Bug 2460531
| Summary: | Firefox 150 fixes 271 unspecified security issues (F44 blocker consideration) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | firefox | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 44 | CC: | gary.buhrmaster, gecko-bugs-nobody, geraldo.simiao.kutz, jhorak, klaas, kparal, pbrobinson, robatino, rstrode, sagitterghostproton.me, stransky, suraj.ghimire7 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | AcceptedBlocker | ||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-04-24 07:44:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2362359 | ||
|
Description
Adam Williamson
2026-04-22 08:30:48 UTC
FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2 (In reply to Adam Williamson from comment #0) > Technically, we don't *know for sure* that any of these 271 issues (alone or > in combination) would be "'important' or higher impact according to the Red > Hat severity classification scale". But...betting against it might not be > smart. None of the fixes identified in https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/ are more than "high" (no "critical"), but the use after free and privilege escalation bugs seem, to me, to be concerning (and there may be ways to chain the bugs together to move to a critical (I would half expect RH itself to be among the trusted orgs who have access to mythos, so the security team might know, but they cannot share until the disclosure day)). I have no vote here, but as a minimum I would like to see firefox 150 be a 0-day stable update so that the community is protected as soon as possible. Mapping that scale to RH's is sometimes strangely unpredictable, unfortunately :/ Technically all the criteria are 'objective' so we can do the evaluation ourselves with sufficient expertise, but it's a tricky exercise. Actually, looking at it closely, I don't think the mfsa2026-30 list is the Mythos bugs. It's too short and the credits don't match. Just to say that Fedora 44 RC 1.7 correctly have the firefox 150 build. FEDORA-2026-fb08ad61f2 has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-fb08ad61f2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. Discussed at 2026-04-23 Fedora 44 Go/No-Go Meeting #2, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/meeting_matrix_fedoraproject-org/2026-04-23/f44-final-go-no-go-meeting-2.2026-04-23-18.00.html . Accepted as a blocker as a violation of Final criterion "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)"; we do not know for absolute certain that any of the Mythos-discovered issues are 'important' or higher, but without definite information, it seemed much safer to assume some of them are than to assume all of them aren't. FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report. The update is stable, closing. |