Devuan bug report logs - #719
Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version


Package: firefox-esr; Maintainer for firefox-esr is (unknown); Source for firefox-esr is src:firefox-esr.

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Thu, 20 Oct 2022 04:32:01 UTC

Severity: normal

Found in version 91

Done: Mark Hindley <mark@hindley.org.uk>




MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Alter Kim <alter-kim@hotmail.com>
Subject: bug#719 closed by Mark Hindley <mark@hindley.org.uk> (Re:
 bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not
 delivery a newer version)
Message-ID: <handler.719.D719.166625442922569.notifdone@bugs.devuan.org>
References: <Y1EGKQTXJhLGNqp9@hindley.org.uk>
 <BN7PR03MB3827922AF3A9FB9D12A285A8E32A9@BN7PR03MB3827.namprd03.prod.outlook.com>
X-Devuan-PR-Message: they-closed 719
X-Devuan-PR-Package: firefox-esr
Reply-To: 719@bugs.devuan.org
Date: Thu, 20 Oct 2022 08:28:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1666254483-22576-1"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the firefox-esr package:

#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version 

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
719: https://bugs.devuan.org/cgi/bugreport.cgi?bug=719
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>
Cc: 719-done@bugs.devuan.org
Subject: Re: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 09:26:17 +0100
Alter,

On Thu, Oct 20, 2022 at 07:09:19AM +0000, Alter Kim wrote:
>     Hi Mark;
>     Yes, I have the security in my source list.
> 
>     (But it is necessary to remove the # to make it work; if other user(s)
>    don't remove that character, the update to new versions of firefox
>    cannot be delivered)

Well, not really if it is commented out.

Anyway, I am glad it works as expected when security is enabled.

>     Would it be possible to add the newest package of firefox to the deb
>    http://deb.devuan.org/merged chimaera main, please?

When Debian does the next stable point release, I expect that will happen.

Mark
[Message part 3 (message/rfc822, inline)]
From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version
Date: Thu, 20 Oct 2022 04:29:10 +0000
[Message part 4 (text/plain, inline)]
Package: firefox-esr
Version: 91


 Hi !


 Since I read that firefox 91 has some serious bug/vuln issues,
 I performed an update on my system:


$ sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only gives me the 91.13.0esr version.

 If I take a look at the site [1], the 91.13.0esr version is vulnerable.

[1] https://www.debian.org/security/2022/dsa-5259

 I also see more info on this other site:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions     
 >= 105.0
 >= 102.3.0


An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main




In summary, the update system cannot deliver a safe version or a newer version of firefox-esr.



 Thanks in advance for your time and for the time you take to solve this issue


 Cheers

[Message part 5 (text/html, inline)]
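
The root cause in this report is that `chimaera-security` is commented out in `/etc/apt/sources.list`, so apt treats 91.13.0esr as the newest candidate. The following check is an added example, not part of the original thread or of Devuan's tooling: a hypothetical helper, `missing_security_suites`, lists every enabled release that has no enabled `<release>-security` line. It assumes one-line `deb` entries (not deb822 `.sources` files), and the sample file is constructed from the listing in the report.

```shell
#!/bin/sh
# missing_security_suites FILE... (hypothetical helper name)
# Prints each release codename that has an active "deb" line but no active
# "<release>-security" line. One-line sources.list format only.
missing_security_suites() {
    awk '
        # Only active entries count: "#deb ..." is a comment to apt.
        $1 == "deb" {
            i = 2
            # Skip an optional [option=value ...] block before the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)              # the field after the URI
            if (suite == "") next
            if (suite ~ /-security$/) {
                sub(/-security$/, "", suite)
                secured[suite] = 1
            } else if (suite !~ /-(updates|backports|proposed-updates)$/) {
                base[suite] = 1
            }
        }
        END { for (s in base) if (!(s in secured)) print s }
    ' "$@" | sort
}

# Constructed sample: the sources.list shown in the report.
sample=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
cat > "$sample" <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF

# Same file with only the security line uncommented.
sed 's/^#\(deb .*-security \)/\1/' "$sample" > "$fixed"

echo "as reported, releases without security suite: $(missing_security_suites "$sample")"
echo "after enabling security:                      $(missing_security_suites "$fixed")"
```

On a real system, pass `/etc/apt/sources.list` together with any `/etc/apt/sources.list.d/*.list` files, then confirm the result with `apt-cache policy firefox-esr`.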



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat Jun 29 06:08:30 2024;