Re: [SECURITY] [DSA 810-1] New Mozilla packages fix several vulnerabilities
Matthew Garrett <email@example.com> wrote:
> (From debian-security-announce)
> Martin Schulze <firstname.lastname@example.org> wrote:
>> Several problems have been discovered in Mozilla, the we browser of
>> the Mozilla suite. Since the usual praxis of backporting apparently
>> does not work for this package, this update is basically version
>> 1.7.10 with the version number rolled back, and hence still named
>> 1.7.8. The Common Vulnerabilities and Exposures project identifies
>> the following problems:
> Hmm. Is this really a good idea? I can see that the Mozilla developers
> give us no real option other than to ship a newer version, but if that's
> what we're doing then changing the version number back seems a bit odd.
I guess the reason for labeling this as 1.7.8 is stuff like this:
Depends: mozilla-mailnews (>= 2:1.7.8), mozilla-mailnews (<< 2:220.127.116.11)
Mozilla often breaks the extension ABI, which is why extensions'
dependencies are conservative, requiring rebuilding against new
mozilla for every new upstream.
Mozilla 1.7.10 is (supposed to be) ABI compatibel with 1.7.8,
and labeling this as "1.7.8" works around the need to recompile every
single extension package.
cu and- no idea whether "with the version number rolled back"
only refers to the Debian package version or the actual
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"