Critical updates release speed in Fedora

Hello,

Mozilla informed about a critical vulnerability that is being exploited in the wild. As far as I know the vulnerability got a score of 9.8 out of 10.0, so it seems very severe.

Now, if I check koji.fedoraproject.org I can see that a new firefox version (131.0.2) was built yesterday. However, today, 24h later, it still is not offered through the update channels for Fedora 40.

So I wonder, how slow or fast are those critical security fixes usually released on Fedora? 24h to fix an exploit that needs no user interaction seems like a long time. I was using the tar.gz from Mozilla directly, but then some folks said: No, don’t use that, it’s not using all the security features, stick to the firefox version that comes with the distribution, this is much more hardened and much safer. Well, if fixes take so long, that point doesn’t seem to make a lot of sense.

1 Like

Does it pull the latest update version if you run sudo dnf upgrade --refresh instead of the GNOME or KDE software centers?

I switched from the system packaged version to the Flatpak version for several reasons, so I can’t immediately test it.

1 Like

Thanks for the tip. No, sudo dnf upgrade --refresh does not pull the update yet.

I just ran dnf info firefox on a VM running Fedora Server 40 as well as my laptop running the KDE spin of Fedora Workstation 40. On both, I am getting the following:

Available Packages
Name         : firefox
Version      : 131.0
Release      : 2.fc40
Architecture : x86_64
Size         : 77 M
Source       : firefox-131.0-2.fc40.src.rpm
Repository   : updates
Summary      : Mozilla Firefox Web browser
URL          : https://www.mozilla.org/firefox/
License      : LicenseRef-Callaway-MPLv1.1 OR GPL-2.0-or-later OR LicenseRef-Callaway-LGPLv2+
Description  : Mozilla Firefox is an open-source web browser, designed for standards
             : compliance, performance and portability.

I have the following under /etc/yum.repos.d/fedora-updates.repo:

[updates]
name=Fedora $releasever - $basearch - Updates
#baseurl=http://download.example/pub/fedora/linux/updates/$releasever/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=1
countme=1
repo_gpgcheck=0
type=rpm
gpgcheck=1
metadata_expire=6h
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False

If I try to install the Fedora packaged version of Firefox by running sudo dnf install firefox, I am also seeing 131.0-2.fc40 listed as the version.

Is it possible that you are pulling packages from a different mirror that hasn’t been updated?

That’s still the “bad” version. I think we want 131.0.2-1, which seems to be on rawhide and Fedora 41 here:

and the F40 version is being worked on here
https://bodhi.fedoraproject.org/updates/FEDORA-2024-db72f480e8

Seems like there’s some action on that page so hopefully we’ll get the new version soon.

1 Like
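As an added example (not code from this thread or from Fedora), the following POSIX shell check parses `dnf info` output and compares the offered version-release with the fixed build using rpm's segment-wise ordering, so that 131.0-2 is not mistaken for 131.0.2-1. The thread names the fixed build as 131.0.2-1; the `.fc40` dist tag on its release is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: tell whether the firefox build a
# repo offers is at least the build that carries the fix, using rpmvercmp's
# segment rules (so 131.0-2 is correctly seen as OLDER than 131.0.2-1).

# Split a version or release string into numeric / alphabetic segments.
segments() { printf '%s' "$1" | grep -oE '[0-9]+|[A-Za-z]+' | tr '\n' ' '; }
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print -1, 0 or 1 for a < b, a = b, a > b. Numeric segments compare as
# integers, alphabetic ones lexically, a number outranks letters, and the
# string with segments left over wins.
vercmp() {
  as=$(segments "$1"); bs=$(segments "$2")
  while [ -n "$as" ] && [ -n "$bs" ]; do
    x=${as%% *}; as=${as#* }
    y=${bs%% *}; bs=${bs#* }
    if is_num "$x" && is_num "$y"; then
      [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
      [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    elif is_num "$x"; then printf '%s\n' 1; return
    elif is_num "$y"; then printf '%s\n' -1; return
    else
      [ "$(expr "$x" \< "$y")" = 1 ] && { printf '%s\n' -1; return; }
      [ "$(expr "$x" \> "$y")" = 1 ] && { printf '%s\n' 1; return; }
    fi
  done
  [ -n "$bs" ] && { printf '%s\n' -1; return; }
  [ -n "$as" ] && { printf '%s\n' 1; return; }
  printf '%s\n' 0
}

# $1 = `dnf info` output, $2 = fixed version, $3 = fixed release.
# Succeeds when the offered version-release is at least the fixed one.
offered_is_fixed() {
  ver=$(printf '%s\n' "$1" | awk -F' *: *' '$1 ~ /^Version/ {print $2; exit}')
  rel=$(printf '%s\n' "$1" | awk -F' *: *' '$1 ~ /^Release/ {print $2; exit}')
  c=$(vercmp "$ver" "$2")
  [ "$c" = 0 ] && c=$(vercmp "$rel" "$3")
  [ "$c" -ge 0 ]
}

# Constructed from the `dnf info firefox` output quoted in the thread.
SAMPLE='Name         : firefox
Version      : 131.0
Release      : 2.fc40'

# Fixed build is 131.0.2-1 per the thread; the .fc40 dist tag is assumed.
if offered_is_fixed "$SAMPLE" 131.0.2 1.fc40; then echo "fixed build offered"
else echo "still the vulnerable build; try: sudo dnf upgrade --refresh"; fi
```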

Ah, good to know. Thanks!

Hello,

Mozilla informed about a critical vulnerability that is being exploited in the wild. As far as I know the vulnerability got a score of 9.8 out of 10.0, so it seems very severe.

Now, if I check koji.fedoraproject.org I can see that a new firefox version (131.0.2) was built yesterday. However, today, 24h later, it still is not offered through the update channels for Fedora 40.

Yeah. It’s going to stable now.

So I wonder, how slow or fast are those critical security fixes usually released on Fedora? 24h to fix an exploit that needs no user interaction seems like a long time. I was using the tar.gz from Mozilla directly, but then some folks said: No, don’t use that, it’s not using all the security features, stick to the firefox version that comes with the distribution, this is much more hardened and much safer. Well, if fixes take so long, that point doesn’t seem to make a lot of sense.

It depends.

In general things do not get pushed out until they have had some testing. If it’s broken, the fix is worse than the cure sometimes.

There was a dbus critical security update that we had a long while back that got pushed out super fast and actually broke people’s ability to get the working fixed version after that without manual intervention. ;(

Anyhow, this update is pushing to stable now, should be there in a bit…

5 Likes


already online