Devuan bug report logs - #719
Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version

Package: firefox-esr; Maintainer for firefox-esr is (unknown); Source for firefox-esr is src:firefox-esr.

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Thu, 20 Oct 2022 04:32:01 UTC

Severity: normal

Found in version 91

Done: Mark Hindley <mark@hindley.org.uk>


Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#719; Package firefox-esr. (Thu, 20 Oct 2022 04:32:03 GMT).


Acknowledgement sent to Alter Kim <alter-kim@hotmail.com>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org. (Thu, 20 Oct 2022 04:32:05 GMT).


Message #5 received at submit@bugs.devuan.org:

From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 04:29:10 +0000
Package: firefox-esr
Version: 91


Hi!

Since I read that Firefox 91 has some serious bug/vuln issues,
I performed an update on my system


:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only gives me the 91.13.0esr version

If I take a look at the site [1], the 91.13.0esr version is vulnerable



[1]https://www.debian.org/security/2022/dsa-5259


Also, I see more info on this other site:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions     
 >= 105.0
 >= 102.3.0


An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main

In summary, the update system cannot deliver a safe version or a newer version of firefox-esr

Thanks in advance for your time and for the time you take to solve this issue

Cheers

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#719; Package firefox-esr. (Thu, 20 Oct 2022 06:32:01 GMT).


Message #8 received at 719@bugs.devuan.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>, 719@bugs.devuan.org
Subject: Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 07:31:18 +0100
Alter,

On Thu, Oct 20, 2022 at 04:29:10AM +0000, Alter Kim wrote:
>    Package: firefox-esr
>    Version: 91
>     Hi!
>     Since I read that Firefox 91 has some serious bug/vuln issues,
> 
>     I performed an update on my system
>    :~$sudo apt update
>    Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
>    Fetched 33.5 kB in 3s (9,913 B/s)

It looks as if you don't have security in your sources list.

Make sure /etc/apt/sources.list or a fragment in /etc/apt/sources.list.d/ contains

 deb http://deb.devuan.org/merged chimaera-security main

Mark

Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Thu, 20 Oct 2022 08:28:02 GMT).


Notification sent to Alter Kim <alter-kim@hotmail.com>:
bug acknowledged by developer. (Thu, 20 Oct 2022 08:28:03 GMT).


Message #13 received at 719-done@bugs.devuan.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>
Cc: 719-done@bugs.devuan.org
Subject: Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 09:26:17 +0100
Alter,

On Thu, Oct 20, 2022 at 07:09:19AM +0000, Alter Kim wrote:
>     Hi Mark;
>     Yes, I have the security in my source list.
> 
>     (But it is needed to remove the # to make it work; if other users
>    don't remove that character, the update to new versions of firefox
>    cannot be delivered)

Well, not really if it is commented out.

Anyway, I am glad it works as expected when security is enabled.

>     Would it be possible to add the newest package of firefox to the deb
>    http://deb.devuan.org/merged chimaera main, please?

When Debian does the next stable point release, I expect that will happen.

Mark
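
The check Mark describes (an enabled chimaera-security entry in /etc/apt/sources.list or a fragment, where a line starting with # does not count), written out as an added example that is not part of the original thread. The function names are made up for this sketch, and it assumes the one-line sources format shown in the report.

```shell
#!/bin/sh
# Added example. Handles the one-line "deb URI SUITE COMPONENT..." format only;
# deb822 *.sources files are not parsed (assumption: none are in use).

# suite_enabled SUITE FILE... -> status 0 if an uncommented deb line names SUITE
suite_enabled() {
    suite=$1; shift
    cat "$@" 2>/dev/null | awk -v want="$suite" '
        { sub(/#.*/, "") }            # a commented-out entry becomes an empty line
        $1 != "deb" { next }          # ignore deb-src and blank lines
        {
            i = 2
            if ($i ~ /^\[/) {         # skip options such as [arch=amd64]
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($(i + 1) == want) found = 1   # $i is the URI, next field the suite
        }
        END { exit !found }'
}

# report FILE... -> one line per suite the thread mentions
report() {
    for s in chimaera chimaera-security chimaera-updates; do
        if suite_enabled "$s" "$@"; then echo "$s: enabled"
        else echo "$s: MISSING"; fi
    done
}

# The sources.list posted in the report, reproduced as sample input.
sample_sources() {
    cat <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF
}

tmp=$(mktemp) && sample_sources >"$tmp" && report "$tmp"
rm -f "$tmp"
# On a live system: report /etc/apt/sources.list /etc/apt/sources.list.d/*.list
```

After enabling the security suite and running apt update, `apt-cache policy firefox-esr` shows which suite the candidate version comes from.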


Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Wed Jun 26 12:10:34 2024;