Can I get more info on why these are showing up? I’ve never seen such a thing on F-Droid before.

65 points

Fennec and Mull 129.0.2 in F-Droid.org repository have 42 known security issues

Ref: https://forum.f-droid.org/t/fennec-vulnerability-recommended-to-uninstall/

10 points

The issue preventing updates should be resolved soon thanks to @linsui fixing it!

What is wrong with updating?

23 points

it was mentioned in a This Week In F-Droid blog post around September. basically google fucked up an important development library, and any firefox forks (possibly some other apps too) could not be built anymore normally. of course google was unwilling to fix the issue, so linsui (an F-Droid member) fixed the build process somehow, possibly temporarily.

you may ask how is this not a problem for the official release of the firefox app, and my answer is that they probably build this component for themselves, and fixed the problem in house (if they had it at all)

4 points

Right, but that comment that I quoted from the F-Droid forum makes it sound like there is some sort of issue updating to a build with the vulnerability patched. My Mull is on 131.0.3, and I do not remember having an issue updating it.

44 points

There was a critical vulnerability found on Firefox some days ago: CVE-2024-9680. Fennec and Mull are forks of Firefox. They both fixed this issue already in their source code, BUT there is a problem preventing F-Droid from building these updated, fixed versions.

In the case of Mull, you can download the updated version from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/, but if you are currently using the F-Droid version you will need to uninstall it first, since they have different signatures.

32 points

The current version has a critical security vulnerability (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/), but to fix it the new version is compiled against libclang version 27, but Google decided to remove it from Android, so the building pipeline needs to be adjusted.

There’s a long discussion about building the newer version: https://gitlab.com/relan/fennecbuild/-/merge_requests/63

In the meanwhile the app is a security hazard.

24 points

There should really be push notifications around installed apps with known vulns… It’s tracked here: https://forum.f-droid.org/t/vulnerability-warnings-in-f-droid-app/20505

Could someone with a GitLab account open a feature request on the F-Droid repo?

I tried to open an account but it required email + cell phone (it picked up my VoIP number) and a credit card…

EDIT: I generated an RSS feed based off of Mozilla’s known vuln list. If anyone knows of a better way to do this, please let me know!

19 points

Are these two from the same maintainer? If not, considering that they both use Firefox Android as their base, does this mean there is a vulnerability in Firefox Android?

32 points

There was, and it was fixed by the looks of it. Guessing these apps have not urgently pulled the fixes in and released an update, so F-Droid is urging people not to use the apps until they do.

11 points

they pulled the fixes, but couldn’t build because google fucked up the NDK. my other comment has more details

21 points

Yes, there was a remote code execution vulnerability in the CSS engine of Firefox a little while ago. If you’re on desktop version 131 or lower, update to 131.0.3 when possible. I don’t know how the versioning works for the Android versions here…

11 points

173? What happened to firefox versions? We just started the 130s

13 points

shit, whoops. I’ve got memory issues, my bad. Let me fix that rq. Thanks for catching it.

https://nvd.nist.gov/vuln/detail/CVE-2024-9680
