Bug 2460531 - Firefox 150 fixes 271 unspecified security issues (F44 blocker consideration)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 44
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F44FinalBlocker
 
Reported: 2026-04-22 08:30 UTC by Adam Williamson
Modified: 2026-04-24 07:44 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-04-24 07:44:44 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2026-04-22 08:30:48 UTC
Per Mozilla, Firefox 150 fixes 271 unspecified security issues discovered by Mythos:

https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/

F44 RC-1.5 has 149.0.

Do we take this as a blocker and respin? Discuss.

Criterion: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)."

Technically, we don't *know for sure* that any of these 271 issues (alone or in combination) would be "'important' or higher impact according to the Red Hat severity classification scale". But...betting against it might not be smart.

Comment 1 Fedora Update System 2026-04-22 08:31:24 UTC
FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2

Comment 2 Gary Buhrmaster 2026-04-22 12:40:24 UTC
(In reply to Adam Williamson from comment #0)

> Technically, we don't *know for sure* that any of these 271 issues (alone or
> in combination) would be "'important' or higher impact according to the Red
> Hat severity classification scale". But...betting against it might not be
> smart.

None of the fixes identified in https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/ are more than "high" (no "critical"), but the use after free and privilege escalation bugs seem, to me, to be concerning (and there may be ways to chain the bugs together to move to a critical (I would half expect RH itself to be among the trusted orgs who have access to Mythos, so the security team might know, but they cannot share until the disclosure day)). I have no vote here, but as a minimum I would like to see Firefox 150 be a 0-day stable update so that the community is protected as soon as possible.

Comment 3 Adam Williamson 2026-04-22 15:18:37 UTC
Mapping that scale to RH's is sometimes strangely unpredictable, unfortunately :/ Technically all the criteria are 'objective' so we can do the evaluation ourselves with sufficient expertise, but it's a tricky exercise.

Comment 4 Adam Williamson 2026-04-22 15:26:39 UTC
Actually, looking at it closely, I don't think the mfsa2026-30 list is the Mythos bugs. It's too short and the credits don't match.

Comment 5 Geraldo Simião 2026-04-22 22:25:35 UTC
Just to say that Fedora 44 RC 1.7 correctly has the Firefox 150 build.

Comment 6 Fedora Update System 2026-04-23 01:34:18 UTC
FEDORA-2026-fb08ad61f2 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-fb08ad61f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Adam Williamson 2026-04-23 20:19:22 UTC
Discussed at 2026-04-23 Fedora 44 Go/No-Go Meeting #2, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/meeting_matrix_fedoraproject-org/2026-04-23/f44-final-go-no-go-meeting-2.2026-04-23-18.00.html . Accepted as a blocker as a violation of Final criterion "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)"; we do not know for absolute certain that any of the Mythos-discovered issues are 'important' or higher, but without definite information, it seemed much safer to assume some of them are than to assume all of them aren't.

Comment 8 Fedora Update System 2026-04-24 05:56:43 UTC
FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Kamil Páral 2026-04-24 07:44:44 UTC
The update is stable, closing.

