The current version has a critical security vulnerability (https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/) but to fix it the new version compiled against libclang version 27 but Google decided to remove it from Android so the building pipeline needs to be adjusted.
There was a critical vulnerability found on Firefox some days ago: CVE-2024-9680. Fennec and Mull are forks of Firefox. They both fixed this issue already in their source code, BUT there is a problem preventing F-Droid from building these updated, fixed versions.
In the case of Mull, you can download the updated version from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/, but if you are currently using the F-Droid version you will need to uninstall it first, since they have different signatures.
it was mentioned in a This Week In F-droid blog post around September. basically google fucked up an important development library, and any firefox forks (possibly some other apps too) could not be built anymore normally. of course google was unwilling to fix the issue, so linsui (and F-droid member) fixed the build process somehow, possibly temporarily.
you may ask how is this not a problem for the official release of the firefox app, and my answer is that they probably build this component for themselves, and fixed the problem in house (if they had it at all)
Uninstalling my primary browser isn't really a practical solution, what am I supposed to use, Chrome? How about fixing the version they're shipping? Or should I be looking somewhere other than F-Droid for Android Firefox?
huh? no one's asking them to fix firefox, we're asking that they just ship the latest version.
the warning states that several vulnerabilities have been fixed since firefox version 130, f-droid's latest version of the package is 129: that very much makes it sound like the problem is wholly caused by f-droid not making version 130 available.
Or should I be looking somewhere other than F-Droid for Android Firefox?
FFUpdater, on F-Droid, manages updates for Firefox and other browsers. I counted nine variations of Firefox or forks of Firefox. As well as eight variations of Chromium based browsers that aren't Chrome. So that's 17 options.
Are these two from the same maintainer? If not, considering that they both use Firefox Android as their base, does this mean there is a vulnerability in Firefox Android?
There was and it was fixed by the looks of it. Guessing these apps have not urgently pulled the fixes in and released an update, so F-droid is urging people not to use the apps until so
Yes, there was a remote code execution vulnerability in the CSS engine of firefox a little while ago. If you're on desktop version 131 or lower, update to 131.0.3 when possible. I don't know how the versioning works for the Android versions here...
You can download an updated version of Mull with the security issue fixed, from the DivestOS F-Droid repository: https://divestos.org/fdroid/official/. If you currently have the F-Droid version of Mull installed you will need to uninstall it first.