Devuan bug report logs - #719
Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version


Package: firefox-esr; Maintainer for firefox-esr is (unknown); Source for firefox-esr is src:firefox-esr.

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Thu, 20 Oct 2022 04:32:01 UTC

Severity: normal

Found in version 91

Done: Mark Hindley <mark@hindley.org.uk>


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#719: marked as done (Firefox-esr 91 have some vulnerabilities
 and apt-get can not delivery a newer version )
Message-ID: <handler.719.D719.166625442922569.ackdone@bugs.devuan.org>
References: <Y1EGKQTXJhLGNqp9@hindley.org.uk>
 <BN7PR03MB3827922AF3A9FB9D12A285A8E32A9@BN7PR03MB3827.namprd03.prod.outlook.com>
X-Devuan-PR-Message: closed 719
X-Devuan-PR-Package: firefox-esr
Reply-To: 719@bugs.devuan.org
Date: Thu, 20 Oct 2022 08:28:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1666254482-22576-0"
[Message part 1 (text/plain, inline)]
Your message dated Thu, 20 Oct 2022 09:26:17 +0100
with message-id <Y1EGKQTXJhLGNqp9@hindley.org.uk>
and subject line Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
has caused the Devuan bug report #719,
regarding Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version 
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
719: https://bugs.devuan.org/cgi/bugreport.cgi?bug=719
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 04:29:10 +0000
[Message part 3 (text/plain, inline)]
Package: firefox-esr
Version: 91


 Hi !


 Since I read that Firefox 91 has some serious bug/vuln issues,


 I performed an update on my system


:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only gives me the 91.13.0esr version

 If I take a look at the site [1], the 91.13.0esr version is vulnerable



[1]https://www.debian.org/security/2022/dsa-5259


 Also I see in this other site more info:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions     
 >= 105.0
 >= 102.3.0


An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main




In summary, the update system cannot deliver a safe version or a newer version of firefox-esr



 Thanks in advance for your time and for the time you take to solve this issue


 Cheers

[Message part 4 (text/html, inline)]
[Message part 5 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>
Cc: 719-done@bugs.devuan.org
Subject: Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 09:26:17 +0100
Alter,

On Thu, Oct 20, 2022 at 07:09:19AM +0000, Alter Kim wrote:
>     Hi Mark;
>     Yes, I have the security in my source list.
> 
>     ( But it is needed to remove the # to make it work; if other user(s)
>    don't remove that character, the update to new versions of firefox
>    cannot be delivered )

Well, not really if it is commented out.

Anyway, I am glad it works as expected when security is enabled.

>     Would it be possible to add the newest package of firefox to the deb
>    http://deb.devuan.org/merged chimaera main ??, please

When Debian does the next stable point release, I expect that will happen.

Mark
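
Added example, not part of the bug report or of Devuan's tooling: a small check for the condition discussed in this thread, a sources.list whose security suite is commented out. The function names are hypothetical, the sample file is the one quoted in the report, and matching suites that end in "-security" is an assumption based on the chimaera-security name shown there.

```shell
#!/bin/sh
# Added example (not from the bug report): report which suites in a
# one-line-style APT sources file are enabled and which are commented out.

# Print "enabled <suite>" or "disabled <suite>" for each binary "deb" entry.
list_suites() {
    awk '
    {
        line = $0; state = "enabled"
        # "#deb ..." or "# deb ..." is an entry that has been commented out.
        if (line ~ /^[ \t]*#[ \t]*deb[ \t]/) {
            sub(/^[ \t]*#[ \t]*/, "", line); state = "disabled"
        }
        sub(/#.*$/, "", line)            # drop any trailing comment
        $0 = line                        # re-split into fields
        if ($1 != "deb") next            # skip blanks, comments, deb-src
        uri = 2
        # Skip an optional "[opt=val ...]" block, which may span fields.
        if ($uri ~ /^\[/) { while (uri <= NF && $uri !~ /\]$/) uri++; uri++ }
        if (uri + 1 <= NF) print state, $(uri + 1)
    }' "$1"
}

# Succeed only if some enabled entry names a suite ending in "-security"
# (assumption: the suite naming used on this page, e.g. chimaera-security).
security_enabled() {
    list_suites "$1" | grep -q '^enabled .*-security$'
}

# Constructed sample: the sources.list quoted in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

list_suites "$sample"
if security_enabled "$sample"; then
    echo "security suite enabled"
else
    echo "WARNING: no enabled -security suite; security updates will not be offered"
fi
rm -f "$sample"
```

On the file from the report this prints one enabled suite (chimaera), three disabled ones, and the warning.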

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat Jun 29 06:12:36 2024;