I have an amd64 Gentoo system. It has Firefox 38.8.0 installed on it, but glsa-check doesn't indicate that it's vulnerable.

test@localhost ~ $ glsa-check -l
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

test@localhost ~ $

The latest GLSA for Firefox is https://security.gentoo.org/glsa/201605-06 , which indicates:

"Unaffected versions >= 38.7.0"

This leaves out:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.3
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.4

Just because there weren't any 38.x updates, that doesn't mean 38.8 isn't affected by those. 38.x is EOL.
(In reply to Will Dormann from comment #0)
> The latest GLSA for Firefox is https://security.gentoo.org/glsa/201605-06 ,
> which indicates:
>
> "Unaffected versions >= 38.7.0"
>

This only says that the issues described in this specific advisory are fixed by that version; it does not speak for any future updates like the ones you list. Mozilla bugs always take a while to squash; when the advisory is out, old versions will eventually be marked as vulnerable as well.