Firefox Version Update

My organization’s web proxy blocks Firefox 78-*.

What would be the best method to update our systems, even if only to 79 or 80?

What brand of OS are you working on? ALMALinux? CentOS? RHEL?

Are you allowed/permitted to download the associated image’s ISO? If so, confirm whether or not the latest ISO (Everything, DVD, whatever) contains the package that your organization would permit. Then execute a mount of the latest ISO into your machine, and manually execute:

dnf update firefox

That’s one way around the issue, but be careful about sneaking around security controls. They are there for a reason, perhaps you just need to speak with your proxy/firewall administrators and explain them the constraints, perhaps they can lift them for a short period of time? Hmm?

AlmaLinux 8.4 (sorry should have specified).

Yes, I have the ability and permission to download the ISO. Firefox 78 is highest version that installs from the ISO on AlmaLinux 8.3 and 8.4 (and the same CentOS versions) or from the public repo @ Index of /almalinux/8.4/AppStream/x86_64/os/Packages/

And just to clarify, I’m not trying to bypass any security instructions. The security team is the one requesting that we move to a version of Firefox other than 78. I just don’t know the best location or repo to install a newer version from.

This makes no sense. Why is your security team requesting you upgrade from v78? Or more specifically, why is anything before v79 blocked? My initial reaction (which may be wrong) is that they are making the mistake of thinking ‘v90.0.2 is the latest, so anything older than v79 wont be permitted because it’s too old’. There may be another reason to block versions 78 and below, but not v79-89, but I can’t think of one off the top of my - admittedly tired - head.

Firefox doesn’t work like that, it has multiple concurrent release channels (ESR/Extended Support Release, Desktop, Beta, Nightly etc). The latest desktop release version is 90.0.2. The latest stable Enterprise/ESR version is 78.12.0, released July 13 2021. As such, version 78 ESR is ‘up to date’, supported, and fully patched. Versions 79, 80 etc are not - they’re old regular desktop (non-ESR) releases and now out of date.

My point being, it’s strange for your org’s web proxy to block a fully up to date and patched ESR version 78, but allow an old, outdated and unpatched version 80 (for example). It’d be worth speaking to the ‘security’ team again and asking them to clarify. The reason Alma/Rocky/CentOS/RHEL ship version 78 is because it’s the latest version of the Enterprise/stable release, and thus suits a similar Enterprise/stable OS.

If anything, it would make more sense for your org to block anything but the latest ESR (i.e. v78) and have their own group/enterprise policies applied to the installs company wide. :man_shrugging:t2: If they insist on you updating, don’t go for ‘even version 79 or 80’ as they’ll contain known vulnerabilities and bugs. Just install the mainline desktop release direct from Mozilla if you must, but first try to stick with the ESR version supplied in the Alma repo.

This seems like a case of the company needing to fix its policy, not a case of the employee needing to run unsupported and vulnerable software to bypass a poorly implemented proxy.

I hear and understand what you’re saying, and I’m in discussions with them concerning this. I don’t want to “bash” on my company, but I wouldn’t mind a bit of re-evaluation around this and other security policies, either.

I can’t comment fully on their reasoning, but my thoughts on why is closer to “there was a vulnerability identified with 78, so block every version 78 and below”. It seems to be as simple and straightforward as that without further analysis or consideration of desktop-vs-nightly-vs-ESR or security patching from Mozilla going into the decision. Changing the user agent string on a given Firefox version allows it to connect through the proxy successfully.

That said, I tried just downloading the latest desktop version, and the tar.gz file download is blocked because it’s considered to be an “un-scanable” file type by my company’s security software. Is there a mirror available that allows downloading of this in a different format? If the solution is removed from AlmaLinux specifically, then this may just be resolved, and I’ll have to look elsewhere.

Hey @smansberger. Have you tried Flatpak? I think that may be an option for you.

You can find out more about Flatpak here:

You can install Flatpak by running dnf install flatpak. Once it is installed, you will need to add the flathub repo there flatpak remote-add --if-not-exists flathub Then you can do a flatpak install firefox. They currently have Firefox 90.0.2 there. Does this help you?

Alternatively, I am glad to download the firefox portable from their site and repack it as a zip file for you.

I was able to install Firefox 90 with flatpak, but it’s running into certificate issues.

Looks like I’ll have to address this internally at my company. I appreciate everyone’s comments and help!

@smansberger I know that you have taken this matter internal to your corporation, but wanted to provide this link for other Firefox version-release archives:

I confirmed a minute ago that the site and url are still valid.

Also, you could perhaps always download the latest/greatest version extract it and then recompress it with a known-trusted compression algorithm that your company’s Cross Domain Solution accepts. Work with your Security Team on that front.

He said he can’t download tar files though.

Well, there is always downloading/extracting and then zipping with gzip. That might work.

@smansberger I’m glad flatpak worked. What are the certificate issues? Maybe we can help.

I’m given a Firefox warning screen with the header “Software is Preventing Firefox From Safely Connecting to This Site”.

The precise error under “Advanced” is MOZILLA_PKIX_ERROR_MITM_DETECTED, which looks to be an issue with Mozilla not picking up the certs on the system?

It does give me the option to allow an exception here, but I suppose that is what I’m trying to avoid.