
Re: Firefox and Debian Testing: Getting Security Updates?



On 08/17/2005 02:10 AM, a.list.address@gmail.com wrote:
> I'm a happy user of Testing, but I'm a bit concerned about getting
> updates to Firefox in a timely manner.  The current version in Testing
> is 1.0.4-2, which has recently-announced vulnerabilities in it.  The
> vulns (I don't like typing that word :) have been fixed in the version
> in Sarge, 1.0.4-2sarge1.  They've been fixed in Unstable as well, in
> 1.0.6-2.
> 
> But when will this version come to Testing?  A quick look at the
> changelog for the package shows that 1.0.5-1, which fixes some
> security issues, was uploaded to Unstable on July 16th with an urgency
> level of high, but four days later 1.0.6-1 was uploaded with an
> urgency of low.  Ten days later, on July 30th, 1.0.6-2 was uploaded
> with an urgency of medium.  But here it is over two weeks later, and
> Testing is still stuck on 1.0.4-2.
> 
> I looked in the bug tracker, but I couldn't find any good bug to
> prevent these newer versions from moving to Testing.
> 
> Now, I'm far from an expert, and I'm still fairly new to Debian (less
> than a year), but it seems like something needs to change.  I don't
> want to run Unstable on my computer, but I don't want to be stuck with
> vulnerable browsers either.
> 
> I could upgrade Firefox to the version that's in unstable, but there
> are two problems:
> 
> 1) This is a poor long-term solution, having to manually upgrade
> packages and their dependencies to fix security problems;
> 
> 2) I can't even do that in this case, because Firefox 1.0.6-2 depends
> on libxinerama1, which depends on libc6 >=2.3.5, but Testing is still
> on libc6 2.3.2.
> 
> This is simply a mess.  Actually, now that I think about it, I suppose
> the reason 1.0.6-2 hasn't moved into Testing is because of the
> dependency problem of libxinerama1 and libc6.  But who knows when the
> new version of libc6 will get into Testing?  It may be a very long
> time.  In the meantime, are we Testing users supposed to keep using a
> vulnerable version of Firefox?
> 
> I know Testing is not supported for security updates, but for
> high-profile packages like Firefox with high-profile vulns, don't we
> need a solution for this problem?  And upgrading to Unstable is not a
> solution; there's a reason I and others use Testing instead of
> Unstable.

You could safely install the backport 1.06 from Kevin McCarty.  See his
message to this list at
http://lists.debian.org/debian-user/2005/08/msg00467.html .

It's still working just fine for me on sarge.

Regards,
Ralph

P.S. Please also read the related threads mentioned by the other replies.
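A small Python implementation of Debian's version ordering (the dpkg comparison rules), added here as an illustration and not part of this thread, shows why the Testing version 1.0.4-2 sorts before the sarge security update 1.0.4-2sarge1, and why both sort before 1.0.5-1 and 1.0.6-2; the is_vulnerable helper and the function names are constructed for this example.

```python
import re

def _order(c: str) -> int:
    # dpkg character weight: '~' sorts before everything (even end of string);
    # end of string and digits weigh 0; letters sort before other punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare an upstream version or Debian revision as dpkg does: alternate
    # runs of non-digits (weighted lexical order) and runs of digits (numeric).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            ia, ib = ia + 1, ib + 1
        da = re.match(r"\d*", a[ia:]).group()
        db = re.match(r"\d*", b[ib:]).group()
        ia, ib = ia + len(da), ib + len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(v1: str, v2: str) -> int:
    # Split "[epoch:]upstream[-revision]"; no epoch means 0, no revision means "0".
    def parts(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"
        return int(epoch), upstream, revision
    e1, u1, r1 = parts(v1)
    e2, u2, r2 = parts(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_vulnerable(installed: str, fixed_in: str) -> bool:
    # Still exposed when the installed version sorts before the first fixed one.
    return compare_versions(installed, fixed_in) < 0
```

With the thread's versions, is_vulnerable("1.0.4-2", "1.0.4-2sarge1") returns True, and compare_versions("2.3.2", "2.3.5") is negative, which is the unmet libc6 >= 2.3.5 dependency that blocks the manual upgrade.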
