The current stable version of Firefox in the portage tree is vulnerable to CVE-2015-4498: https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/ Reproducible: Always Steps to Reproduce: 1. On a system configured for stable packages only with Firefox installed, you will have www-client/firefox-38.2.0 Expected Results: 38.2.1 should be stabilized.
There is another security flaw that is more serious (listed as critical) that these same versions of Firefox fix: CVE-2015-4497: Use-after-free when resizing canvas element during restyling https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/ Should I adjust this bug's CVE Alias and name to reflect the more serious of the two vulnerabilities since they both have the same fix (update to 38.2.1 and 40.0.3), or is this note sufficient, or should I file another bug about the other CVE? Sorry, I'm not very familiar with the Gentoo policies about this. Should we raise the importance on the bug to reflect the severity of the other issue?
*** Bug 559090 has been marked as a duplicate of this bug. ***
firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now. ATs, Please stabilize 38.2.1 at your leisure. www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86" www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"
Err, sorry -- s/38.2.0/38.2.1/ (In reply to Ian Stakenvicius from comment #3) > firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now. > > ATs, Please stabilize 38.2.1 at your leisure. > > > www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86" > > www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86" Err, sorry -- s/38.2.0/38.2.1/
amd64 stable
x86 stable
Stable for HPPA PPC64.
38.3.0 was done in 561246
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06 by GLSA coordinator Yury German (BlueKnight).