Re: [SECURITY] [DSA 5113-1] firefox-esr security update



Elmar Stellnberger on Thursday, 2022-04-14T18:51:01+0200:

Where can I get this from for buster and architecture i386? <http://security.debian.org/debian-security/dists/buster/updates/main/binary-i386/Packages.xz> does not have it.

Friedhelm, how did you notice this issue?
Was the file really not there, or do you think you forgot to type firefox-esr instead of firefox, or something like that?

Yes, for i386 it is really not there:

$ apt-cache policy firefox-esr
firefox-esr:
 Candidate: 78.15.0esr-1~deb10u1
 Version table:
    91.8.0esr-1~deb11u1 50
        50 http://apt-cache.zuhause.test:3142/debian-security bullseye-security/main i386 Packages
    78.15.0esr-1~deb11u1 50
        50 http://apt-cache.zuhause.test:3142/debian bullseye/main i386 Packages
    78.15.0esr-1~deb10u1 500
       500 http://apt-cache.zuhause.test:3142/debian-security buster/updates/main i386 Packages
    78.14.0esr-1~deb10u1 500
       500 http://apt-cache.zuhause.test:3142/debian buster/main i386 Packages
    78.12.0esr-1 50
        50 file:/media/root/Debian 11.0.0 i386 1/debian bullseye/main i386 Packages

On apt-cache.zuhause.test I run an apt-cacher-ng that maps http://apt-cache.zuhause.test:3142/debian to

http://deb.debian.org/debian/
http://ftp.de.debian.org/debian/
http://ftp2.de.debian.org/debian/
http://ftp.debian.org/debian/

, which are considered to be equal, and http://apt-cache.zuhause.test:3142/debian-security to

http://security.debian.org/debian-security
http://deb.debian.org/debian-security

, which are considered to be equal.

At present I have pinned to priority 50 all package versions belonging to any release whose codename matches »bullseye*« with a rule in /etc/apt/preferences. When I am ready to upgrade to bullseye, I will remove that rule.

So the newest firefox-esr in buster for i386 is 78.15.0esr-1~deb10u1, and that is broken.


Package        : firefox-esr
CVE ID         : CVE-2022-1097  CVE-2022-1196  CVE-2022-24713
                 CVE-2022-28281 CVE-2022-28282 CVE-2022-28285
                 CVE-2022-28286 CVE-2022-28289

Multiple security issues have been found in the Mozilla Firefox web browser,
[…]
For the oldstable distribution (buster), these problems have been fixed in version 91.8.0esr-1~deb10u1.
[…]
We recommend that you upgrade your firefox-esr packages.

For me it apparently really has kept an old unfixed version.

Exactly.

The message says fixed for oldstable, not mentioning that the fix has not yet been achieved for i386 and that it was only applied to amd64.

Yes, so it is.


Regards,
Friedhelm.

My OpenPGP key:



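The gap discussed in this thread, a DSA "fixed in" version that one architecture's Packages index does not carry, can be checked mechanically. The following is an added example, not part of the original mail or of any Debian tooling: it ports dpkg's version ordering rules to Python and runs them over constructed index stanzas; all function names are hypothetical.

```python
import re

def _order(ch):
    # dpkg order: '~' sorts before everything (even end of string, ""),
    # letters sort before other punctuation.
    if ch in ("", "~"):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

_RUN = re.compile(r"([^0-9]*)([0-9]*)(.*)")  # non-digit run, digit run, rest

def _cmp_part(a, b):
    while a or b:
        na, da, a = _RUN.match(a).groups()
        nb, db, b = _RUN.match(b).groups()
        for k in range(max(len(na), len(nb))):
            d = _order(na[k:k + 1]) - _order(nb[k:k + 1])
            if d:
                return d
        d = int(da or 0) - int(db or 0)  # digit runs compare numerically
        if d:
            return d
    return 0

def deb_cmp(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    def split(v):
        epoch, colon, rest = v.partition(":")
        if not colon:
            epoch, rest = "0", v
        upstream, dash, rev = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), (rev if dash else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def published_versions(index_text, package):
    """Versions of `package` found in the text of a Packages index."""
    stanzas = (dict(l.split(": ", 1) for l in s.splitlines()
                    if ": " in l and not l[0].isspace())
               for s in index_text.strip().split("\n\n"))
    return [f["Version"] for f in stanzas if f.get("Package") == package]

def fix_available(index_text, package, fixed_version):
    return any(deb_cmp(v, fixed_version) >= 0 for v in published_versions(index_text, package))

# Constructed sample stanzas; real indexes carry many more fields.
I386_INDEX = "Package: firefox-esr\nVersion: 78.15.0esr-1~deb10u1\nArchitecture: i386\n"
AMD64_INDEX = "Package: firefox-esr\nVersion: 91.8.0esr-1~deb10u1\nArchitecture: amd64\n"
FIXED = "91.8.0esr-1~deb10u1"  # "fixed in" version for buster, from the DSA text
if __name__ == "__main__":
    for arch, idx in (("i386", I386_INDEX), ("amd64", AMD64_INDEX)):
        print(arch, fix_available(idx, "firefox-esr", FIXED))
```

Fed the decompressed Packages index of each architecture you run, this check flags hosts where an advisory's fixed version is not yet installable.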