Author: onefang
Date:
To: devuan-dev
Subject: Re: [devuan-dev] bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
On 2022-10-20 04:29:10, Alter Kim wrote:
>    Package: firefox-esr
>    Version: 91
>
>     Hi!
>     Since I read that firefox 91 has some serious bug/vuln issues,
>     I performed an update on my system
>    :~$sudo apt update
>    Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
>    Fetched 33.5 kB in 3s (9,913 B/s)  
>    Reading package lists... Done
>    Building dependency tree... Done
>    Reading state information... Done
>    80 packages can be upgraded. Run 'apt list --upgradable' to see them.
>    Ready to upgrade firefox
>    $ sudo apt-get install firefox-esr
>    Reading package lists... Done
>    Building dependency tree... Done
>    Reading state information... Done
>    firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
>    firefox-esr set to manually installed.
>    I notice the update only gives me the 91.13.0esr version
>     If I take a look at the site [1], the 91.13.0esr version is vulnerable
>    [1]https://www.debian.org/security/2022/dsa-5259
>     Also I see in this other site more info:
>    https://security.gentoo.org/glsa/202209-27
>    References
>        CVE-2022-40956
>        CVE-2022-40957
>        CVE-2022-40958
>        CVE-2022-40959
>        CVE-2022-40960
>        CVE-2022-40962
>    Affected versions
>     < 105.0
>     < 102.3.0
>
>    Unaffected versions
>     >= 105.0
>     >= 102.3.0
>
>    An extra check in the sources.list
>
>    $ cat /etc/apt/sources.list
>    # Package repositories
>    deb http://deb.devuan.org/merged chimaera main  
>    #deb http://deb.devuan.org/merged chimaera-updates main  
>    #deb http://deb.devuan.org/merged chimaera-security main  
>    #deb http://deb.devuan.org/merged chimaera-backports main
>
>    In summary, the update system cannot deliver a safe version or a newer
>    version of firefox-esr
>
>     Thanks in advance for your time and for the time you take to solve this
>    issue
>
>     Cheers


Odd, I did that update on Chimaera a couple of hours ago, and got
firefox-esr amd64 102.4.0esr-1~deb11u1 fine.

Maybe you hit a mirror while it was in the middle of updating? Try again?

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
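
An added example (not part of either message and not Devuan project code): a POSIX shell check that lists the suites active in a sources.list and compares an installed firefox-esr version with the 102.3.0 threshold quoted in the report. The sample file is constructed from the quoted sources.list, the function names are hypothetical, and the comparison looks only at the upstream numeric part (on a real system `dpkg --compare-versions` does the full Debian comparison).

```shell
#!/bin/sh
# Added example. SAMPLE is constructed from the sources.list quoted above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

# Print the suite of every active (uncommented) one-line "deb" entry.
active_suites() {
  awk '$1 == "deb" {
    i = 2
    if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }  # skip [options]
    print $(i + 1)
  }' "$1"
}

# suite_active FILE SUITE: succeed if SUITE has an active entry in FILE.
suite_active() { active_suites "$1" | grep -qx -- "$2"; }

# Leading numeric upstream part, e.g. 91.13.0esr-1~deb11u1 -> 91.13.0
upstream() { printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/'; }

# version_ge A B: succeed if upstream(A) >= upstream(B), field by field.
version_ge() {
  awk -v a="$(upstream "$1")" -v b="$(upstream "$2")" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# audit FILE RELEASE INSTALLED THRESHOLD (all four are caller-supplied).
audit() {
  rc=0
  suite_active "$1" "$2-security" || { echo "no active $2-security entry"; rc=1; }
  version_ge "$3" "$4" || { echo "installed $3 is below $4"; rc=1; }
  return "$rc"
}

audit "$SAMPLE" chimaera 91.13.0esr-1~deb11u1 102.3.0 || echo "audit: FAIL"
```

Run against the real `/etc/apt/sources.list` and the version string printed by `apt-get`, both messages in the sample run would need to disappear before the package can be considered at or above the quoted threshold.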