On 10/01/2018 11:24 PM, Keith Lofstrom wrote:
>> Subject: Security ERRATA Moderate: firefox on SL7.x x86_64
>>> This update upgrades Firefox to version 60.2.1 ESR.
>>> ...
>>>  Mozilla: Setting a master password post-Firefox 58 does not delete
>>> unencrypted previously stored passwords (CVE-2018-12383)
> 
> On 10/01/2018 11:01 AM, Keith Lofstrom wrote:
>> This "security fix" wiped out ALL my 130+ saved logins.
> 
> On Mon, Oct 01, 2018 at 11:05:05AM -0500, O'Neal, Miles wrote:
>> I switched to Chrome a while back.  ...
> 
> I'm running ancient 32 bit SL6.10 on the laptops, which
> will get upgraded to SL 7.3 Real Soon Now.  Then I will
> upgrade myself to Chromium, preferred over Chrome because
> complete source is available.
>  
> Meanwhile, I restored 60.2.0.esr firefox from a September
> 25 backup to a test laptop, and the .mozilla user files.
> It's a bit annoying that I must do both.  DELETING user
> files with an update?  That's barbaric.  Nyet Kulturni.
> 
> I added "firefox" to the /etc/sysconfig/yum-autoupdate
> exclusions list.  We'll see how that goes.
> 
> I would be hosed without backups.  I thought I needed
> backups for security and for my bonehead mistakes, not
> for protection from mozilla bonehead programmer mistakes.

I suspect this is an unexpected interaction between Mozilla assuming that NSS
would have updated user db files to the newer sqlite format and RHEL's NSS
library which is still configured to use the old format.  Some more details
are still being worked out in bug reports:

https://bugzilla.redhat.com/show_bug.cgi?id=1633932
https://bugzilla.mozilla.org/show_bug.cgi?id=1475775

Looks like restoring key3.db is all that is needed.  Another fun fact is that
the first time you run 60.2.1 it's okay, but the second time will fail because
it has removed key3.db.


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [log in to unmask]
Boulder, CO 80301                 https://www.nwra.com/
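
The key3.db failure described in this message, as an added shell example that is not part of the original e-mail and not code from Firefox or NSS: it reports whether a profile's saved logins still have a key store, and copies key3.db back from a backup only when none is left. It assumes key4.db is the file name of the newer sqlite key store and that logins.json holds the saved logins; `key_state` and `restore_key3` are hypothetical names.

```shell
#!/bin/sh
# Added example: classify a Firefox profile by which NSS key store it holds.
# Assumptions: key4.db is the newer sqlite key store, key3.db the legacy one,
# and logins.json holds the saved logins that need one of them to decrypt.

key_state() {
    profile=$1
    if [ ! -f "$profile/logins.json" ]; then
        echo "no-saved-logins"
    elif [ -f "$profile/key4.db" ]; then
        echo "sqlite-key-store"
    elif [ -f "$profile/key3.db" ]; then
        echo "legacy-key-store"
    else
        echo "logins-without-key"   # the state reported in this thread
    fi
}

# Copy key3.db back from a backup of the same profile, only when logins.json
# has no key store at all. Never overwrites an existing key3.db or key4.db.
# Returns 1 if no restore is needed, 2 if the backup holds no key3.db.
restore_key3() {
    profile=$1
    backup=$2
    [ "$(key_state "$profile")" = "logins-without-key" ] || return 1
    [ -f "$backup/key3.db" ] || return 2
    cp -p "$backup/key3.db" "$profile/key3.db"
}

# Usage: script.sh PROFILE_DIR [BACKUP_PROFILE_DIR]
if [ "$#" -ge 1 ]; then
    echo "$1: $(key_state "$1")"
    if [ "$#" -ge 2 ] && restore_key3 "$1" "$2"; then
        echo "$1: key3.db restored from $2"
    fi
fi
```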