https://www.mozilla.org/en-US/security/advisories/mfsa2021-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-39/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-40/

Fixes in 78.14, 91.1, and 92. Please bump.
What is happening? Why is this CVE not tended to after so long? I don't understand why Firefox is treated as a second-class citizen when it comes to CVE-related stabilization in Gentoo. Also, the 91.x ebuilds are not updated in line with upstream. It has been released for over a month, and yet it is not bumped as a stable candidate along with 78.x (until 78.x reaches EOL next month).
I don't get the feeling Firefox CVEs are second-class citizens when they usually take three days up to a week at worst to be stabilized. That said, CVEs are fixed with literally every new release, so it's not completely unwarranted to snooze on the hundredth batch of bugs for one time. As for the next ESR, this happens every year: maintaining Firefox ebuilds is a ton of work, and the maintainers prefer to avoid having to juggle two ESRs. So it's usually delayed until the last ESR goes EOL and/or all of the dependent packages are stabilized. Sometimes it even takes a tiny bit longer. Please practice some patience, and consider manually unmasking the packages if the security issues really concern you.
So, with security bugs we can usually wait until all fixed branches of a piece of software are in the tree before stabilizing, but we also don't aggressively check older bugs for situations like these, due to the high amount of manual checking involved (manpower, tooling, etc.). Maintainers usually have fixed versions in the tree quicker than this, but in this case I'll go ahead and file a stablereq for 78.14 (without moving anything around in this bug, since we're still waiting on the other branch). Sorry about this.
Now need bumps to 78.15, 91.2, and 93. Holding off on assigning CVEs to this bug since Thunderbird advisories usually share CVEs and come out later.

https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=373735ff5114385dbb5ebee7d0116bd5ab2dabce

commit 373735ff5114385dbb5ebee7d0116bd5ab2dabce
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-10-07 11:13:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-10-07 11:13:18 +0000

    www-client/firefox-bin: security cleanup

    Bug: https://bugs.gentoo.org/813498
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                   | 582 ----------------------
 www-client/firefox-bin/firefox-bin-78.13.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-78.14.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-91.0.1.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-91.0.2.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-92.0-r1.ebuild | 383 --------------
 www-client/firefox-bin/firefox-bin-92.0.1.ebuild  | 383 --------------
 7 files changed, 2952 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18170dab3692674737a3643bb2f7907321272291

commit 18170dab3692674737a3643bb2f7907321272291
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-10-09 07:09:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-10-09 07:09:59 +0000

    www-client/firefox: security cleanup

    Bug: https://bugs.gentoo.org/813498
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest                |  589 --------------
 www-client/firefox/firefox-78.13.0.ebuild  | 1187 -----------------------------
 www-client/firefox/firefox-78.14.0.ebuild  | 1187 -----------------------------
 www-client/firefox/firefox-91.0.1.ebuild   | 1149 ----------------------------
 www-client/firefox/firefox-91.0.2.ebuild   | 1149 ----------------------------
 www-client/firefox/firefox-92.0.1.ebuild   | 1148 ----------------------------
 www-client/firefox/firefox-92.0.ebuild     | 1148 ----------------------------
 7 files changed, 7557 deletions(-)
But... I specifically stayed on 0/91 so I could have a smooth upgrade path to esr91 when it arrives. Now I would have to either:

- downgrade to esr78, then back up to esr91
- upgrade to 0/93, then back down to esr91

Neither of these sounds particularly good. Why remove 0/91 when it's going to be the next ESR?
My understanding is that 91-non-ESR and 91-ESR had already diverged in their development paths before release. So in that regard they should be as compatible as 93 -> 91esr will be.
Thanks juippis!
(In reply to Joonas Niilola from comment #8)
> My understanding is that 91-non-ESR and 91-ESR have diverged their
> development paths already before release. So in that regard they should be
> as compatible as 93 -> 91esr will be.

Thanks for the explanation. I will move to 93 until the next ESR arrives.
These have been cleaned, but newer security bugs are open.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57effa1a78ecfa61900fdedbc9401d0948141e99

commit 57effa1a78ecfa61900fdedbc9401d0948141e99
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-02-21 22:59:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-02-21 22:59:29 +0000

    [ GLSA 202202-03 ] Mozilla Firefox: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/802768
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/813498
    Bug: https://bugs.gentoo.org/821385
    Bug: https://bugs.gentoo.org/828538
    Bug: https://bugs.gentoo.org/831039
    Bug: https://bugs.gentoo.org/832992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202202-03.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
GLSA released, all done!