Hello everyone,

Given our current time_t transition, which means packages are blocked from migrating to testing for weeks, and that unstable updates have become harder to apply, two critical CVE fixes for Firefox became impossible to get through the official repositories:

https://security-tracker.debian.org/tracker/CVE-2024-29943
https://security-tracker.debian.org/tracker/CVE-2024-29944
https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/

The most serious one, CVE-2024-29943, is said to achieve remote code execution, but it does not affect firefox-esr, only firefox.

I'm sending this to d-devel because there should be a lot of testing and unstable users on this list. If you're not running firefox 124.0.1 or firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.

One valid workaround seems to be installing Firefox from Mozilla's repo:
https://support.mozilla.org/en-US/kb/install-firefox-linux

It might be a good time to remember that unstable and testing are not officially supported releases (as their names suggest), so issues like this do happen from time to time.

In a recent case, the issue was addressed by performing a testing-proposed-update of the package. This would allow firefox-esr to be fixed on testing before the transition is over, but it would not work for those installing the firefox package from unstable on a testing machine (since there's no firefox package on testing, just firefox-esr).

I hope this is useful to those who are not aware of the issue yet.

Cheers,

--
Samuel Henrique <samueloph>