[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [CVE-2019-17026] Firefox Security Advisory 2020-03

On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote:
> Hi,
> > It seems urgent to me to correct a flaw exploited in firefox:
> > https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
> > 
> > Here are the changes:
> > https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch
> AFAIK this has already been addressed in jessie via DLA-2061-1[0]
> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.

Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for
{stretch,buster}-security also references packages with an upstream
version 68.4.1esr.

However DLA-2061-1 for jessie-security has a version of

I think the wrong version was backported to jessie-security, leaving
this issue unfixed.


> [0] https://security-tracker.debian.org/tracker/CVE-2019-17026
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: