
Re: CVE-2023-5217 unimportant for firefox?



On Sat, 30 Sep 2023 17:28:29 +0200 Klaus Singvogel <deb-user-ml@singvogel.net> wrote:

> hede wrote:
> > Hi, 
> > 
> > does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an "open unimportant issue" for firefox-esr? Currently it is not fixed in bookworm and newer [1]. Mozilla itself rates it as "critical" [2].  
> 
> That's fixed in Debian Bullseye.
> If I look into /usr/share/doc/firefox-esr/changelog.Debian.gz, I find this entry on top:
> 
> ---------------------------------------------------------------------
> firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium
> 
>   * New upstream release.
>   * Fix for mfsa2023-44, also known as CVE-2023-5217.
> ---------------------------------------------------------------------

Yeah, fixed in Bullseye and not in Bookworm and newer; that's what I criticised.

But the Wanderer and Lee already had an explanation: Firefox in Bookworm and newer uses the system library (libvpx) which has fixes applied. 

hede
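As an added example, not code from the thread or from Debian: the point above (the fix reaches Firefox through the system libvpx package, so the firefox-esr changelog never mentions it) can be checked on a host rather than argued from the tracker. The script below parses `readelf -d` style output for a libvpx NEEDED entry, reads the installed libvpx package version, and compares it against the fixed version. Assumptions, all adjustable: the package is called libvpx7 (bookworm's name for libvpx 1.12), libxul.so lives under /usr/lib/firefox-esr, and the fixed version string is a placeholder to be replaced with the one from the libvpx DSA; the sample dynamic-section lines are constructed for the offline demo.

```shell
#!/bin/sh
# Added example: does firefox-esr get the libvpx fix via the *system* library?
# Not from the thread. Package name, libxul path and fixed version are assumptions.

# Placeholder; take the real value from the Debian security tracker / DSA for libvpx.
FIXED_LIBVPX_VERSION="${FIXED_LIBVPX_VERSION:-1.12.0-1+deb12u1}"

# Constructed sample output in the shape of `readelf -d libxul.so` (not captured from a host).
SAMPLE_DYN_SYSTEM=' 0x0000000000000001 (NEEDED)             Shared library: [libvpx.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_DYN_BUNDLED=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# needed_libvpx "<readelf -d or ldd output>"
# Prints the libvpx soname the binary links (e.g. libvpx.so.7); prints nothing
# when there is no dynamic libvpx dependency, i.e. a bundled/static copy is in use.
needed_libvpx() {
    printf '%s\n' "$1" | grep -o 'libvpx\.so\.[0-9][0-9]*' | head -n 1
    return 0
}

# version_ge A B  -> true if A >= B in Debian version order.
# Uses dpkg's comparator when present; otherwise GNU sort -V, which approximates
# Debian ordering well enough for the usual upstream-debianrev+debNuM suffixes.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# assess <libvpx soname or empty> <installed libvpx version> <fixed version>
# Prints one of: fixed | vulnerable | bundled. Exit status is 0 only for "fixed",
# so the function can drive a fleet check or a cron job directly.
assess() {
    soname=$1; installed=$2; fixed=$3
    if [ -z "$soname" ]; then
        # No system libvpx linked: the fix must ship inside the browser package itself.
        echo bundled; return 1
    elif version_ge "$installed" "$fixed"; then
        echo fixed
    else
        echo vulnerable; return 1
    fi
}

# check_host: run the same logic against a real Debian machine.
# Assumes the Debian layout /usr/lib/firefox-esr/libxul.so and package libvpx7.
check_host() {
    xul=/usr/lib/firefox-esr/libxul.so
    [ -r "$xul" ] || { echo "libxul.so not found at $xul"; return 2; }
    soname=$(needed_libvpx "$(readelf -d "$xul" 2>/dev/null)")
    pkg=$(dpkg-query -W -f '${Version}' libvpx7 2>/dev/null || true)
    assess "$soname" "$pkg" "$FIXED_LIBVPX_VERSION"
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it with `--live` on a bookworm host to see `fixed`; on a host where firefox-esr carried its own libvpx copy it would print `bundled`, which is the situation the bullseye changelog entry above reflects (there the fix had to land in the firefox-esr package). The nonzero exit for anything other than `fixed` is deliberate: "bundled" is not a safe answer, it just moves the question to another package.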

