Can I get more info on why these are showing up? I've never seen such a thing on F-Droid before.

  • N4CHEM@lemmy.ml
    27 days ago

    There was a critical vulnerability found in Firefox some days ago: CVE-2024-9680. Fennec and Mull are forks of Firefox. They both fixed this issue already in their source code, BUT there is a problem preventing F-Droid from building these updated, fixed versions.

    In the case of Mull, you can download the updated version from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/, but if you are currently using the F-Droid version you will need to uninstall it first, since they have different signatures.

  • Kajika@lemmy.ml
    26 days ago

    The current version has a critical security vulnerability (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/), but to fix it, the new version is compiled against libclang version 27, but Google decided to remove it from Android, so the building pipeline needs to be adjusted.

    There's a long discussion about building the newer version: https://gitlab.com/relan/fennecbuild/-/merge_requests/63

    In the meantime, the app is a security hazard.

  • mac@lemm.ee
    26 days ago

    There should really be push notifications around installed apps with known vulns... It's tracked here: https://forum.f-droid.org/t/vulnerability-warnings-in-f-droid-app/20505

    Could someone with a GitLab account open a feature request on the F-Droid repo?

    I tried to open an account but it required email + cell phone (it picked up my VoIP number) and a credit card....

    EDIT: I generated an RSS feed based off of Mozilla's known vuln list. If anyone knows of a better way to do this, please let me know!

  • Quintus@lemmy.ml
    27 days ago

    Are these two from the same maintainer? If not, considering that they both use Firefox Android as their base, does this mean there is a vulnerability in Firefox Android?

    • Piwix@lemm.ee
      27 days ago

      There was, and it was fixed by the looks of it. Guessing these apps have not urgently pulled the fixes in and released an update, so F-Droid is urging people not to use the apps until they do so.

    • N4CHEM@lemmy.ml
      27 days ago

      You can download an updated version of Mull with the security vulnerability fixed, from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/. If you currently have the F-Droid version of Mull installed you will need to uninstall it first.