Your message dated Thu, 20 Oct 2022 09:26:17 +0100
with message-id <Y1EGKQTXJhLGNqp9@???>
and subject line Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
has caused the Devuan bug report #719,
regarding Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)
--
719:
https://bugs.devuan.org/cgi/bugreport.cgi?bug=719
Devuan Bug Tracking System
Contact owner@??? with problems
Package: firefox-esr
Version: 91
Hi !
Since I read the firefox 91 have some serious bug/vuln issues
I perform an update on my system
:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.
Ready to upgrade firefox
$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.
I notice the update only give me the 91.13.0esr version
If I take a look on the site[1] the 91.13.0esr version is vulnerable
[1]https://www.debian.org/security/2022/dsa-5259
Also I see in this other site more info:
https://security.gentoo.org/glsa/202209-27
References
CVE-2022-40956
CVE-2022-40957
CVE-2022-40958
CVE-2022-40959
CVE-2022-40960
CVE-2022-40962
Affected versions
< 105.0
< 102.3.0
Unaffected versions
>= 105.0
>= 102.3.0
An extra check in the sources.list
$ cat /etc/apt/sources.list
# Package repositories
deb
http://deb.devuan.org/merged chimaera main
#deb
http://deb.devuan.org/merged chimaera-updates main
#deb
http://deb.devuan.org/merged chimaera-security main
#deb
http://deb.devuan.org/merged chimaera-backports main
In resume the update system can not delivery a safe version or a newer version of firefox-esr
Thanks in advance for your time and for the time you take to solve this issue
Cheers
Alter,
On Thu, Oct 20, 2022 at 07:09:19AM +0000, Alter Kim wrote:
> Hi Mark;
> Yes, I have the security in my source list.
>
> ( But Is need it to remove the # to make it works, if other user(s)
> don't remove that character the update to new versions of firefox can
> not be deliverd )
Well, not really if it is commented out.
Anyway, I am glad it works as expected when security is enabled.
> Can be possible to add the newest package of firefox to the deb
> http://deb.devuan.org/merged chimaera main ??,please
When Debian does the next stable point release, I expect that will happen.
Mark