
Bug#683428: release-notes: security status of web browsers in wheezy

On Tue, Jul 31, 2012 at 08:38:55PM +0200, Julien Cristau wrote:
> Package: release-notes
> Severity: important
> Tags: wheezy help
> X-Debbugs-Cc: team@security.debian.org, webkit@packages.debian.org, chromium-browser@packages.debian.org, iceweasel@packages.debian.org
> The squeeze release notes had a 'security status of web browsers'
> (http://www.debian.org/releases/squeeze/amd64/release-notes/ch-information.en.html#browser-security),
> which we need to update for wheezy.  Probably not pretending that
> webkitgtk is supported this time.

Proposed text:

Debian 7.0 includes several browser engines which are affected by a
steady stream of security vulnerabilities. The high rate of
vulnerabilities and partial lack of upstream support in the form of
long term branches make it very difficult to support these browsers
with backported security fixes. Additionally, library interdependencies
make it impossible to update to newer upstream releases. As such,
browsers built upon the webkit, qtwebkit and khtml engines are included in
Wheezy, but not covered by security support. These browsers should 
not be used against untrusted websites.

For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape). Xulrunner has had a
history of good backportability for older releases over the previous
release cycles.

Giuseppe, what are your plans for Chromium in Wheezy? Are you optimistic
to keep up with security triage and shall we include an additional
recommendation for Chromium?

Julien, this release note addendum should also "fix" the RC bug #649625

