[Solved] Alert: Firefox 74.0 - 0-day security vulnerabilities detected

[karlchen]

Please, be alerted that two 0-day vulnerabilities have been identified in Firefox 74.0 and Firefox 68.6.0.

Final Update 08-April-2020:
The Linux Mint Repos offer Firefox 75.0 for the main editions LM 19.x and LM 18.x.
The Linux Mint repos offer Firefox 68.7 for LMDE 4 and LMDE 3.
No more workarounds needed. Those who have applied any such workarounds may revert them.


---------------------------------------------obsolete as of today, 08-April-2020----------------------------
Ubuntu have made available Firefox 74.0.1 to their users in their software repositories.
USN-4317-1: Firefox vulnerabilities
Please, watch out for Firefox 74.0.1 in Update Manager and install it as soon as it becomes available.
As no advice has been given on what to do or on what not to do, this very likely means there is no way of reducing the risk, while we are waiting for Firefox 74.0.1 to arrive in the software repos.

How to patch now:
Please, find the "... how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily." 3 posts below.

Update 07-April-2020:
Today Ubuntu has published Ubuntu Firefox 75.0 in their software repositories. So when following the instruction, linked above, select Firefox 75.0 instead of Firefox 74.0.1.
Who has already installed Firefox 74.0.1: Update Manager should offer Firefox 75.0 as a normal update.

Update 08-April-2020:
The Linux Mint Repos now offer Firefox 75.0 for the main editions LM 19.x and LM 18.x.
The Linux Mint repos now offer Firefox 68.7 for LMDE 4 and LMDE 3.
So this thread has come to an end, I guess.

[all41]

Seems pretty straightforward--if it's a concern--just download the 74.0.01 tar.bz2 from mozilla.org--extract it to a folder and run it from there--untill the repositories update.

[Linux-Is-Best]

This is why the first thing I do when I install any distro is download Firefox directly from Mozilla and uninstall the one provided by the distro. I like my real-time updates that Mozilla Firefox provides. Over the years, I learned not everyone knows how to manually install Mozilla Firefox so I made an automated script that does that all on its own. https://github.com/Linux-Is-Best/Firefo ... -for-Linux

[karlchen]

Hi, folks.

Here is how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.

No need to fiddle around with the genuine Mozilla .tar.bz2 file. The solution is already in your repos, just not used automatically.

1. Use Synaptic package manager, which comes pre-installed with Linux Mint (whew, yes, it does! ), in order to switch to the Ubuntu provided Firefox version, which has already been updated to 74.0.1.
   .
2. Inside Synaptic locate the installed Firefox package and each Firefox language package, which has been installed for it on your system.
   Below is my list, yours may/will look a bit differently.
   
   
   .
3. Mark each of the identified packages at a time and tell Synaptic to force its version.
   
   Select 1 Firefox (language) package at a time. Then click on "Package" in the menu => "Force version".
   In the "Force Version" dialogue select the "74.0.1 .... (bionic-updates)" version.
   Click on [Force version].
   
   .
   Result:
   
   .
4. Repeat the step above for each installed Firefox package.
   Result:
   
   .
5. Now click on "Apply". Synaptic will display a summary of what is going to be upgraded. Click the [Apply] button. Wait for the installation to finish.
   Result:
   

Note:
Switching back to the Mint provided Firefox 74.0.1, as soon as it will be available in the Mint repos, is as simple as illustrated above. Basically the same steps.

HTH,
Karl

[dorsetUK]

Thanks Karl, worked a treat.

Jon

[AZgl1500]

now you tell me

I just used the method as suggested up above, and it worked slicker than the door knob.

Took me a long while though, to make sure that all of my New Tab icons were duplicated.
that is the one feature that is missing in Sync, and I don't understand why.

Sync restores every thing else, but not the New Tabs, and I have 4 rows of them.

I just used the Edit feature to copy the links in all of them, and store them in text file, to copy to the new FF.

glad it is done, I had this in 18.3 Cinnamon, but never got around to doing it with my new 19.3 Cinnamon.

[Flemur]

Please, be alerted that two 0-day vulnerabilities have been identified in Firefox 74.0 and Firefox 68.6.0.

FWIW, I'd been using 68.6.0 ESR, and yesterday it asked to be updated to 68.6.1 (I noticed the article didn't mention 68.6.x)

[karlchen]

Thanks, Flemur, for mentioning Firefox ESR.

The sticky alert post had been created last night, a bit in a hurry. And the Ubuntu security alert of course only mentions Firefox 74.0, because this is what is in their repos (and in the Mint repos)

By the way:

Code: Select all

karl@unimatrix0:~$ apt-cache policy firefox-esr-mozilla-build
firefox-esr-mozilla-build:
  Installed: 68.6.1esr-0ubuntu1 <====
  Candidate: 68.6.1esr-0ubuntu1
  Version table:
 *** 68.6.1esr-0ubuntu1 500
        500 https://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all/main i386 Packages
        100 /var/lib/dpkg/status

[PhilAypee]

No need to fiddle around with the genuine Mozilla .tar.bz2 file. The solution is already in your repos, just not used automatically.

Use Synaptic package manager, which comes pre-installed with Linux Mint (whew, yes, it does! ), in order to switch to the Ubuntu provided Firefox version, which has already been updated to 74.0.1.

Thank you, it all worked seamlessly for me too.

Question: does anybody know what the vulnerabilities are

[majpooper]

Sorry for being so dense but I don't see where to apply step 3

Code: Select all

Select 1 Firefox (language) package at a time. Then click on "Packet" => "Force version".
In the "Force Version" dialogue select the "74.0.1 .... (bionic-updates)" version.
Click on [Force version].

How to I get to the Packet=>Force version to click on it?

[karlchen]

How to I get to the Packet=>Force version to click on it?

In the Synaptic menu.
And sorry, it is "Package" => "Force version ..."
My fault. When translating back from German to English, I sometimes (frequently?) end up picking the wrong English term.
Have corrected my post above accordingly now.

[majpooper]

My fault. When translating back from German to English, I sometimes (frequently?) end up picking the wrong English term.

Not a problem - I spent a whole tour in Germany and never got past basically tourist level German. I guess in my defence I worked with native English speakers all day and generally German people can speak English so I wasn't forced to learn but I still felt self conscious never the less. My wife on the other hand is of German decent, took four years of German in High School, signed up for German classes when we got in country. She went out of her way to immerse herself in the German language. Our closest German friends are from her the friends she made.

So let me say - Danke meinem Freund ein pils für dich

[karlchen]

So let me say - Danke meinem Freund ein pils für dich

Sadly, the kiosk on the opposite side of the street closed 3 hours ago for today. So, the pils will have to wait till tomorrow after work.
By the way, invoking LC_ALL=C synaptic-pkexec from the terminal window instead of launching it from the application menu will persuade Synaptic to speak perfect English. Hope I will remember next time, before posting Synaptic screenshots again.

[SweetBearCub]

Can someone please explain to me why the repos don't just carry Firefox's direct updates, and why by default we are stuck with a modified version of Firefox that lags on security updates? (About box specifically says "Mozilla Firefox for Linux Mint - mint 1.0)

I'm aware that I could add their PPA and get faster updates, as is possible for many packages, but what I want to know is why it's done this way, especially on something that is an unusually large attack surface overall.

Thanks.

[karlchen]

I'm aware that I could add their PPA and get faster updates,

No PPA needed as had been explained and illustrated in the post above: ... how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.

[SweetBearCub]

Thank you, but I did not ask for that. I have read the thread.

My question is closely related, but different.

[Linux-Is-Best]

Can someone please explain to me why the repos don't just carry Firefox's direct updates, and why by default we are stuck with a modified version of Firefox that lags on security updates? (About box specifically says "Mozilla Firefox for Linux Mint - mint 1.0)

I'm aware that I could add their PPA and get faster updates, as is possible for many packages, but what I want to know is why it's done this way, especially on something that is an unusually large attack surface overall.

Thanks.

Your frustration is exactly why I prefer to use Mozilla Firefox directly from Mozilla. It updates itself and I don't have to worry about distro's modifying things. I first download my script (previously posted), uninstall Firefox that comes with Mint (or any distro), and run my little installer. Problem solved.

[mikaelrask]

thanks for the information and the instructions how to get it from synaptic. learned something today

[venco]

Hi, folks.

Here is how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.
....

Karl

Thank you Very Much Karl.

[cliffcoggin]

As no advice has been given on what to do or on what not to do, this very likely means there is no way of reducing the risk, while we are waiting for Firefox 74.0.1 to arrive in the software repos.

Can I assume that Mint will be updated with the revised Firefox within a few days as normal? If so I'll wait for it.