
126 was released just on 2024-5-14. So the majority of FF users especially those who get FF from a more stable package manager repo.


I'd guess reasonably confidently that the majority of Firefox users are on Windows or Mac, got Firefox from the web, have auto-updates enabled, and are already on 126 (they've had a week to update at this point).

With the exception of LTS releases, if you haven't got Firefox 126 yet because you're on a "stable" package manager, I'd encourage you to promptly download Firefox from mozilla.org (which will come with auto-updates) and uninstall your package manager's insecure version. Given the state of the web and software security, web browsers aren't something you should be delaying updating by a week.


> With the exception of LTS releases, if you haven't got Firefox 126 yet because you're on a "stable" package manager, I'd encourage you to promptly download Firefox from mozilla.org (which will come with auto-updates) and uninstall your package manager's insecure version.

Which distros have this problem? AFAIK Debian-based distros (e.g. Debian, Ubuntu) package Firefox ESR, which is kept up to date with security patches.


At one point I realized Arch's Firefox was greater than a week out of date and I promptly did exactly that. I don't know if it was a regular occurrence or something weird with that release though.


NixOS has this problem a bit. I didn't rebuild my system in a while and my Firefox is really old at this point. Well, time to update my system.


The poster was joking that it looks like there are less than 126 Firefox users


Hahaha, I (OP) am actually a Firefox user myself! So this was I guess just poor writing on my part :(


Given the abundance of desktop Electron apps, it seems maybe irresponsible to publish this blog post (with an advertisement for Codean in the middle (which itself was at least tastefully done)) only 6 days after the fix was released and the CVE was published.

Yes, a fix landed in Firefox, but the vuln is in pdf.js, and now I'm giving the ol' side-eye to the four or five Electron apps I have running.


https://security-tracker.debian.org/tracker/CVE-2024-4367

It's already fixed in Debian stable (firefox-esr version 115).

It's fixed by default in FF 126+. But, as I understand it, older versions, like the one in Debian stable, can be (and are already) patched.



