On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote:
> Hi,
>
> > It seems urgent to me to correct a flaw exploited in firefox:
> > https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
> >
> > Here are the changes:
> > https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch
>
> AFAIK this has already been addressed in jessie via DLA-2061-1[0]
> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.
Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for
{stretch,buster}-security also references packages with an upstream
version 68.4.1esr.
However DLA-2061-1 for jessie-security has a version of
68.4.0esr-1~deb8u1.
I think the wrong version was backported to jessie-security, leaving
this issue unfixed.
Ben.
> [0] https://security-tracker.debian.org/tracker/CVE-2019-17026
>
--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.