"We found a vulnerability..." - eviltoast

Can I get more info on why these are showing up? I’ve never seen such a thing on F-Droid before.

    • SatyrSack@feddit.org
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 month ago

      The issue preventing updates should be resolved soon thanks to @linsui fixing it!

      What is wrong with updating?

      • WhyJiffie@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        22
        ·
        1 month ago

        it was mentioned in a This Week In F-droid blog post around September. basically google fucked up an important development library, and any firefox forks (possibly some other apps too) could not be built anymore normally. of course google was unwilling to fix the issue, so linsui (and F-droid member) fixed the build process somehow, possibly temporarily.

        you may ask how is this not a problem for the official release of the firefox app, and my answer is that they probably build this component for themselves, and fixed the problem in house (if they had it at all)

        • SatyrSack@feddit.org
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          1 month ago

          Right, but that comment that I quoted from the F-Droid forum makes it sound like there is some sort of issue updating to a build with the vulnerability patched. My Mull is on 131.0.3, and I do not remember having an issue updating it.

          • N4CHEM@lemmy.ml
            link
            fedilink
            arrow-up
            11
            ·
            1 month ago

            You’re probably getting your Mull updates via the DivestOS repository, not the official F-Droid repository.

  • N4CHEM@lemmy.ml
    link
    fedilink
    arrow-up
    47
    ·
    edit-2
    1 month ago

    There was a critical vulnerability found on Firefox some days ago: CVE-2024-9680. Fennec and Mull are forks of Firefox. They both fixed this issue already in their source code, BUT there is a problem preventing F-Droid from building these updated, fixed versions.

    In the case of Mull, you can download the updated version from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/, but if you are currently using the F-Droid version you will need to uninstall it first, since they have different signatures.

  • Kajika@lemmy.ml
    link
    fedilink
    arrow-up
    34
    ·
    edit-2
    29 days ago

    The current version has a critical security vulnerability (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/) but to fix it the new version compiled against libclang version 27 but Google decided to remove it from Android so the building pipeline needs to be adjusted.

    There’s a long discussion: https://gitlab.com/relan/fennecbuild/-/merge_requests/63 , about building the newer version

    In the meanwhile the app is a security hazard.

  • mac@lemm.ee
    link
    fedilink
    arrow-up
    25
    ·
    edit-2
    29 days ago

    There should really be push notifications around installed apps with known vulns… Its tracked here: https://forum.f-droid.org/t/vulnerability-warnings-in-f-droid-app/20505

    Could someone with a gitlab account open a feature request on the f droid repo?

    I tried to open an account but it required email + cell phone (it picked up my VoIP number) and a credit card…

    EDIT: I generated an RSS feed based off of Mozilla’s known vuln list. If anyone knows of a better way to do this, please let me know!

  • Quintus@lemmy.ml
    link
    fedilink
    arrow-up
    21
    ·
    1 month ago

    Are these two from the same maintainer? If not, considering that they both use Firefox Android as their base, does this mean there is a vulnerability in Firefox Android?

    • Piwix@lemm.ee
      link
      fedilink
      arrow-up
      35
      ·
      1 month ago

      There was and it was fixed by the looks of it. Guessing these apps have not urgently pulled the fixes in and released an update, so F-droid is urging people not to use the apps until so

      • WhyJiffie@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 month ago

        they pulled the fixes, but couldn’t build because google fucked up the NDK. my other comment has more details

    • kitnaht@lemmy.world
      link
      fedilink
      arrow-up
      20
      ·
      edit-2
      1 month ago

      Yes, there was a remote code execution vulnerability in the CSS engine of firefox a little while ago. If you’re on desktop version 131 or lower, update to 131.0.3 when possible. I don’t know how the versioning works for the Android versions here…

          • Redjard@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            9
            ·
            1 month ago

            Yeah that seems about right.

            I don’t know how the versioning works for the Android versions here…

            Android has the same versions as desktop here, which is why there is no differentiation. The main chunk of firefox is platform independent (and even used in thunderbird too).

            So any firefox android app and fork thereof needs that version 131.0.3+ too (unless it is esr which is 128 currently).

  • DishonestBirb@lemmy.world
    link
    fedilink
    arrow-up
    13
    arrow-down
    4
    ·
    edit-2
    30 days ago

    Uninstalling my primary browser isn’t really a practical solution, what am I supposed to use, Chrome? How about fixing the version they’re shipping? Or should I be looking somewhere other than F-Droid for Android Firefox?

    • cyberwolfie@lemmy.ml
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      30 days ago

      I changed to the Divest-repo for Mull, and they have an updated version that has fixed these security issues.

      ETA: Different signing keys though, so you can’t just update it, but have to reinstall.

    • kazaika@lemmy.world
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      30 days ago

      Theyre the distributor, the dont fix apps and its not their job to do so. Getting the same app from a different source wont change anything

      • Swedneck@discuss.tchncs.de
        link
        fedilink
        arrow-up
        5
        ·
        30 days ago

        huh? no one’s asking them to fix firefox, we’re asking that they just ship the latest version.

        the warning states that several vulnerabilities have been fixed since firefox version 130, f-droid’s latest version of the package is 129: that very much makes it sound like the problem is wholly caused by f-droid not making version 130 available.

        • AlpacaChariot@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          29 days ago

          To ship it they have to work out how to build that version themselves from source though - that’s their whole thing. It’s not like a normal app store where they take pre-built binaries from the developer.

        • kazaika@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          30 days ago

          Well ok if thats the case you are completely right, as long as there isnt some kind of issue and others have already updated the package pushing security fixes asap is indeod important

        • abbenm@lemmy.ml
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          29 days ago

          huh? no one’s asking them to fix firefox, we’re asking that they just ship the latest version.

          Huh to your huh? What’s significant about the latest version, other than that it includes requested fixes? This is 12 of one, a dozen of the other.

              • abbenm@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                29 days ago

                But Firefox good…?

                Yes! They are the most important alternative to major corporate backed browsers, helping sustain a diversified browser ecosystem so that no one company can monopolize the web, and push it toward standards that reinforce their monopoly. Google has tried to lock down the phone, app market, browsing experience that sustains their ad networks, and regularly pushes new standards that de-emphasize things like RSS, and that break ad blocking functionality to sustain their monopoly and invade privacy.

                Firefox reverses or mitigates most of those and are explicitly driven by a mission of sustaining an open web with standards that don’t bend the web to corporate dominance. Google’s cheeky dont be evil mantra was in reference to exactly the things they are doing now, and it’s a little too on the nose to their actual behavior so it’s no longer a slogan of theirs, cheeky or otherwise.

                • Victor@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  28 days ago

                  Exactly my point. I don’t get why there’s a fuss about installing it from the Play Store. Like, why is the Play Store bad, inherently. I’m not saying it isn’t, I’m curious as to why it would be.

              • username@lemm.ee
                link
                fedilink
                Español
                arrow-up
                2
                arrow-down
                1
                ·
                edit-2
                30 days ago

                I think it’s just that normal Firefox has more propietary stuff and more tracking by default

    • abbenm@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      29 days ago

      Or should I be looking somewhere other than F-Droid for Android Firefox?

      FFUpdater, on F-Droid, manages updates for Firefox and other browsers. I counted nine variations of Firefox or forks of Firefox. As well as eight variations of Chromium based browsers that aren’t Chrome. So that’s 17 options.

  • GolfNovemberUniform@lemmy.ml
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    1 month ago

    It doesn’t say anything like that in Droid-ify. I don’t remember any recent reports of vulnerabilities either.

  • Teknikal
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    30 days ago

    I dealt with this on mine yesterday I used a Mozilla account to back up mull settings then uninstalled it and installed the new one from the DivestOS repo.

    Yes it was a nuisance and I was a little annoyed it didn’t keep my extensions but I guess I had to do it if I wanted a browser that wasn’t a risk.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    6
    ·
    edit-2
    1 month ago

    Its a nice feature

    Many apps need security patches from time to time and web browsers tend to need the most security updates outside of the OS.

    As far as security goes please use a up to date browser. I would recommend using the official repo for each of those apps.

      • username@lemm.ee
        link
        fedilink
        Español
        arrow-up
        3
        arrow-down
        2
        ·
        edit-2
        28 days ago

        f-droid got paid by mozilla to add that warning, so that people switch to the normal version of firefox… it’s obvious… /s

        edit: dang not even the /s is enough :{