Mozilla Firefox Version 36 Released with Security Updates

Corrine · February 24, 2015, 07:35:49 PM

Mozilla sent Firefox Version 36.0 to the release channel, with Firefox ESR updated to 31.5. The update includes eight (8) security updates, of which three (3) are identified as critical, two (2) high, two (2) moderate and one (1) low.

A security feature finally incorporated in version 36.0 is full HTTP/2 support. Additional information this change is available in the Mozilla Security Blog, Phase 2: Phasing out Certificates with 1024-bit RSA Keys | Mozilla Security Blog.

Additional information regarding the security fixes and other changes made in this update are available in my blog post here.

To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."

siljaline · February 24, 2015, 08:41:57 PM

Keep in mind Mozilla's Hello chat feature phones home metrics (your personal information) to Mozilla and other undisclosed parties. Inquire via asking how to disable this feature if you do not want to mistakenly use it and allow Firefox to collect more metrics than it already does.

As I remarked elsewhere - Beware of strange men bearing gifts.

siljaline · February 25, 2015, 11:06:21 PM

Alert Alert !! Firefox 36.0 is requesting a Firewall exception I've alerted Mozilla via Twitter and await feedback. For now I am not using the Browser.

ky331 · February 25, 2015, 11:27:02 PM

I received the firewall exception alert on two systems, but not on three others. Not exactly sure what the difference was.

Corrine · February 26, 2015, 02:16:41 AM

After I saw your report about the Windows Firewall, siljaline, I launched FF, checked a couple of links on Bing and didn't get an alert. I also wonder what the difference is.

satrow · February 26, 2015, 03:09:33 AM

I've seen reports of this behaviour for ~12 hours now, just updated FF here and, on restart, it flashed up a 2nd tab with Hello? and a dropdown from the Hello? icon that I'd dragged away from the icon bar before forcing the update - and I got the firewall message - I denied it.

Checking the Advanced *inbound* settings for the firewall, the only Blocked lines are 2 from FF, 1 for Public UDP over all ports, the other for Public TCP over all ports.

Seriously, can Mozilla be trusted anymore, changing my setup (from no Hello? icon to waving it in my face) and expecting full inbound access - too much.

Corrine · February 26, 2015, 03:13:10 AM

I followed the link that siljaline provided in the FF 35 update thread and disabled Hello.

Quote from: siljaline on February 20, 2015, 09:56:55 PM
How do I disable hello ? Note this is a Mozilla Forum suggestion as best answer and should not be construed as officially sanctioned by Mozilla but it gets the job done as Hello is a privacy concern.

https://support.mozilla.org/en-US/questions/1043588

Glad I'm sticking with Pale Moon!

plodr · February 26, 2015, 05:15:31 AM

QuoteGlad I'm sticking with Pale Moon!

Me too!

I do have FF 31 ESR installed on three of the four computers as another "choice".
On the computer that updated to 36, I'll have to see if hello returns. I did block it in v35.

siljaline · February 26, 2015, 07:07:03 AM

I've reverted to FF 35.01 as I don't want any outbound or inbound traffic through the Firewall. I'll take a slightly less secure Browser than one that breaches my firewall. Watch out your Pale Moon users - you might see some mission creep soon. Turn off auto-majic updates across all platforms.

satrow · February 26, 2015, 07:29:23 AM

Quote from: siljaline on February 26, 2015, 07:07:03 AM
Watch out your Pale Moon users - you might see some mission creep soon.

Unlikely - but I'll find out before you do ;)

Corrine · February 26, 2015, 02:27:13 PM

Quote from: satrow on February 26, 2015, 07:29:23 AM
Quote from: siljaline on February 26, 2015, 07:07:03 AM
Watch out your Pale Moon users - you might see some mission creep soon.
Unlikely - but I'll find out before you do ;)

Indeed you will, satrow!

Discussion at mozillazine.org regarding the firewall exception: Which service - fx36 and up - is responsible for SSDP?

Two bug reports that appear to apply: 1086278 – Windows/Mac firewall dialog pops up on startup and 1111967 – Add an option to disable SSDP in Firefox

As to the Firewall exception, I booted a second computer to the partition with Windows 7 (I don't have FF installed on the partition with Windows 10) and didn't get the firewall exception prompt there either.

winchester73 · February 26, 2015, 04:33:46 PM

I haven't gotten it on either 8.1 box :uhm:

plodr · February 26, 2015, 07:26:11 PM

FF 36 on Win 7 Pro 32 bit:
1. no firewall popup
2. Hello stayed off and I also checked about:config as a double-check.

Ghost · February 26, 2015, 09:49:24 PM

Yesterday i updated to Firefox 36 on OEM Win 7 Ultimate 64 bit without windows firewall pop up.
Then changed Hello to false.
No problems here.

DonnaB · February 26, 2015, 11:27:11 PM

I am having issues with FF 36.0. Seems I get a scroll bar at the bottom of the reply box as if Word Wrap is disabled and I have no idea how to fix it. This only happens at Geek To Go and Bleeping Computer which is IP.board software. It does not happen here. So, could it be the forum software at those 2 sites? This is driving me nuts! Reverting back to FF 35.0.1 to see if that will fix it. :angry: