Author: Antonio Rendina
Date:  
To: devuan-dev
Subject: Re: [devuan-dev] bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Hi Alter,

as you can see in the output of the following command, firefox 91 is
part of the main distribution. You should enable the security updates to
get the new firefox:

# apt-cache show firefox-esr
Package: firefox-esr
Version: 102.4.0esr-1~deb11u1
Installed-Size: 220256
Maintainer: Maintainers of Mozilla-related packages
<team+pkg-mozilla@???>
Architecture: amd64
Provides: gnome-www-browser, www-browser
Depends: libasound2 (>= 1.0.16), libatk1.0-0 (>= 1.12.4), libc6 (>=
2.30), libcairo-gobject2 (>= 1.10.0), libcairo2 (>= 1.10.0), libdbus-1-3
(>= 1.9.14), libdbus-glib-1-2 (>= 0.78), libevent-2.1-7 (>=
2.1.8-stable), libffi7 (>= 3.3~20180313), libfontconfig1 (>= 2.12.6),
libfreetype6 (>= 2.10.1), libgcc-s1 (>= 4.0), libgdk-pixbuf-2.0-0 (>=
2.22.0), libglib2.0-0 (>= 2.37.3), libgtk-3-0 (>= 3.13.7),
libpango-1.0-0 (>= 1.14.0), libstdc++6 (>= 9), libvpx6 (>= 1.8.0),
libx11-6, libx11-xcb1 (>= 2:1.7.2), libxcb-shm0, libxcb1, libxcomposite1
(>= 1:0.4.5), libxdamage1 (>= 1:1.1), libxext6, libxfixes3, libxrandr2
(>= 2:1.4.0), libxtst6, zlib1g (>= 1:1.2.11.dfsg), fontconfig, procps,
debianutils (>= 1.16)
Breaks: xul-ext-torbutton
Recommends: libavcodec59 | libavcodec-extra59 | libavcodec58 |
libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 |
libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 |
libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Description-en: Mozilla Firefox web browser - Extended Support Release (ESR)
Firefox ESR is a powerful, extensible web browser with support for modern
web application technologies.
Description-md5: 88ee196fd829d9218a763b4d498a6f6a
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 |
libkrb53, libcanberra0, pulseaudio
Section: web
Priority: optional
Filename:
pool/DEBIAN-SECURITY/updates/main/f/firefox-esr/firefox-esr_102.4.0esr-1~deb11u1_amd64.deb
Size: 59947360
SHA256: 22fdda4bd485b4af7d1b9fd93e6da6c00ab6e4f0c35020b71ce224151436ae85

Package: firefox-esr
Version: 91.13.0esr-1~deb11u1
Installed-Size: 212318
Maintainer: Maintainers of Mozilla-related packages
<team+pkg-mozilla@???>
Architecture: amd64
Provides: gnome-www-browser, www-browser
Depends: libatk1.0-0 (>= 1.12.4), libc6 (>= 2.30), libcairo-gobject2 (>=
1.10.0), libcairo2 (>= 1.10.0), libdbus-1-3 (>= 1.9.14),
libdbus-glib-1-2 (>= 0.78), libevent-2.1-7 (>= 2.1.8-stable), libffi7
(>= 3.3~20180313), libfontconfig1 (>= 2.12.6), libfreetype6 (>= 2.10.1),
libgcc-s1 (>= 4.0), libgdk-pixbuf-2.0-0 (>= 2.22.0), libglib2.0-0 (>=
2.37.3), libgtk-3-0 (>= 3.9.14), libpango-1.0-0 (>= 1.14.0), libstdc++6
(>= 9), libvpx6 (>= 1.8.0), libx11-6, libx11-xcb1 (>= 2:1.7.2),
libxcb-shm0, libxcb1, libxcomposite1 (>= 1:0.4.5), libxdamage1 (>=
1:1.1), libxext6, libxfixes3, libxrender1, zlib1g (>= 1:1.2.11.dfsg),
fontconfig, procps, debianutils (>= 1.16)
Breaks: xul-ext-torbutton
Recommends: libavcodec58 | libavcodec-extra58 | libavcodec57 |
libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 |
libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 |
libavcodec-extra53
Description-en: Mozilla Firefox web browser - Extended Support Release (ESR)
Firefox ESR is a powerful, extensible web browser with support for modern
web application technologies.
Description-md5: 88ee196fd829d9218a763b4d498a6f6a
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 |
libkrb53, libcanberra0, pulseaudio
Tag: implemented-in::c++, interface::graphical, interface::x11,
network::client, privacy::non-free-addons, privacy::non-free-service,
protocol::ftp, protocol::http, role::program, scope::application,
suite::mozilla, uitoolkit::gtk, use::browsing, web::browser,
works-with-format::html, x11::application
Section: web
Priority: optional
Filename:
pool/DEBIAN/main/f/firefox-esr/firefox-esr_91.13.0esr-1~deb11u1_amd64.deb
Size: 58441116
MD5sum: 52b9ee27e89ec41f9c59cce83fbe903a
SHA256: 49bafc7e12bb04f274bd842f595db6d4776757d8c538d5c7620c9d7bdbbc5c92


On 20/10/22 06:29, Alter Kim wrote:
> Package: firefox-esr
> Version: 91
>
>
>  Hi !
>
>
>  Since I read that firefox 91 has some serious bug/vuln issues
>
>  I performed an update on my system
>
>
> :~$sudo apt update
> Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
> Fetched 33.5 kB in 3s (9,913 B/s)
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> 80 packages can be upgraded. Run 'apt list --upgradable' to see them.
>
>
> Ready to upgrade firefox
>
> $ sudo apt-get install firefox-esr
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
> firefox-esr set to manually installed.
>
>
> I notice the update only gives me the 91.13.0esr version
>
>  If I take a look at the site [1], the 91.13.0esr version is vulnerable
>
>
>
> [1]https://www.debian.org/security/2022/dsa-5259
>
>
>  Also I see in this other site more info:
>
> https://security.gentoo.org/glsa/202209-27
>
>
> References
>
>     CVE-2022-40956
>     CVE-2022-40957
>     CVE-2022-40958
>     CVE-2022-40959
>     CVE-2022-40960
>     CVE-2022-40962
>
> /Affected versions       /
>  < 105.0
>  < 102.3.0
>
> /Unaffected versions     /
>  >= 105.0
>  >= 102.3.0
>
>
> An extra check in the sources.list
>
> $ cat /etc/apt/sources.list
> # Package repositories
> deb http://deb.devuan.org/merged chimaera main
> #deb http://deb.devuan.org/merged chimaera-updates main
> #deb http://deb.devuan.org/merged chimaera-security main
> #deb http://deb.devuan.org/merged chimaera-backports main
>
>
>
>
> In summary, the update system cannot deliver a safe version or a newer
> version of firefox-esr
>
>
>
>  Thanks in advance for your time and for the time you take to solve
> this issue
>
>
>  Cheers
>
>
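
Added example, not part of the original messages: a POSIX shell check for the condition discussed in this thread, where the -security and -updates suites are commented out and apt only sees the version in the base suite. It assumes one-line "deb" entries (not deb822 .sources files); the function names are illustrative and the sample file is constructed from the sources.list quoted above.

```shell
#!/bin/sh
# Added example: audit an APT sources list for the suites that carry fixes.

# active_suites FILE: print the suite of every enabled one-line "deb" entry.
# Commented-out lines and deb-src entries are ignored; an optional
# [option ...] block between "deb" and the URI is skipped.
active_suites() {
    awk '
        /^[[:space:]]*#/ { next }            # commented out, so not active
        $1 == "deb" {
            i = 2
            if ($i ~ /^\[/) {                # skip the bracketed option block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if (i + 1 <= NF) print $(i + 1)  # field i is the URI, i+1 the suite
        }
    ' "$1" | sort -u
}

# missing_suites FILE CODENAME: print which of CODENAME-security and
# CODENAME-updates are not enabled (empty output means both are present).
missing_suites() {
    file=$1
    codename=$2
    missing=""
    enabled=$(active_suites "$file")
    for suite in "$codename-security" "$codename-updates"; do
        printf '%s\n' "$enabled" | grep -qxF -- "$suite" || missing="$missing $suite"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the sources.list shown in the quoted report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

echo "enabled: $(active_suites "$sample" | tr '\n' ' ')"
echo "missing: $(missing_suites "$sample" chimaera)"
```

On a real system, pass /etc/apt/sources.list instead of the sample; `apt-cache policy firefox-esr` then shows which suite the candidate version comes from.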