F-Droid is featuring various Firefox builds and none of them get updated with critical patches (fast enough). Here’s that -partial- list, in no particular order:
Firefox Klar, ver. 6.1.1 Added on 8/20/18
IceCatMobile, ver. 60.5.1 Added 2/19/19
Fennec F-Droid, ver. 67.0.2 Added 6/6/19
Android Firefox ESR: not available, Mozilla doesn’t build it.
EXTRA: Firefox Lite, ver. 1.4.0 Added 5/1/19
… Actual (GitHub) version: 1.6.2 Added 6/18/19; the only one which actually got patched.
The issue in question:
0-day critical (JavaScript) vulnerability (June 18, 2019), NOT patched in any F-Droid releases, as of June 19, 2019: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
Mozilla Foundation Security Advisory 2019-18
Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1
Announced: June 18, 2019
Impact: critical
Products: Firefox, Firefox ESR
Fixed in: Firefox 67.0.3, Firefox ESR 60.7.1
One article link, “Update Your Firefox Browser, Hackers Are Abusing a Serious Bug”, https://www.pcmag.com/news/369097/update-your-firefox-browser-hackers-are-abusing-a-serious-b
Just btw., I am not affected as I’m using the gHacks (pants) user.js (hosted on GitHub and mirrored on GitLab) config file, which can be injected into a non-rooted Android device using Firefox Developer Tools:
The file is made for desktop Firefox (the way that I use it) and there are redundant/extra settings for Android. I would probably need to add more entries to the list!
(There are settings which break functionality and especially so in the original file, as it’s built for Tor; for privacy and security - and against tracking and fingerprinting.)
EDIT: For example, even though I’m using uBlock Origin (together with Decentraleyes and a few more add-ons), the internal Mozilla blocking systems are left on - so, the browser IS connecting and downloading those -various- blocklists from them; and btw., the user.js does “sanitize” some of those requests - it’s documented in the file.
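An added example, not from this thread or from F-Droid or Mozilla: a small check that compares the F-Droid build versions listed in the post against the "Fixed in" versions from MFSA 2019-18 and reports which builds are still below the patched version. The mapping of each build to a release line (Fennec to the Firefox release channel, IceCatMobile to ESR) is an assumption made for the example; Klar and Firefox Lite are left out because their version numbers do not track the Firefox release line.

```python
# Added example (not from the forum thread): flag F-Droid builds that are
# older than the version an advisory says fixes the issue.
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '67.0.2' into (67, 0, 2); tolerate a trailing qualifier like '60.7.1esr'."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break  # stop at the first non-digit ('esr', 'b1', ...)
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True if installed >= fixed, comparing numerically; missing components count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


# Fixed versions as stated in MFSA 2019-18 (from the post).
ADVISORY_FIXES = {"release": "67.0.3", "esr": "60.7.1"}

# Constructed from the figures quoted in the post; the channel each build
# follows is an assumption made for this example.
FDROID_BUILDS = [
    ("Fennec F-Droid", "67.0.2", "release"),
    ("IceCatMobile", "60.5.1", "esr"),
]


def unpatched_builds(builds=FDROID_BUILDS, fixes=ADVISORY_FIXES):
    """Names of builds whose version is below the advisory's fix for their channel."""
    return [name for name, ver, channel in builds if not is_patched(ver, fixes[channel])]


if __name__ == "__main__":
    for name in unpatched_builds():
        print(f"{name}: below fixed version, advisory MFSA 2019-18 applies")
```

The same comparison can be run against whatever version F-Droid currently serves, so a reader can tell at a glance whether the repository has caught up with an advisory's "Fixed in" line.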
F-Droid is known to have a week or so lag between a new release of an open source app and the time it is available for users. Personally, given that F-Droid is a volunteer driven organization, I accept that extra risk.
I understand the problem if your threat model makes this security risk unacceptable, however it is not fair to blame f-droid contributors if they don’t have the resources to identify, test and deploy near instant updates.
F-Droid should treat browsers as more important than other apps and fix them ASAP (not only this important 0-day).
It’s sad that a WebView/Chromium browser is ATM more secure than Fennec because of slow updates.
Thank you very much for the replies; I apologise if anything in my posts had indicated any sort of hostility!.. Not my intention, at all (!), I get what and how is the whole system.
Speaking of which, may I also mention how STRANGE F-Droid gets - with certain things disabled on the phone… This is what it looks like, it’ll only sometimes load (some) images and apparently randomly to make it more confusing:
Definitely not mobile data… It’s crazy, had to set “Data limit” to 0 B as not to have it auto-activate under certain conditions. No big deal I guess, haven’t been able to figure out what’s blocking and firewalling what.
The real issue is that F-Droid Fennec is lagging behind again, two minor builds: 68.0.1 and 68.0.2
What are we to do, if anybody knows of plans to keep the build cycle up with releases?