Summary: | www-client/firefox-91.0.1: security stabilization | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | John Helmert III <ajak> |
Component: | Stabilization | Assignee: | Mozilla Gentoo Team <mozilla> |
Status: | RESOLVED INVALID | | |
Severity: | normal | Flags: | nattka: sanity-check- |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | www-client/firefox-91.0.1 * | | |
Runtime testing required: | --- | | |
Bug Depends on: | | | |
Bug Blocks: | 808927 | | |
Description
John Helmert III
Sanity check failed:
> www-client/firefox-91.0.1
> depend amd64 stable profile default/linux/amd64/17.1 (35 total)
> >=dev-libs/nspr-4.32
> >=dev-libs/nss-3.68
> depend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
> >=dev-libs/nspr-4.32
> >=dev-libs/nss-3.68
> rdepend amd64 stable profile default/linux/amd64/17.1 (35 total)
> >=dev-libs/nspr-4.32
> >=dev-libs/nss-3.68
> rdepend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
> >=dev-libs/nspr-4.32
> >=dev-libs/nss-3.68
We do not stabilize non-ESR version.

(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR version.

91.0.1 is an ESR release, isn't it? https://www.mozilla.org/en-US/firefox/91.0.1esr/releasenotes/

If the vulnerability doesn't affect <91, then I suppose we don't need stabilization (since vulnerability only affected unstable versions), but is that the case?

(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR version.

Firefox-91.0 is ESR. Which makes it eligible for stabilization succeeding 78.x.

While 91 is now ESR, it seems that 78 ESR is still supported: https://wiki.mozilla.org/Release_Management/Calendar

For the users:
Don't get confused by the fact that upstream is currently having two products with the same version (91.x). They are different branches: ESR and non-ESR.
These branches have already started to slightly diverge. A firefox built from 91.0.1 tarball is not identical with a firefox 91.0.1 built from ESR tarball and would in addition receive different runtime settings from Mozilla's Normandy service if used.
While upstream has released a new ESR branch (91.x) this month, we do not have this version yet in Gentoo repository:
In Gentoo repository we currently have
> $ eshowkw www-client/firefox
> Keywords for www-client/firefox:
> | | u |
> | a a p s a r | n |
> | m r h p p l i i m m s | e u s | r
> | d a m p p c a x p a s 6 i 3 | a s l | e
> | 6 r 6 p p 6 r 8 h 6 c 8 p 9 | p e o | p
> | 4 m 4 a c 4 c 6 a 4 v k s 0 | i d t | o
> ----------+-----------------------------+-------------+-------
> 78.12.0 | + o + o o ~ o + o o o o o o | 7 # 0/esr78 | gentoo
> 78.13.0 | + o + o o ~ o + o o o o o o | 7 o | gentoo
> ----------+-----------------------------+-------------+-------
> [I]90.0.2 | ~ o ~ o o ~ o ~ o o o o o o | 7 o 0/90 | gentoo
> ----------+-----------------------------+-------------+-------
> 91.0 | ~ o ~ o o ~ o ~ o o o o o o | 7 # 0/91 | gentoo
> 91.0.1 | ~ o ~ o o ~ o ~ o o o o o o | 7 o | gentoo
BTW: 78.x ESR is still supported for the next two months.
Regarding this security bug: The vulnerability CVE-2021-29991 is about a vulnerability in HTTP/3 implementation _which is not present_ in 0/esr78 slot which is the only stable www-client/firefox version in Gentoo repository.
So I am closing this again as INVALID because there is nothing to stabilize for us here (=invalid call) which is reflected by the bug state "INVALID". :)
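The triage reasoning in the closing comment, written out as an added example; it is not part of the bug thread and not Gentoo tooling. It parses the eshowkw rows quoted above and lists stable versions whose slot is not known to be unaffected. Assumptions: keyword column 0 is amd64, "+" means stable, a blank slot cell repeats the slot of the row above, and the function names are hypothetical.

```python
import re

# Rows copied from the eshowkw table on this page (quote markers removed).
ESHOWKW_ROWS = """\
78.12.0 | + o + o o ~ o + o o o o o o | 7 # 0/esr78 | gentoo
78.13.0 | + o + o o ~ o + o o o o o o | 7 o | gentoo
----------+-----------------------------+-------------+-------
[I]90.0.2 | ~ o ~ o o ~ o ~ o o o o o o | 7 o 0/90 | gentoo
----------+-----------------------------+-------------+-------
91.0 | ~ o ~ o o ~ o ~ o o o o o o | 7 # 0/91 | gentoo
91.0.1 | ~ o ~ o o ~ o ~ o o o o o o | 7 o | gentoo
"""


def parse_rows(text):
    """Yield (version, keywords, slot) for each version row.

    Assumption: eshowkw prints the slot only on the first row of a slot
    group, so a row without a slot cell inherits the previous row's slot.
    """
    slot = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:  # separator lines contain no '|'
            continue
        version = re.sub(r"^\[\w+\]", "", cells[0])  # drop markers such as [I]
        meta = cells[2].split()  # EAPI, unused flag, optional slot
        if len(meta) == 3:
            slot = meta[2]
        yield version, cells[1].split(), slot


def stable_versions_needing_action(text, arch_col, unaffected_slots):
    """Return versions that are stable ('+') on the given keyword column
    and whose slot is not in the set of slots known to lack the flaw."""
    return [version for version, keywords, slot in parse_rows(text)
            if keywords[arch_col] == "+" and slot not in unaffected_slots]


if __name__ == "__main__":
    # Per the closing comment, the HTTP/3 code is not present in 0/esr78.
    pending = stable_versions_needing_action(ESHOWKW_ROWS, 0, {"0/esr78"})
    print("stable versions needing a fix:", pending or "none")
```

With the slot 0/esr78 marked as unaffected the result is empty, which is the "nothing to stabilize" conclusion of the closing comment.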