
[SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities



Hello all,

I'm running Etch, and use Iceweasel.  I'm concerned about this security
advisory.  It says that the Etch release notes said that the Mozilla
products would have to be stopped prior to the end of the Etch support
period.  I don't see this.

In fact, the Lenny release notes only mention the possibility of the
need to stop support at some time in the future; they make no mention of
it having happened.  I've copied in the relevant section from the
release note below.


Debian Security Advisory DSA-1751-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 22, 2009                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no

CVE ID         : CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774
CVE-2009-0775 CVE-2009-0776

Several remote vulnerabilities have been discovered in Xulrunner, a 
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

<snip>

For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.7-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.7-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

<snip>

---

Here's the Lenny release note section:


5.6. Security status of Mozilla products

    The Mozilla programs firefox, thunderbird, and sunbird (rebranded
    in Debian to iceweasel, icedove, and iceowl, respectively), are
    important tools for many users. Unfortunately the upstream
    security policy is to urge users to update to new upstream
    versions, which conflicts with Debian's policy of not shipping
    large functional changes in security updates. We cannot predict
    it today, but during the lifetime of lenny the Debian Security
    Team may come to a point where supporting Mozilla products is no
    longer feasible and announce the end of security support for
    Mozilla products. You should take this into account when
    deploying Mozilla and consider alternatives available in Debian
    if the absence of security support would pose a problem for you.

    iceape, the unbranded version of the seamonkey internet suite has
    been removed from lenny (with the exception of a few internal
    library packages).


Did anyone hear that Iceweasel has stopped getting security updates in
Etch?

Doug.

