
Re: [SECURITY] [DSA 5113-1] firefox-esr security update

On 14.04.22 14:52, Elmar Stellnberger wrote:
   I am also running Debian 10 on my Asus eeePC (Pentium M). I
am mainly using it as a dictionary. Although I am performing
security updates quite regularly, I have not run into this
issue. Having updated just now, I am on Firefox
78.15.0-esr-1~deb10u1 and with
** gcc 4:8.3.0-1 being offered by

  I have looked at the build log of QCoan in the OBS and it is using
gcc-8-8.3.0-6. That is even newer than what got installed by the updates. I would thus believe that the gcc bug is still there that prevents some Firefox version from building, but that I simply have not noticed this issue via the normal upgrade process.
  Another explanation would of course be that the two errors are unrelated.

> Where can I get this from for buster and architecture i386?
> <http://security.debian.org/debian-security/dists/buster/updates/main/binary-i386/Packages.xz>
> does not have it.

  Friedhelm, how did you notice this issue?
Was the file really not there, or do you think you may have typed firefox instead of firefox-esr or something like that?

> Package        : firefox-esr
> CVE ID         : CVE-2022-1097 CVE-2022-1196 CVE-2022-24713 CVE-2022-28281
>                  CVE-2022-28282 CVE-2022-28285 CVE-2022-28286 CVE-2022-28289
> Multiple security issues have been found in the Mozilla Firefox web
> browser, which could potentially result in the execution of arbitrary
> code, information disclosure or spoofing.
> For the oldstable distribution (buster), these problems have been fixed
> in version 91.8.0esr-1~deb10u1.
> For the stable distribution (bullseye), these problems have been fixed in
> version 91.8.0esr-1~deb11u1.
> We recommend that you upgrade your firefox-esr packages.

 For me it apparently really has kept an old, unfixed version.
The message says fixed for oldstable, without mentioning that the fix has not yet been achieved for i386 and that it was only applied to amd64.
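
One way to check the situation described in this message, namely whether an architecture's Packages index still offers a firefox-esr older than the fix version named in the quoted advisory. This is an added example, not part of the original message or of Debian's tooling; the index stanzas are constructed (the i386 version string is the one quoted in the message), and the names `deb_cmp` and `unfixed_archs` are hypothetical. It reimplements Debian's version ordering (epoch, tilde, letters before symbols) so that it runs without dpkg.

```python
import re
from itertools import zip_longest

FIXED = "91.8.0esr-1~deb10u1"  # buster fix version from the quoted DSA 5113-1
# Constructed Packages stanzas, not real archive data.
SAMPLE = """\
Package: firefox-esr
Architecture: amd64
Version: 91.8.0esr-1~deb10u1

Package: firefox-esr
Architecture: i386
Version: 78.15.0-esr-1~deb10u1
"""

def _order(c):
    # dpkg order: '~' < end of string (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(s):
    # Alternating (non-digit run, number) tokens; each run ends with a 0 sentinel
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"([^0-9]*)([0-9]*)", s)]

def _cmp_str(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_str(ua, ub) or _cmp_str(ra, rb)

def unfixed_archs(packages_text, package="firefox-esr", fixed=FIXED):
    """Map architecture -> offered version for stanzas older than `fixed`."""
    stale = {}
    for stanza in packages_text.strip().split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if f.get("Package") == package and deb_cmp(f.get("Version", ""), fixed) < 0:
            stale[f.get("Architecture", "?")] = f["Version"]
    return stale
```

Calling `unfixed_archs(SAMPLE)` reports only the i386 entry, since the amd64 stanza already carries the fix version.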
