Devuan bug report logs - #719
Firefox-esr 91 has some vulnerabilities and apt-get cannot deliver a newer version

Package: firefox-esr; Maintainer for firefox-esr is (unknown); Source for firefox-esr is src:firefox-esr.

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Thu, 20 Oct 2022 04:32:01 UTC

Severity: normal

Found in version 91

Done: Mark Hindley <mark@hindley.org.uk>


Subject: bug#719: Firefox-esr 91 have some vulnerabilities and apt-get can not delivery a newer version 
Reply-To: Alter Kim <alter-kim@hotmail.com>, 719@bugs.devuan.org
From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Date: Thu, 20 Oct 2022 04:29:10 +0000
[Message part 1 (text/plain, inline)]
Package: firefox-esr
Version: 91


Hi!

Since I read that Firefox 91 has some serious bug/vuln issues, I performed an update on my system:


:~$sudo apt update
Get:1 http://deb.devuan.org/merged chimaera InRelease [33.5 kB]
Fetched 33.5 kB in 3s (9,913 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
80 packages can be upgraded. Run 'apt list --upgradable' to see them.


Ready to upgrade firefox

$ sudo apt-get install firefox-esr
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
firefox-esr is already the newest version (91.13.0esr-1~deb11u1).
firefox-esr set to manually installed.


I notice the update only gives me the 91.13.0esr version.

If I take a look at the site [1], the 91.13.0esr version is vulnerable.

[1] https://www.debian.org/security/2022/dsa-5259


Also, I see more info on this other site:

https://security.gentoo.org/glsa/202209-27


References

    CVE-2022-40956
    CVE-2022-40957
    CVE-2022-40958
    CVE-2022-40959
    CVE-2022-40960
    CVE-2022-40962

Affected versions       
 < 105.0
 < 102.3.0

Unaffected versions     
 >= 105.0
 >= 102.3.0


An extra check in the sources.list

$ cat /etc/apt/sources.list
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main




In summary, the update system cannot deliver a safe version or a newer version of firefox-esr.



 Thanks in advance for your time and for the time you take to solve this issue


 Cheers
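
Added example (not part of the original report and not Devuan tooling): in the sources.list quoted above only the base chimaera suite is active and the chimaera-security line is commented out, so a check like this one shows which suites apt will actually consult. The function names and the embedded sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which suites the active "deb" lines of a
# one-line-style sources.list enable, and flag a missing <codename>-security.

# Constructed sample mirroring the file quoted in the report.
sample_sources() {
    cat <<'EOF'
# Package repositories
deb http://deb.devuan.org/merged chimaera main
#deb http://deb.devuan.org/merged chimaera-updates main
#deb http://deb.devuan.org/merged chimaera-security main
#deb http://deb.devuan.org/merged chimaera-backports main
EOF
}

# enabled_suites FILE: print each suite named by an active "deb" line.
enabled_suites() {
    awk '
        $1 != "deb" { next }   # comments, blank lines and deb-src are skipped
        {
            i = 2
            # skip an optional [option=value ...] block (may span fields)
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            if (i + 1 <= NF) print $(i + 1)   # $i is the URI, next is the suite
        }
    ' "$1" | sort -u
}

# security_enabled FILE CODENAME: exit 0 if CODENAME-security is active.
security_enabled() {
    enabled_suites "$1" | grep -qxF -- "$2-security"
}

# audit FILE CODENAME: one-line verdict; exit 1 when the suite is missing.
audit() {
    if security_enabled "$1" "$2"; then
        echo "OK: $2-security is enabled"
    else
        echo "WARNING: $2-security is not enabled; packages published only there will not be offered"
        return 1
    fi
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_sources > "$tmp"
audit "$tmp" chimaera || true
rm -f "$tmp"
```

On a real system, call `audit /etc/apt/sources.list chimaera` and repeat it for any one-line `.list` files under `/etc/apt/sources.list.d/`.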



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sat Jun 29 06:16:03 2024;