Your message dated Thu, 11 Apr 2019 09:04:15 +0200
with message-id <2d4b9456-1d72-9e04-eed8-ef8d90786f9c@debian.org>
and subject line Re: jessie+stretch: limitations in security support: misleading browser engine information
has caused the Debian Bug report #864032,
regarding jessie+stretch: limitations in security support: misleading browser engine information
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
864032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864032
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie+stretch: limitations in security support: misleading browser engine information
- From: Adrian Bunk <bunk@debian.org>
- Date: Sat, 03 Jun 2017 17:13:23 +0300
- Message-id: <149649920360.6633.7577657748691712338.reportbug@localhost>
Package: release-notes
Severity: important

5.2.1. Security status of web browsers

Debian 9 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Stretch, but not covered by security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend Firefox or Chromium. Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Firefox and Thunderbird will also be kept up-to-date by rebuilding the current ESR releases for stable.

Note how from the headline to the suggested mitigation everything talks about web *browsers*.

These browser engines are used in many places other than web browsers, and the documentation should cover the problem properly.

As an example, Evolution in jessie (installed as part of GNOME) renders HTML emails with a browser engine with around 100 unfixed CVEs.

The problem is not limited to this specific browser engine, there are several others and their reverse dependencies where users of Debian jessie or stretch are vulnerable to known CVEs.

I do not know how to word that both technically correct and without stating "do not run Debian on a desktop".
--- End Message ---
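The bug report above argues that the exposure is not limited to browsers but extends to every installed reverse dependency of the unsupported engines. The following script, an added example that is neither part of the bug report nor of the Debian release notes, shows how an administrator can enumerate those reverse dependencies from the dpkg status database (the /var/lib/dpkg/status stanza format is real; the package names, versions and the engine-library regex are constructed or assumed and must be adapted to the release actually installed).

```shell
#!/bin/sh
# Added example, not part of bug #864032 or of the Debian release notes.
# Lists installed packages whose Depends field references one of the
# unsupported browser engine libraries (webkit, qtwebkit, khtml), by
# parsing a file in /var/lib/dpkg/status format.

# Regex over dependency names; an assumption to adapt to the engine
# packages your release ships (check with: apt-cache search webkit).
ENGINE_PATTERN='libwebkit|libqt5webkit|libqtwebkit|khtml'

# Constructed excerpt in /var/lib/dpkg/status format. Names and versions
# are illustrative only and are not real jessie/stretch package data.
STATUS_EXCERPT="$(cat <<'EOF'
Package: evolution
Status: install ok installed
Version: 0.0-constructed
Depends: libc6, libwebkitgtk-3.0-0 (>= 2.4), libglib2.0-0

Package: libwebkitgtk-3.0-0
Status: install ok installed
Version: 0.0-constructed
Depends: libc6

Package: firefox-esr
Status: install ok installed
Version: 0.0-constructed
Depends: libc6, libgtk-3-0

Package: konqueror
Status: install ok installed
Version: 0.0-constructed
Depends: libc6, libkf5khtml5 (>= 5.28)

Package: removed-qt-tool
Status: deinstall ok config-files
Version: 0.0-constructed
Depends: libqt5webkit5
EOF
)"

# engine_rdepends PATTERN < status-file
# Prints, one per line, every package whose Status ends in "installed" and
# whose Depends field references a package matching PATTERN. Stanzas left
# only as config-files are skipped: their binaries are no longer present.
engine_rdepends() {
  awk -v pat="$1" '
    BEGIN { RS = ""; FS = "\n" }   # one dpkg stanza per record, one field per line
    {
      name = ""; installed = 0; deps = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Package: /)                           name = substr($i, 10)
        else if ($i ~ /^Status: / && $i ~ / installed$/) installed = 1
        else if ($i ~ /^Depends: /)                      deps = substr($i, 10)
      }
      if (installed && name != "" && deps ~ pat) print name
    }'
}

# engine_rdepends_demo: run the check over the constructed excerpt and
# return the matching package names joined by single spaces.
engine_rdepends_demo() {
  printf '%s\n' "$STATUS_EXCERPT" | engine_rdepends "$ENGINE_PATTERN" \
    | tr '\n' ' ' | sed 's/ $//'
}

# With --live, inspect the real dpkg database of the current host instead
# of the constructed excerpt.
if [ "${1:-}" = "--live" ]; then
  engine_rdepends "$ENGINE_PATTERN" < /var/lib/dpkg/status
else
  engine_rdepends_demo
fi
```

On the constructed data the demo reports evolution and konqueror: the engine library itself, the browser that does not use these engines, and the removed package are all left out. The check only follows the Depends field; packages that pull an engine in through Recommends or through a plugin package are not listed, so on a real host it is worth cross-checking with `apt-cache rdepends --installed <engine-package>` for each engine library the release notes name.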
--- Begin Message ---
- To: 864032-done@bugs.debian.org, Adrian Bunk <bunk@debian.org>
- Subject: Re: jessie+stretch: limitations in security support: misleading browser engine information
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 11 Apr 2019 09:04:15 +0200
- Message-id: <2d4b9456-1d72-9e04-eed8-ef8d90786f9c@debian.org>
- In-reply-to: <149649920360.6633.7577657748691712338.reportbug@localhost>
- References: <149649920360.6633.7577657748691712338.reportbug@localhost> <149649920360.6633.7577657748691712338.reportbug@localhost>
Hi Adrian,

On Sat, 03 Jun 2017 17:13:23 +0300 Adrian Bunk <bunk@debian.org> wrote:
> Note how from the headline to the suggested mitigation everything
> talks about web *browsers*.
>
> These browser engines are used in many places other than web browsers,
> and the documentation should cover the problem properly.
>
> As an example, Evolution in jessie (installed as part of GNOME)
> renders HTML emails with a browser engine with around 100 unfixed CVEs.
>
> The problem is not limited to this specific browser engine,
> there are several others and their reverse dependencies where
> users of Debian jessie or stretch are vulnerable to known CVEs.
>
> I do not know how to word that both technically correct
> and without stating "do not run Debian on a desktop".

We have improved the text:
https://salsa.debian.org/ddp-team/release-notes/commit/47a1428

Paul
--- End Message ---