[Solved] Alert: Firefox 74.0 - 0-day security vulnerabilities detected

Post by karlchen »

Please, be alerted that two 0-day vulnerabilities have been identified in Firefox 74.0 and Firefox 68.6.0.

Final Update 08-April-2020:
The Linux Mint Repos offer Firefox 75.0 for the main editions LM 19.x and LM 18.x.
The Linux Mint repos offer Firefox 68.7 for LMDE 4 and LMDE 3.

No more workarounds needed. Those who have applied any such workarounds may revert them.


---------------------------------------------obsolete as of today, 08-April-2020----------------------------
Ubuntu have made available Firefox 74.0.1 to their users in their software repositories.
USN-4317-1: Firefox vulnerabilities
Please, watch out for Firefox 74.0.1 in Update Manager and install it as soon as it becomes available.
As no advice has been given on what to do or on what not to do, this very likely means there is no way of reducing the risk, while we are waiting for Firefox 74.0.1 to arrive in the software repos.

How to patch now:
Please, find the "... how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily." 3 posts below.

Update 07-April-2020:
Today Ubuntu has published Ubuntu Firefox 75.0 in their software repositories. So when following the instruction, linked above, select Firefox 75.0 instead of Firefox 74.0.1.
Who has already installed Firefox 74.0.1: Update Manager should offer Firefox 75.0 as a normal update.

Update 08-April-2020:
The Linux Mint Repos now offer Firefox 75.0 for the main editions LM 19.x and LM 18.x.
The Linux Mint repos now offer Firefox 68.7 for LMDE 4 and LMDE 3.

So this thread has come to an end, I guess.
Last edited by karlchen on Sun Apr 05, 2020 6:01 am, edited 3 times in total.
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit

Post by all41 »

Seems pretty straightforward--if it's a concern--just download the 74.0.01 tar.bz2 from mozilla.org--extract it to a folder and run it from there--until the repositories update.
Light travels faster than sound. That's why some people appear smart until you hear what they are saying.
You will seldom see a grey-beard wearing a tinfoil hat.

Post by Linux-Is-Best »

This is why the first thing I do when I install any distro is download Firefox directly from Mozilla and uninstall the one provided by the distro. I like my real-time updates that Mozilla Firefox provides. Over the years, I learned not everyone knows how to manually install Mozilla Firefox so I made an automated script that does that all on its own. https://github.com/Linux-Is-Best/Firefo ... -for-Linux
* Please be as detailed as possible. As if you were speaking to a child
* I don't understand sarcasm on the internet. Please avoid it
* I don't check PMs. Want my attention? Quote me
* Please remember that experiences differ and opinions are not facts

Post by karlchen »

Hi, folks.

Here is how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.

No need to fiddle around with the genuine Mozilla .tar.bz2 file. The solution is already in your repos, just not used automatically.
  1. Use Synaptic package manager, which comes pre-installed with Linux Mint (whew, yes, it does! :D ), in order to switch to the Ubuntu provided Firefox version, which has already been updated to 74.0.1.
  2. Inside Synaptic locate the installed Firefox package and each Firefox language package, which has been installed for it on your system.
    Below is my list, yours may/will look a bit different.
    [Screenshot]
  3. Mark each of the identified packages, one at a time, and tell Synaptic to force its version.
    Select 1 Firefox (language) package at a time. Then click on "Package" in the menu => "Force version".
    In the "Force Version" dialogue select the "74.0.1 .... (bionic-updates)" version.
    Click on [Force version].
    [Screenshot]
    Result:
    [Screenshot]
  4. Repeat the step above for each installed Firefox package.
    Result:
    [Screenshot]
  5. Now click on "Apply". Synaptic will display a summary of what is going to be upgraded. Click the [Apply] button. Wait for the installation to finish.
    Result:
    [Screenshot]
Note:
Switching back to the Mint provided Firefox 74.0.1, as soon as it is available in the Mint repos, is as simple as illustrated above. Basically the same steps.

HTH,
Karl
Last edited by karlchen on Sun Apr 05, 2020 2:50 pm, edited 1 time in total.
Reason: Corrected: The menu item is "Package" not "Packet". So it is "Package" => "Force version"

Post by dorsetUK »

Thanks Karl, worked a treat.

Jon

Post by AZgl1500 »

now you tell me :)

I just used the method as suggested up above, and it worked slicker than the door knob.

Took me a long while though, to make sure that all of my New Tab icons were duplicated.
that is the one feature that is missing in Sync, and I don't understand why.

Sync restores every thing else, but not the New Tabs, and I have 4 rows of them.

I just used the Edit feature to copy the links in all of them, and store them in a text file, to copy to the new FF.

glad it is done, I had this in 18.3 Cinnamon, but never got around to doing it with my new 19.3 Cinnamon.
Linux Mint 19.3 Cinnamon

Post by Flemur »

karlchen wrote:
Sat Apr 04, 2020 7:09 pm
Please, be alerted that two 0-day vulnerabilities have been identified in Firefox 74.0 and Firefox 68.6.0.
FWIW, I'd been using 68.6.0 ESR, and yesterday it asked to be updated to 68.6.1 (I noticed the article didn't mention 68.6.x)
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?

Post by karlchen »

Thanks, Flemur, for mentioning Firefox ESR. :D

The sticky alert post had been created last night, a bit in a hurry. And the Ubuntu security alert of course only mentions Firefox 74.0, because this is what is in their repos (and in the Mint repos)

By the way:

Code:

karl@unimatrix0:~$ apt-cache policy firefox-esr-mozilla-build
firefox-esr-mozilla-build:
  Installed: 68.6.1esr-0ubuntu1 <====
  Candidate: 68.6.1esr-0ubuntu1
  Version table:
 *** 68.6.1esr-0ubuntu1 500
        500 https://downloads.sourceforge.net/project/ubuntuzilla/mozilla/apt all/main i386 Packages
        100 /var/lib/dpkg/status
Linux Mint 19.3 64-bit Cinnamon, Total Commander 9.51 64-bit
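
The `apt-cache policy` output in the post above can also show why a fixed build that is "already in your repos" is not offered automatically. The following is an added example, not part of any post in this thread: it parses such output and reports whether a fixed version is installed, pending, or present in the version table but held back. The sample output, the function names and the simplified version comparison are assumptions; the first fixed version is passed in by the caller.

```python
import re

# Constructed `apt-cache policy firefox` output (not from the thread); the
# version strings, priorities and archive names are illustrative assumptions.
SAMPLE = """\
firefox:
  Installed: 74.0+linuxmint1+tricia
  Candidate: 74.0+linuxmint1+tricia
  Version table:
     74.0.1+build1-0ubuntu0.18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
 *** 74.0+linuxmint1+tricia 700
        700 http://packages.linuxmint.com tricia/upstream amd64 Packages
        100 /var/lib/dpkg/status
"""

def upstream(version):
    """Leading dotted number as a tuple (simplified; not dpkg's full ordering)."""
    m = re.match(r"(?:\d+:)?(\d+(?:\.\d+)*)", version or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def parse_policy(text):
    """Return (installed, candidate, {version: [priority, [sources]]})."""
    fields, table, current = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"^\s+(Installed|Candidate): (\S+)", line):
            fields[m.group(1)] = m.group(2)
        elif m := re.match(r"^(?: \*\*\* | {5})(\S+) (-?\d+)$", line):
            current = table.setdefault(m.group(1), [int(m.group(2)), []])
        elif (m := re.match(r"^ {8}-?\d+ (.+)$", line)) and current:
            current[1].append(m.group(1))
    return fields.get("Installed"), fields.get("Candidate"), table

def assess(text, fixed):
    """Classify the package state against the first fixed upstream version."""
    installed, candidate, table = parse_policy(text)
    want = upstream(fixed)
    if upstream(installed) >= want:
        return {"status": "patched", "version": installed}
    if upstream(candidate) >= want:
        return {"status": "update-pending", "version": candidate}
    # A fixed build is listed, but a higher-priority archive keeps the old candidate.
    for version, (_prio, sources) in table.items():
        if upstream(version) >= want:
            return {"status": "fix-held-back", "version": version, "sources": sources}
    return {"status": "no-fix-in-repos", "version": installed}

if __name__ == "__main__":
    print(assess(SAMPLE, "74.0.1"))
```

A "fix-held-back" result names the version and archive that would have to be selected by hand, which is what the "Force version" dialogue in Synaptic does.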

Post by PhilAypee »

karlchen wrote:
Sun Apr 05, 2020 5:47 am

No need to fiddle around with the genuine Mozilla .tar.bz2 file. The solution is already in your repos, just not used automatically.

Use Synaptic package manager, which comes pre-installed with Linux Mint (whew, yes, it does! :D ), in order to switch to the Ubuntu provided Firefox version, which has already been updated to 74.0.1.
Thank you, it all worked seamlessly for me too. :)

Question: does anybody know what the vulnerabilities are :?:
Take care,
Phil.

Minimize your therbligs until it becomes automatic;
this doubles your effective lifetime – and thereby gives time to enjoy
butterflies and kittens and rainbows.


LM 19.3 Xfce 64 bit - 4Gb RAM Dual Core Celeron N3350
🚂🚃🚃🚃🚃🚃🚃🚃🚃🚃🚃🚃🚃🚃

Post by majpooper »

Sorry for being so dense but I don't see where to apply step 3

Code:

Select 1 Firefox (language) package at a time. Then click on "Packet" => "Force version".
In the "Force Version" dialogue select the "74.0.1 .... (bionic-updates)" version.
Click on [Force version].
How do I get to the Packet=>Force version to click on it?

Post by karlchen »

majpooper wrote:
Sun Apr 05, 2020 1:33 pm
How do I get to the Packet=>Force version to click on it?
In the Synaptic menu.
And sorry, it is "Package" => "Force version ..."
My fault. When translating back from German to English, I sometimes (frequently?) end up picking the wrong English term. :(
Have corrected my post above accordingly now.

Post by majpooper »

karlchen wrote:
Sun Apr 05, 2020 2:48 pm
My fault. When translating back from German to English, I sometimes (frequently?) end up picking the wrong English term. :(
Not a problem - I spent a whole tour in Germany and never got past basically tourist level German. I guess in my defence I worked with native English speakers all day and generally German people can speak English so I wasn't forced to learn but I still felt self-conscious nevertheless. My wife on the other hand is of German descent, took four years of German in High School, signed up for German classes when we got in country. She went out of her way to immerse herself in the German language. Our closest German friends are from the friends she made.

So let me say - Danke meinem Freund ein pils für dich

Post by karlchen »

majpooper wrote:
Sun Apr 05, 2020 4:46 pm
So let me say - Danke meinem Freund ein pils für dich
Sadly, the kiosk on the opposite side of the street closed 3 hours ago for today. :( So, the pils will have to wait till tomorrow after work. :wink:
By the way, invoking LC_ALL=C synaptic-pkexec from the terminal window instead of launching it from the application menu will persuade Synaptic to speak perfect English. Hope I will remember next time, before posting Synaptic screenshots again.

Post by SweetBearCub »

Can someone please explain to me why the repos don't just carry Firefox's direct updates, and why by default we are stuck with a modified version of Firefox that lags on security updates? (About box specifically says "Mozilla Firefox for Linux Mint - mint 1.0")

I'm aware that I could add their PPA and get faster updates, as is possible for many packages, but what I want to know is why it's done this way, especially on something that is an unusually large attack surface overall.

Thanks.

Post by karlchen »

SweetBearCub wrote:
Sun Apr 05, 2020 5:21 pm
I'm aware that I could add their PPA and get faster updates,
No PPA needed as had been explained and illustrated in the post above: ... how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.

Post by SweetBearCub »

Thank you, but I did not ask for that. I have read the thread.

My question is closely related, but different.

Post by Linux-Is-Best »

SweetBearCub wrote:
Sun Apr 05, 2020 5:21 pm
Can someone please explain to me why the repos don't just carry Firefox's direct updates, and why by default we are stuck with a modified version of Firefox that lags on security updates? (About box specifically says "Mozilla Firefox for Linux Mint - mint 1.0")

I'm aware that I could add their PPA and get faster updates, as is possible for many packages, but what I want to know is why it's done this way, especially on something that is an unusually large attack surface overall.

Thanks.
Your frustration is exactly why I prefer to use Mozilla Firefox directly from Mozilla. It updates itself and I don't have to worry about distros modifying things. I first download my script (previously posted), uninstall Firefox that comes with Mint (or any distro), and run my little installer. Problem solved.

Post by mikaelrask »

thanks for the information and the instructions how to get it from synaptic. learned something today :D
CPU Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz
Graphic Card: nvidia 2070 super
Ram 16 GB
Kernel: 5.4.0.60-generic
kubuntu 20.04

Laptop:
CPU Intel(R) Core(TM) i5-245m
cinnamon 20.1
Kernel 5,4.0.60-generic
Ram 4 gb

Post by venco »

karlchen wrote:
Sun Apr 05, 2020 5:47 am
Hi, folks.

Here is how to switch to the Ubuntu provided bugfixed Firefox 74.0.1 easily.
....

Karl

Thank you Very Much Karl.

Post by cliffcoggin »

karlchen wrote:
Sat Apr 04, 2020 7:09 pm

As no advice has been given on what to do or on what not to do, this very likely means there is no way of reducing the risk, while we are waiting for Firefox 74.0.1 to arrive in the software repos.
Can I assume that Mint will be updated with the revised Firefox within a few days as normal? If so I'll wait for it.
Cliff Coggin