Re: CVE-2016-2839 / Firefox-ESR

On Wed, Aug 17, 2016 at 09:00:30AM +0100, Chris Lamb wrote:
> Hi Brian,
>
> > 45.3.0esr-1~deb7u1 in wheezy is vulnerable.
> > 45.3.0esr-1~deb8u1 in jessie is vulnerable.
> > 45.3.0esr-1 in sid and stretch is not vulnerable.
> >
> > Which makes me wonder if Wheezy and Jessie versions have been fixed, but
> > not marked as such
>
> Good spot.
>
> CVE-2016-2839 is marked as fixed in the changelog of 45.3.0esr-1~deb7u1.
>
> Mike, as author of that changelog entry, can you comment here?

All 45.3.0esr-1* versions are fixed, but this only actually affects when
playing videos with ffmpeg 0.10 installed. *not* ffmpeg 1.0, *not*
libav. So for most practical purposes, wheezy and jessie are not
/really/ affected as long as only packages from wheezy and jessie are