Hi Alter,
as you can see in the output of the following command, firefox 91 is
part of the main distribution. You should enable the security updates to
get the new firefox:

# apt-cache show firefox-esr
Package: firefox-esr
Version: 102.4.0esr-1~deb11u1
Installed-Size: 220256
Maintainer: Maintainers of Mozilla-related packages
<team+pkg-mozilla@???>
Architecture: amd64
Provides: gnome-www-browser, www-browser
Depends: libasound2 (>= 1.0.16), libatk1.0-0 (>= 1.12.4), libc6 (>=
2.30), libcairo-gobject2 (>= 1.10.0), libcairo2 (>= 1.10.0), libdbus-1-3
(>= 1.9.14), libdbus-glib-1-2 (>= 0.78), libevent-2.1-7 (>=
2.1.8-stable), libffi7 (>= 3.3~20180313), libfontconfig1 (>= 2.12.6),
libfreetype6 (>= 2.10.1), libgcc-s1 (>= 4.0), libgdk-pixbuf-2.0-0 (>=
2.22.0), libglib2.0-0 (>= 2.37.3), libgtk-3-0 (>= 3.13.7),
libpango-1.0-0 (>= 1.14.0), libstdc++6 (>= 9), libvpx6 (>= 1.8.0),
libx11-6, libx11-xcb1 (>= 2:1.7.2), libxcb-shm0, libxcb1, libxcomposite1
(>= 1:0.4.5), libxdamage1 (>= 1:1.1), libxext6, libxfixes3, libxrandr2
(>= 2:1.4.0), libxtst6, zlib1g (>= 1:1.2.11.dfsg), fontconfig, procps,
debianutils (>= 1.16)
Breaks: xul-ext-torbutton
Recommends: libavcodec59 | libavcodec-extra59 | libavcodec58 |
libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 |
libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 |
libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Description-en: Mozilla Firefox web browser - Extended Support Release (ESR)
Firefox ESR is a powerful, extensible web browser with support for modern
web application technologies.
Description-md5: 88ee196fd829d9218a763b4d498a6f6a
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 |
libkrb53, libcanberra0, pulseaudio
Section: web
Priority: optional
Filename:
pool/DEBIAN-SECURITY/updates/main/f/firefox-esr/firefox-esr_102.4.0esr-1~deb11u1_amd64.deb
Size: 59947360
SHA256: 22fdda4bd485b4af7d1b9fd93e6da6c00ab6e4f0c35020b71ce224151436ae85

Package: firefox-esr
Version: 91.13.0esr-1~deb11u1
Installed-Size: 212318
Maintainer: Maintainers of Mozilla-related packages
<team+pkg-mozilla@???>
Architecture: amd64
Provides: gnome-www-browser, www-browser
Depends: libatk1.0-0 (>= 1.12.4), libc6 (>= 2.30), libcairo-gobject2 (>=
1.10.0), libcairo2 (>= 1.10.0), libdbus-1-3 (>= 1.9.14),
libdbus-glib-1-2 (>= 0.78), libevent-2.1-7 (>= 2.1.8-stable), libffi7
(>= 3.3~20180313), libfontconfig1 (>= 2.12.6), libfreetype6 (>= 2.10.1),
libgcc-s1 (>= 4.0), libgdk-pixbuf-2.0-0 (>= 2.22.0), libglib2.0-0 (>=
2.37.3), libgtk-3-0 (>= 3.9.14), libpango-1.0-0 (>= 1.14.0), libstdc++6
(>= 9), libvpx6 (>= 1.8.0), libx11-6, libx11-xcb1 (>= 2:1.7.2),
libxcb-shm0, libxcb1, libxcomposite1 (>= 1:0.4.5), libxdamage1 (>=
1:1.1), libxext6, libxfixes3, libxrender1, zlib1g (>= 1:1.2.11.dfsg),
fontconfig, procps, debianutils (>= 1.16)
Breaks: xul-ext-torbutton
Recommends: libavcodec58 | libavcodec-extra58 | libavcodec57 |
libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 |
libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 |
libavcodec-extra53
Description-en: Mozilla Firefox web browser - Extended Support Release (ESR)
Firefox ESR is a powerful, extensible web browser with support for modern
web application technologies.
Description-md5: 88ee196fd829d9218a763b4d498a6f6a
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 |
libkrb53, libcanberra0, pulseaudio
Tag: implemented-in::c++, interface::graphical, interface::x11,
network::client, privacy::non-free-addons, privacy::non-free-service,
protocol::ftp, protocol::http, role::program, scope::application,
suite::mozilla, uitoolkit::gtk, use::browsing, web::browser,
works-with-format::html, x11::application
Section: web
Priority: optional
Filename:
pool/DEBIAN/main/f/firefox-esr/firefox-esr_91.13.0esr-1~deb11u1_amd64.deb
Size: 58441116
MD5sum: 52b9ee27e89ec41f9c59cce83fbe903a
SHA256: 49bafc7e12bb04f274bd842f595db6d4776757d8c538d5c7620c9d7bdbbc5c92

On 20/10/22 06:29, Alter Kim wrote:
> Package: firefox-esr
> Version: 91
>
>
> Hi !
>
>
> Since I read that firefox 91 has some serious bug/vuln issues
>
> I performed an update on my system
>
>
> :~$sudo apt update
> Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
> Fetched 33.5 kB in 3s (9,913 B/s)
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> 80 packages can be upgraded. Run 'apt list --upgradable' to see them.
>
>
> Ready to upgrade firefox
>
> $ sudo apt-get install firefox-esr
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
> firefox-esr set to manually installed.
>
>
> I notice the update only gives me the 91.13.0esr version
>
> If I take a look at the site[1], the 91.13.0esr version is vulnerable
>
>
>
> [1]https://www.debian.org/security/2022/dsa-5259
>
>
> Also I see in this other site more info:
>
> https://security.gentoo.org/glsa/202209-27
>
>
> References
>
> CVE-2022-40956
> CVE-2022-40957
> CVE-2022-40958
> CVE-2022-40959
> CVE-2022-40960
> CVE-2022-40962
>
> /Affected versions /
> < 105.0
> < 102.3.0
>
> /Unaffected versions /
> >= 105.0
> >= 102.3.0
>
>
> An extra check in the sources.list
>
> $ cat /etc/apt/sources.list
> # Package repositories
> deb http://deb.devuan.org/merged chimaera main
> #deb http://deb.devuan.org/merged chimaera-updates main
> #deb http://deb.devuan.org/merged chimaera-security main
> #deb http://deb.devuan.org/merged chimaera-backports main
>
>
>
>
> In summary, the update system cannot deliver a safe version or a newer
> version of firefox-esr
>
>
>
> Thanks in advance for your time and for the time you take to solve
> this issue
>
>
> Cheers
>
>
> _______________________________________________
> devuan-dev internal mailing list
> devuan-dev@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev
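
Added example, not part of the original messages: a small check that lists the base suites in a sources.list with no matching "<suite>-security" line enabled, which is the situation in the quoted file. The function name audit_sources and the temporary file are assumptions made for illustration; the sample input is the sources.list quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): list base suites in an APT
# sources.list that have no "<suite>-security" entry enabled.

# audit_sources FILE
# Prints "<suite>: <suite>-security not enabled" for each such suite.
audit_sources() {
    awk '
        # Only active binary entries count; "#deb ..." has $1 == "#deb".
        $1 != "deb" { next }
        {
            i = 2
            # Skip an optional "[opt=val ...]" field group before the URI.
            if ($i ~ /^\[/) {
                while ($i !~ /\]$/ && i < NF) i++
                i++
            }
            suite = $(i + 1)
            if (suite == "") next          # malformed line, no suite field
            enabled[suite] = 1
            if (suite !~ /-(security|updates|backports)$/) base[suite] = 1
        }
        END {
            for (s in base) {
                want = s "-security"
                if (!(want in enabled))
                    print s ": " want " not enabled"
            }
        }
    ' "$1" | sort
}

# Constructed sample input: the sources.list quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

audit_sources "$sample"
rm -f "$sample"
```

An empty result means every base suite in the file has its security suite enabled; after uncommenting the chimaera-security line, `apt update` makes the 102.4.0esr candidate shown in the apt-cache output installable.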