Hi Tomas,

On Sat, Nov 13, 2021 at 11:18:39AM +0100, Tomas Pospisek wrote:
> Package: firefox-esr
> Version: 78.15.0esr-1~deb11u1
> Severity: normal
> Tags: security
> X-Debbugs-Cc: secur...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Dear Firefox maintainers,
>
> I note that Mozilla's Security Advisory mfsa2021-49 [1] has been
> released on 2021-11-02, thus nearly two weeks ago, and contains a big
> stash of security fixes ... but only for Firefox 91 (ESR).
>
> I have searched (but not for very long; I do not seem to have
> enough permissions in Mozilla's Bugzilla to see the respective
> tickets) whether the CVEs mentioned in the MFSA also apply to FF 78
> or whether they are being fixed for FF 78 as well. But I couldn't find
> any information about it. Thus I suppose that at least some of
> those security problems also *do* apply to FF 78. This is the
> crucial question here.
>
> In case those CVEs would also apply to FF 78, then the follow-up
> question would naturally be: is there a release with fixes for FF 78
> forthcoming? Is there an ETA for them?
>
> If the answers to those questions above are not really clear, then
> I'd like to suggest considering the question of to what degree FF 78 is
> still supported upstream.
>
> The motivation behind these questions is of course that I am a bit
> uneasy browsing the internet with a browser that has a lot of known
> open security problems. That's something that concerns a lot of
> Debian users.
>
> In case FF 78 would not be very much supported upstream, then maybe
> it'd be good if Debian officially dropped security support for
> FF 78?
>
> Finally: I am aware that this ticket is based on a *lot* of
> unverified hypotheticals. Please pardon me for that and please do not
> get too upset about it. I just wanted to raise a flag about the
> fact that there are *a lot* of CVEs fixed in a current FF 91 ESR
> release but no corresponding FF 78 release.
Trying to keep the answer short: Firefox 78.15.0 ESR was the last one in the 78 series; upstream support moved to ESR 91.

https://www.mozilla.org/en-US/firefox/78.15.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/

For Debian this means that the next DSA for firefox (which is actually in the works) will be based on the 91 series. The update is delayed because the toolchain is not yet ready: there are updates needed for rustc, which in turn needs an llvm update as well.

As such, the issues are currently tracked at:

https://security-tracker.debian.org/tracker/source-package/firefox-esr

And (usually Moritz) will release updates once they are ready.

Hope this helps,

Regards,
Salvatore