Debian testing/unstable users: beware of Firefox critical CVEs
Hello everyone,
Given our current time_t transition happening, which means packages are blocked
from migrating to testing for weeks, and that unstable updates have become
harder to apply, two critical CVE fixes for Firefox became impossible to get it
through the official repositories:
https://security-tracker.debian.org/tracker/CVE-2024-29943
https://security-tracker.debian.org/tracker/CVE-2024-29944
https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/
The most serious one, CVE-2024-29943, is said to achieve remote code execution
but it does not affect firefox-esr, only firefox.
I'm sending this to d-devel because there should be a lot of testing and
unstable users on this list. If you're not running firefox 124.0.1 or
firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.
One valid workaround seems to be installing Firefox from Mozilla's repo:
https://support.mozilla.org/en-US/kb/install-firefox-linux
It might be a good time to remember that unstable and testing are not
officially supported releases (as their name suggests), so issues like this do
happen from time to time.
In a recent case, the issue was addressed by performing a
testing-proposed-update of the package. This would allow firefox-esr to be
fixed on testing before the transition is over, but it would not work for those
installing the firefox package from unstable on a testing machine (since
there's no firefox package on testing, just firefox-esr).
I hope this is useful to those who are not aware of the issue yet.
Cheers,
--
Samuel Henrique <samueloph>
Reply to: