Fedora Account System
Red Hat Associate
Red Hat Customer
Per Mozilla, Firefox 150 fixes 271 unspecified security issues discovered by Mythos: https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/ F44 RC-1.5 has 149.0. Do we take this as a blocker and respin? Discuss. Criterion: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." Technically, we don't *know for sure* that any of these 271 issues (alone or in combination) would be "'important' or higher impact according to the Red Hat severity classification scale". But...betting against it might not be smart.
FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2
(In reply to Adam Williamson from comment #0) > Technically, we don't *know for sure* that any of these 271 issues (alone or > in combination) would be "'important' or higher impact according to the Red > Hat severity classification scale". But...betting against it might not be > smart. None of the fixes identified in https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/ are more than "high" (no "critical"), but the use after free and privilege escalation bugs seem, to me, to be concerning (and there may be ways to chain the bugs together to move to a critical (I would half expect RH itself to be among the trusted orgs who have access to mythos, so the security team might know, but they cannot share until the disclosure day)). I have no vote here, but as a minimum I would like to see firefox 150 be a 0-day stable update so that the community is protected as soon as possible.
Mapping that scale to RH's is sometimes strangely unpredictable, unfortunately :/ Technically all the criteria are 'objective' so we can do the evaluation ourselves with sufficient expertise, but it's a tricky exercise.
Actually, looking at it closely, I don't think the mfsa2026-30 list is the Mythos bugs. It's too short and the credits don't match.
Just to say that Fedora 44 RC 1.7 correctly have the firefox 150 build.
FEDORA-2026-fb08ad61f2 has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-fb08ad61f2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-fb08ad61f2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Discussed at 2026-04-23 Fedora 44 Go/No-Go Meeting #2, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/meeting_matrix_fedoraproject-org/2026-04-23/f44-final-go-no-go-meeting-2.2026-04-23-18.00.html . Accepted as a blocker as a violation of Final criterion "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)"; we do not know for absolute certain that any of the Mythos-discovered issues are 'important' or higher, but without definite information, it seemed much safer to assume some of them are than to assume all of them aren't.
FEDORA-2026-fb08ad61f2 (firefox-150.0-1.fc44 and nss-3.122.1-1.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
The update is stable, closing.