the command.
Paul W. Frields
@Jan: Thanks, we’ll use that in the future.
Jens Petersen
But
is one letter longer 😉
Artem
Another one 0day in Firefox 67.0.4
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
Paul W. Frields
@Artem: Good info to have. Since that vulnerability is not at the same level, it’s unlikely we’ll do another article on it. Users can pick up an update soon in Fedora for 67.0.4; the maintainer is quite responsive. We encourage users to provide update feedback!