Package: firefox-esr
Version: 91
Hi!
Since I read that Firefox 91 has some serious bug/vuln issues,
I performed an update on my system
:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.
Ready to upgrade firefox
$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.
I noticed the update only gives me the 91.13.0esr version
If I take a look at the site [1], the 91.13.0esr version is vulnerable
[1] https://www.debian.org/security/2022/dsa-5259
I also see more info on this other site:
https://security.gentoo.org/glsa/202209-27
References
CVE-2022-40956
CVE-2022-40957
CVE-2022-40958
CVE-2022-40959
CVE-2022-40960
CVE-2022-40962
Affected versions
< 105.0
< 102.3.0
Unaffected versions
>= 105.0
>= 102.3.0
An extra check of the sources.list
$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
In summary, the update system cannot deliver a safe version or a newer version of firefox-esr
Thanks in advance for your time and for the time you take to solve this issue
Cheers
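
An added example, not part of the original report: a small check of the two things the output above shows, namely which suites are active in the sources.list and whether the installed firefox-esr version is below the 102.3.0 threshold from the quoted advisory. The function names and the temporary sample file are assumptions made for illustration; the sample content and version strings are taken from the report.

```shell
#!/bin/sh
# Added example, not part of the original report. Function names are hypothetical.

# Print the suite of every active (uncommented) one-line "deb" entry.
active_suites() {
    awk '$1 == "deb" {
        i = 2
        # skip an optional [option=value ...] group before the URI
        if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }
        print $(i + 1)
    }' "$1"
}

# True if suite $2 is active in sources file $1.
has_suite() { active_suites "$1" | grep -qxF -- "$2"; }

# True if the upstream part of Debian version $1 is lower than $2.
# Compares dotted numeric fields only; a suffix such as "esr" is ignored.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Constructed sample: the sources.list from the report, one entry per line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

INSTALLED="91.13.0esr-1~deb11u1"   # version reported by apt-get in the report
FIXED="102.3.0"                    # ESR threshold from the quoted advisory

has_suite "$SAMPLE" chimaera-security || echo "chimaera-security is not enabled"
version_lt "$INSTALLED" "$FIXED" && echo "$INSTALLED is below $FIXED"
```

On a real system, pass /etc/apt/sources.list instead of the sample file and take the installed version from `dpkg-query -W -f='${Version}' firefox-esr`.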