In late December 2015 Mozilla released security updates for Firefox bringing it to version 43.0.2 and Firefox ESR (Extended Support Release) 38.5.2.
At that time the release notes for these updates didn’t reference any further security issues resolved since the previous updates (described in a previous post of mine). The above-mentioned Firefox version numbers were not present in late December. I was aware of these updates but since they didn’t contain further security-related changes I didn’t create a post about them. In future I will need to re-check those pages again in the days following such updates in order to avoid such a delay in posting.
Since that time, the security advisory pages for Firefox and Firefox ESR (linked to below) have been updated to include details of a moderate severity security issue (assigned one CVE number) resolved by these updates. The issue relates to the Network Security Services (NSS) component of Firefox still accepting TLS 1.2 ServerKeyExchange messages with MD5 digital signatures. As discussed here and here, the use of MD5 is discouraged and Mozilla has rectified this issue using these updates.
Full details of the security issues resolved by these updates are available in the following links:
Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, please update it as soon as possible to resolve this security issue.
Note: The most recent version of Firefox 43 at the time of writing is 43.0.4. It has since been updated following the release of 43.0.2. Please ensure you are using the most up-to-date version available. 43.0.4 re-enables SHA-1 certificates for “man-in-the-middle” devices. More details are provided here.
In general, Mozilla Firefox updates install without issues; however, as always, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.