I know it is difficult to actually read CVEs, you probably have a lot of things to do.

Continuing the discussion from Manjaro stable not safe?:

CVE-2020-15664: Attacker-induced prompt for extension installation

Reporter: Kaizer Soze

Impact: high

Description: By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed.

This is Windows?

Yes, that applied to Windows only.

how?..

How what? It was a problem in the Windows implementation of Firefox.

GNU/Linux is not Microsoft Windows, and doesn’t even have anything in common with said platform. GNU/Linux is a UNIX-family operating system, while Microsoft Windows is a weird concoction, with a VMS-like kernel underneath a graphical user interface that itself still carries lots of legacy with it from MS-DOS and CP/M.

I am not sure that it was a Windows-only issue:

Or I am missing something obvious.

Red Hat specifically mentions

Mozilla: Attacker-induced prompt for extension installation (CVE-2020-15664)

in their security advisory. That doesn’t rule out the possibility that they included it because it was in the upstream changelog (or something), but still.

no maybe where it say windows… :sob:

Well, it doesn't show up in my arch-audit
and … all branches have Firefox 80.

…so what's the issue?

old one say 80 was windows not linux but linux is issue so i read like said

81 too now

And let's also be aware that the CVE in question depends on a number of factors…

  • User must visit malicious website
  • User must have ‘suggest extensions’ enabled
  • Then there is a possibility that you could be offered a malicious extension
  • If user then installs this malicious software … it could be … malicious.

How? So they didn't fix it in 80, even though they said they did?

Well, at least this time we are talking about the same CVE.

no 81 now

https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/

So you mean you are now making the same complaint about Firefox 81, regardless of the CVE you were first referencing?

no complain :sob:

old post say windows linux not, i not saw windows so ask, 81 too is here so ask too

81 is windows not linux

I don't understand you.
Manjaro is a curated rolling release … packages are tested before shipping to stable.
Security biggies are often fast tracked.
Firefox 81 is in all branches except Stable … it was released in Arch less than 4 days ago … with 81.0-2 being released less than 24 hours ago.
Chill out … it will be in stable very soon.
If you can't possibly wait and you want the freshest all the time … just use Unstable Branch.

And you’ve lost me again…

Confusion? What a crock. Sh*t happens when the clueless blindly click on whatever the affirmation button is (yes, accept, continue, etc.) to whatever dialog suddenly appears.

The other thread said the problem was for Windows only and then the thread was closed and I was told to read the CVE so I did and it looks like the CVE was valid for Linux too. So I am asking about the problem here again, because someone closed the thread, maybe they don’t like to ask people about problems? I do not know why. I don’t know if I misunderstand something in the Mozilla page. Other thread also say that security updates released soon, but this is one that wasn’t so that I am asking why again.

Translated with www.DeepL.com/Translator (free version)

why post hidden? what wrong?

You probably write so badly in your mother language that the translator fails. Please, take more time for writing your posts so people get a chance to understand what you mean. Otherwise don’t post anything, because you create confusion and are annoying.
https://wiki.manjaro.org/index.php?title=Forum_Rules#No_Power-Posting.2FEmpty_Posts