Package: firefox-esr

Version: 91


 Hi !


 Since I read the firefox 91 have some serious bug/vuln issues


 I perform an update on my system


:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only give me the 91.13.0esr version

 If I take a look on the site[1] the 91.13.0esr version is vulnerable



[1]https://www.debian.org/security/2022/dsa-5259


 Also I see in this other site more info:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions     

>= 105.0
>= 102.3.0


An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main




In resume the update system can not delivery a safe version or a newer version of firefox-esr



Thanks in advance for your time and for the time you take to solve this issue


Cheers