
Re: [CVE-2019-17026] Firefox Security Advisory 2020-03



On 31/01/2020 08:10, Ola Lundqvist wrote:
> Hi
> 
> I have added firefox-esr to dla-needed.txt file now.
> 
> // Ola
> 
> On Thu, 30 Jan 2020 at 01:06, Ben Hutchings <ben@decadent.org.uk> wrote:
> 
>> On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote:
>>> Hi,
>>>
>>>> It seems urgent to me to correct a flaw exploited in firefox:
>>>> https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
>>>>
>>>> Here are the changes:
>>>>
>>>> https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch
>>>
>>> AFAIK this has already been addressed in jessie via DLA-2061-1[0]
>>> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.
>>
>> Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for
>> {stretch,buster}-security also references packages with an upstream
>> version 68.4.1esr.
>>
>> However DLA-2061-1 for jessie-security has a version of
>> 68.4.0esr-1~deb8u1.
>>
>> I think the wrong version was backported to jessie-security, leaving
>> this issue unfixed.

Ah, looks like I prepared the update when 68.4.0 came out and I didn't realise a
new version was released before the DSA. I'll update to 68.4.1 shortly.

Thanks,
Emilio

