7 days ago • 97%

Mull & Fennec Vulnerability

So I went to update my apps and was greeted with these warnings in FDroid. A quick and basic search online and in various communities yielded no news regarding a major compromise in Fennec and Mull, does anyone know more about this or have you seen any news regarding a vulnerability? Curious if this is a false positive or if there is something going on with firefox forks.

21 comments

Mull was fixed in the DivestOS repository as early as October 17th, but to do this you need to add to F-Droid and reinstall Mull.

58
- Or you can install directly from Divest via FFupdater, or from their github (I use Obtainium for that).
  
  10
  
  How do you use obtainium to download from their repo? I'm trying but can't seem to make it work.
  
  5
- Ah phew, was wondering why I hadn't even had the notification.
  
  7
- I get an incompatibility error after adding their repo to FDroid.
  
  1
  
  Signatures are different. Uninstall old FDroid version first
  
  8
It is the recent use after free vuln actively exploited found in FF, which both Fennec and Mull relies as upstream. This compounds on changes made to Android NDK and the source of FF move into the monorepo, making them harder to build. Hence, they're still vulnerable to the attack.

28
- found in Fx*
  
  the source of Fx*
  
  -4
It's still waiting on a repackaging effort

https://gitlab.com/relan/fennecbuild/-/merge_requests/63

Looks like the latest hurdle is that Firefox is relying on some Google-specific variables being present, which fails on AOSP

18
Mull at least has been fixed in the divestOS repo. I can't speak to fennec as I don't use it.

The version in the f-droid main repo is behind because of Mozilla changing their repo system thus screwing with the build process and at least for now currently requiring a compiler that doesn't meet F-Droid's (IMO slightly ridiculous) standards for allowable software.

16
- Thanks! Added their repo and reinstalled. Secure again. 😎
  
  4
☞ https://lemmy.ml/post/21783142

2 of the last 5 posts on !fdroid@lemmy.ml are on this

12
Mull from divestos repo works fine! Use FFupdater to install it or link the fdroid repo to your fdroid

10
Mull is fine if you use the divestos repo directly, but the f-droid version is behind

10
Had the same, promptly uninstalled, didnt find infos.

6
- .
  
  3
  
  True, but the config settings should be good Form the get go, that's the reason the app exitists after all and ublck and noscript are installed fast. But thanks for the tip :)
  
  2
Haven't read so can't tell you but you will find info at https://leminal.space/post/11699480

2

You've viewed 21 comments.