Re: CVE-2023-5217 unimportant for firefox?

To: hede <debian452@der-he.de>
Cc: debian-user@lists.debian.org
Subject: Re: CVE-2023-5217 unimportant for firefox?
From: Klaus Singvogel <deb-user-ml@singvogel.net>
Date: Sat, 30 Sep 2023 17:28:29 +0200
Message-id: <[🔎] 20230930152829.GA6414@singvogel.net>
In-reply-to: <[🔎] 20230930132032.05a0e468@hpusdt5.der-he.de>
References: <[🔎] 20230930132032.05a0e468@hpusdt5.der-he.de>

hede wrote:
> Hi, 
> 
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an "open unimportant issue" for firefox-esr? Currently it is not fixed in bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

That's fixed in Debian Bullseye.
If I look into /usr/share/doc/firefox-esr/changelog.Debian.gz, I find this entry on top:

---------------------------------------------------------------------
firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium

  * New upstream release.
  * Fix for mfsa2023-44, also known as CVE-2023-5217.
---------------------------------------------------------------------

Best regards,
	Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27

Reply to:

Follow-Ups:
- Re: CVE-2023-5217 unimportant for firefox?
  - From: hede <debian452@der-he.de>

References:
- CVE-2023-5217 unimportant for firefox?
  - From: hede <debian452@der-he.de>

Prev by Date: Re: swap-fle on arm64, need to disable, how?
Next by Date: Debian will not boot any more, wrong UUID
Previous by thread: Re: CVE-2023-5217 unimportant for firefox?
Next by thread: Re: CVE-2023-5217 unimportant for firefox?
Index(es):
- Date
- Thread