Thanks a lot for the info Salvatore! I'll raise the severity of the issue
accordingly, so that it gets a more "prominent" place in the tickets
and so that other users will notice more easily the state this
problem's at.
*t
On Sat, 13 Nov 2021, Salvatore Bonaccorso wrote:
> Hi Tomas,
>
> On Sat, Nov 13, 2021 at 11:18:39AM +0100, Tomas Pospisek wrote:
> > Package: firefox-esr
> > Version: 78.15.0esr-1~deb11u1
> > Severity: normal
> > Tags: security
> > X-Debbugs-Cc: secur...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Dear Firefox maintainers,
> >
> > I note that Mozilla's Security Advisory mfsa2021-49 [1] has been
> > released on 2021-11-02, thus nearly two weeks ago, and contains a big
> > stash of security fixes ... but only for Firefox 91 (ESR).
> >
> > I have searched (but not for very long; I do not seem to have
> > enough permissions in Mozilla's Bugzilla to see the respective
> > tickets) if the CVEs mentioned in the MFSA also apply to FF 78
> > or if they are being fixed for FF 78 as well. But I couldn't find
> > any information about it. Thus I suppose that at least some of
> > those security problems also *do* apply to FF 78. This is the
> > crucial question here.
> >
> > In case those CVEs would also apply to FF 78, then the follow-up
> > question would naturally be: is there a release with fixes for FF 78
> > forthcoming? Is there an ETA for them?
> >
> > If the answers to those questions above are not really clear, then
> > I'd like to suggest considering the question of to what degree FF 78 is
> > still supported upstream.
> >
> > The motivation behind these questions is of course that I am a bit
> > uneasy browsing the internet with a browser that has a lot of known
> > open security problems. That's something that concerns a lot of
> > Debian users.
> >
> > In case FF 78 would not be very much supported upstream, then maybe
> > it'd be good if Debian officially dropped security support for
> > FF 78?
> >
> > Finally: I am aware that this ticket is based on a *lot* of
> > unverified hypotheticals. Please pardon me that and please do not
> > get too upset about it. I just wanted to raise a flag about the
> > fact that there are *a lot* of CVEs fixed in a current FF 91 ESR
> > release but no corresponding FF 78 release.
>
> Trying to keep the answer short: Firefox 78.15.0 ESR was the last one
> in the 78 series; upstream support moved to ESR 91.
>
> https://www.mozilla.org/en-US/firefox/78.15.0/releasenotes/
> https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/
>
> For Debian this means that the next DSA for firefox (which would
> actually be in the works) will be based on the 91 series.
>
> The update is delayed because the toolchain is not yet ready; there
> are updates needed for rustc, which in turn needs an llvm update as
> well.
>
> As such the issues are currently tracked at:
> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>
> And (usually Moritz) will release updates once they are ready.
>
> Hope this helps,
>
> Regards,
> Salvatore