Package: firefox-esr
Version: 78.15.0esr-1~deb11u1
Severity: normal
Tags: security
X-Debbugs-Cc: secur...@debian.org, Debian Security Team <t...@security.debian.org>

Dear Firefox maintainers,

I note that Mozilla's Security Advisory mfsa2021-49 [1] has been released on 2021-11-02, thus nearly two weeks ago, and contains a big stash of security fixes ... but only for Firefox 91 (ESR).

I have searched (but not for very long; I do not seem to have enough permissions in Mozilla's Bugzilla to see the respective tickets) if the CVEs mentioned in the MFSA also apply to FF 78 or if they are being fixed for FF 78 as well. But I couldn't find any information about it.

Thus I suppose that at least some of those security problems also *do* apply to FF 78. This is the crucial question here.

In case those CVEs would also apply to FF 78, then the follow-up question would naturally be: is there a release with fixes for FF 78 forthcoming? Is there an ETA for them?

If the answers to those questions above are not really clear, then I'd like to suggest to consider the question to what degree FF 78 is still supported upstream?

The motivation behind these questions is of course that I am a bit uneasy browsing the internet with a browser that has a lot of known open security problems. That's something that concerns a lot of Debian users.

In case FF 78 would not be very much supported upstream, then maybe it'd be good if Debian officially dropped security support for FF 78?

Finally: I am aware that this ticket is based on a *lot* of unverified hypotheticals. Please pardon me that and please do not get too upset about it. I just wanted to raise a flag about the fact that there are *a lot* of CVEs fixed in a current FF 91 ESR release but no corresponding FF 78 release.

Thanks a lot for maintaining FF!
*t

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: 11.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii  debianutils          4.11.2
ii  fontconfig           2.13.1-4.2
ii  libatk1.0-0          2.36.0-2
ii  libc6                2.31-13+deb11u2
ii  libcairo-gobject2    1.16.0-5
ii  libcairo2            1.16.0-5
ii  libdbus-1-3          1.12.20-2
ii  libdbus-glib-1-2     0.110-6
ii  libevent-2.1-7       2.1.12-stable-1
ii  libffi7              3.3-6
ii  libfontconfig1       2.13.1-4.2
ii  libfreetype6         2.10.4+dfsg-1
ii  libgcc-s1            10.2.1-6
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1
ii  libglib2.0-0         2.66.8-1
ii  libgtk-3-0           3.24.24-4
ii  libnspr4             2:4.29-1
ii  libnss3              2:3.61-1
ii  libpango-1.0-0       1.46.2-3
ii  libstdc++6           10.2.1-6
ii  libvpx6              1.9.0-1
ii  libx11-6             2:1.7.2-1
ii  libx11-xcb1          2:1.7.2-1
ii  libxcb-shm0          1.14-3
ii  libxcb1              1.14-3
ii  libxcomposite1       1:0.4.5-1
ii  libxdamage1          1:1.1.5-2
ii  libxext6             2:1.3.3-1.1
ii  libxfixes3           1:5.0.3-2
ii  libxrender1          1:0.9.10-1
ii  procps               2:3.3.17-5
ii  zlib1g               1:1.2.11.dfsg-2

Versions of packages firefox-esr recommends:
ii  libavcodec58  7:4.3.3-0+deb11u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-6.1
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-7
ii  libgssapi-krb5-2       1.18.3-6+deb11u1
ii  libgtk2.0-0            2.24.33-2
ii  pulseaudio             14.2-2

-- no debconf information