[devuan-dev] bug#719: marked as done (Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version )

Author: Devuan bug Tracking System
Date:
To: Mark Hindley
Subject: [devuan-dev] bug#719: marked as done (Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version )

Your message dated Thu, 20 Oct 2022 09:26:17 +0100
with message-id <Y1EGKQTXJhLGNqp9@???>
and subject line Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
has caused the Devuan bug report #719,
regarding Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)

--
719: https://bugs.devuan.org/cgi/bugreport.cgi?bug=719
Devuan Bug Tracking System
Contact owner@??? with problems
Package: firefox-esr

Version: 91


 Hi !


 Since I read the firefox 91 have some serious bug/vuln issues


 I perform an update on my system


:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only give me the 91.13.0esr version

 If I take a look on the site[1] the 91.13.0esr version is vulnerable



[1]https://www.debian.org/security/2022/dsa-5259


 Also I see in this other site more info:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions

>= 105.0
>= 102.3.0

An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main

In resume the update system can not delivery a safe version or a newer version of firefox-esr

Thanks in advance for your time and for the time you take to solve this issue

Cheers

Alter,

On Thu, Oct 20, 2022 at 07:09:19AM +0000, Alter Kim wrote:
> Hi Mark; > Yes, I have the security in my source list.

>
> ( But Is need it to remove the # to make it works, if other user(s) > don't remove that character the update to new versions of firefox can > not be deliverd )

Well, not really if it is commented out.

Anyway, I am glad it works as expected when security is enabled.

> Can be possible to add the newest package of firefox to the deb > http://deb.devuan.org/merged chimaera main ??,please

When Debian does the next stable point release, I expect that will happen.

Mark

This message is part of the following thread:
	the complete thread tree sorted by date

Donate to Dyne.org