
Update request: all firefox forks (CVE-2024-9680) #347960

Closed
janWilejan opened this issue Oct 11, 2024 · 6 comments

Comments

@janWilejan

  • Package name:
    • librewolf 130.0-3 → 131.0.2-1
    • mullvad-browser 13.5.6 → 13.5.7
    • floorp 11.19.0 → 11.19.1
    • tor-browser 13.5.6 → 13.5.7
  • Latest released version: 131.0.2-1, 13.5.7, 11.19.1, 13.5.7
  • Current version on the unstable channel: 130.0-3, 13.5.6, 11.19.0, 13.5.6
  • Current version on the stable/release channel: 130.0-3, 13.5.6, 11.19.0, 13.5.6

This critical 0-day vulnerability affects all forks of firefox and they all need to be backported to stable nixos.
PRs for tor-browser, mullvad-browser, and librewolf were opened 2 days ago and still aren't available on nixos-24.05 or unstable. Why aren't they available yet?

https://search.nixos.org/packages?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=floorp+librewolf+mullvad-browser

Notify maintainers

@felschr @panicgh @dotlambda @christoph-heiss @mweinelt


Note for maintainers: Please tag this issue in your PR.


Add a 👍 reaction to issues you find important.
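An added example, not code from the issue or from nixpkgs, that turns the version table in the request above into a check a triager can run offline. It approximates Nix's `builtins.compareVersions` rules (numeric components compared as integers, other components lexically, `pre` sorting before everything else; the `.`/`-` separators are not significant) and applies them to the four package/version pairs quoted from the issue. The comparator is an approximation written here, not Nix's own code.

```python
"""Triage helper for a nixpkgs update request: which packages are still behind?

Added example, not part of the issue or of nixpkgs. The comparison rules
approximate builtins.compareVersions; the package/version data is copied
from the issue text.
"""

import re

# Constructed from the issue: package -> (version on the channel, latest released)
UPDATE_REQUEST = {
    "librewolf": ("130.0-3", "131.0.2-1"),
    "mullvad-browser": ("13.5.6", "13.5.7"),
    "floorp": ("11.19.0", "11.19.1"),
    "tor-browser": ("13.5.6", "13.5.7"),
}

# A component is a run of digits or a run of other non-separator characters;
# '.' and '-' only separate components and carry no ordering of their own.
_COMPONENT = re.compile(r"\d+|[^.\-\d]+")


def split_version(version: str) -> list[str]:
    """'131.0.2-1' -> ['131', '0', '2', '1']; '1.0pre' -> ['1', '0', 'pre']."""
    return _COMPONENT.findall(version)


def _component_lt(c1: str, c2: str) -> bool:
    """Nix-style 'less than' for one component (approximation of the real rules)."""
    n1, n2 = c1.isdigit(), c2.isdigit()
    if n1 and n2:
        return int(c1) < int(c2)          # 9 < 10, not '9' > '10'
    if c1 == "" and n2:
        return True                       # '1.0' < '1.0.1' (missing component)
    if c1 == "pre" and c2 != "pre":
        return True                       # '1.0pre' < '1.0'
    if c2 == "pre":
        return False
    if n2:
        return True                       # '2.3a' < '2.3.1': letters sort below numbers
    if n1:
        return False
    return c1 < c2                        # both non-numeric: lexical order ('' < 'a')


def compare_versions(v1: str, v2: str) -> int:
    """Return -1 if v1 < v2, 0 if equal, 1 if v1 > v2, component by component."""
    a, b = split_version(v1), split_version(v2)
    for i in range(max(len(a), len(b))):
        c1 = a[i] if i < len(a) else ""
        c2 = b[i] if i < len(b) else ""
        if _component_lt(c1, c2):
            return -1
        if _component_lt(c2, c1):
            return 1
    return 0


def outdated(request: dict[str, tuple[str, str]]) -> dict[str, tuple[str, str]]:
    """Packages whose channel version is strictly older than the latest release."""
    return {
        name: (current, latest)
        for name, (current, latest) in request.items()
        if compare_versions(current, latest) < 0
    }


if __name__ == "__main__":
    for name, (current, latest) in outdated(UPDATE_REQUEST).items():
        print(f"{name}: {current} -> {latest} still pending")
```

Running the script lists all four packages as pending, which is the state the issue describes for the unstable channel at the time it was opened; once a channel bump lands, updating the first element of each tuple to the version now on the channel makes the corresponding line disappear.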

@felschr
Member

felschr commented Oct 11, 2024

tor-browser & mullvad-browser fixes were already backported: #347595 #347600

@felschr
Member

felschr commented Oct 11, 2024

The issue is that channel updates haven't included them yet: https://status.nixos.org/
That always takes a while.

@janWilejan
Author

I'm new to nix, so I'm not sure what kind of CI gauntlet PRs have to traverse before ending up in stable. I figured that if firefox can make it then so can its siblings.

The issue is that channel updates haven't included them yet: https://status.nixos.org/ That always takes a while.

How long is "a while"?

It's been 2 days since the PRs have been opened. Is >2 days considered a reasonable wait for fixing a critical 0-day that is being exploited in the wild?

@christoph-heiss
Contributor

Backport for Floorp was opened hours after the master PR & both merged minutes after each other: #347716

@felschr
Member

felschr commented Oct 11, 2024

I figured that if firefox can make it then so can its siblings.

The backport for Firefox got merged a bit earlier than those for the other forks, that time was enough to have Firefox included in the last successful Hydra build on 2024-10-10T08:45:02Z that advanced the nixos-24.05 channel.

How long is "a while"?

It depends. Channels only get updated when all required checks succeed, so if one of those break it can be days until the next release. You can see historic channel age on Grafana:
(image: Grafana graph of historic channel age)

It's been 2 days since the PRs have been opened. Is >2 days considered a reasonable wait for fixing a critical 0-day that is being exploited in the wild?

I don't like the current situation either. However, the reproducible nature of Nix probably makes this harder than for most other Linux distros. E.g. if a core library like glibc gets updated pretty much all packages need to be rebuilt.

I haven't really seen a lot of discussion about this topic. Maybe someone else can point us somewhere?

@janWilejan
Author

Closing this as it's been resolved (in nixos-24.05; unstable is still behind). Thank y'all for fixing this. Sorry for being impatient.

I do think it's strange that maintainers aren't able to prioritize builds with important security fixes in Nix.
