[SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
I'm running Etch, and use Iceweasel. I'm concerned about this security
advisory. It says that the Etch release notes said that the Mozilla
products would have to be stopped prior to the end of the Etch support
period. I don't see this.
In fact, the Lenny release notes only mention the possibility of the
need to stop support at some time in the future, they make no mention of
it having happened. I've copied in the relavent section from the
release note below.
Debian Security Advisory DSA-1751-1 firstname.lastname@example.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 22, 2009 http://www.debian.org/security/faq
Package : xulrunner
Vulnerability : several
Problem-Type : remote
CVE ID : CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:
For the stable distribution (lenny), these problems have been fixed
in version 220.127.116.11-0lenny1.
As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
For the unstable distribution (sid), these problems have been fixed in
We recommend that you upgrade your xulrunner packages.
Here's the Lenny release note section:
5.6. Security status of Mozilla products
The Mozilla programs firefox, thunderbird, and sunbird (rebranded
in Debian to iceweasel, icedove, and iceowl, respectively), are
important tools for many users. Unfortunately the upstream
security policy is to urge users to update to new upstream
versions, which conflicts with Debian's policy of not shipping
large functional changes in security updates. We cannot predict
it today, but during the lifetime of lenny the Debian Security
Team may come to a point where supporting Mozilla products is no
longer feasible and announce the end of security support for
Mozilla products. You should take this into account when
deploying Mozilla and consider alternatives available in Debian
if the absence of security support would pose a problem for you.
iceape, the unbranded version of the seamonkey internet suite has
been removed from lenny (with the exception of a few internal
Did anyone hear that Iceweasel has stopped getting security updates in