Bug 808929 - www-client/firefox-91.0.1: security stabilization
Summary: www-client/firefox-91.0.1: security stabilization
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Mozilla Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 808927
Reported: 2021-08-18 20:02 UTC by John Helmert III
Modified: 2021-08-19 12:03 UTC

See Also:
Package list:
www-client/firefox-91.0.1 *
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-18 20:02:17 UTC
Please stabilize, thanks!
Comment 1 NATTkA bot gentoo-dev 2021-08-18 20:04:23 UTC
Sanity check failed:

> www-client/firefox-91.0.1
>   depend amd64 stable profile default/linux/amd64/17.1 (35 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   depend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   rdepend amd64 stable profile default/linux/amd64/17.1 (35 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
>   rdepend amd64 dev profile default/linux/amd64/17.1/no-multilib/systemd (1 total)
>     >=dev-libs/nspr-4.32
>     >=dev-libs/nss-3.68
Comment 2 Thomas Deutschmann gentoo-dev 2021-08-18 22:04:45 UTC
We do not stabilize non-ESR versions.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-18 23:35:22 UTC
(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR versions.

91.0.1 is an ESR release, isn't it?

https://www.mozilla.org/en-US/firefox/91.0.1esr/releasenotes/

If the vulnerability doesn't affect <91, then I suppose we don't need stabilization (since vulnerability only affected unstable versions), but is that the case?
Comment 4 Aditya Som 2021-08-19 05:41:50 UTC
(In reply to Thomas Deutschmann from comment #2)
> We do not stabilize non-ESR versions.

Firefox-91.0 is ESR, which makes it eligible for stabilization, succeeding 78.x.
Comment 5 Tee KOBAYASHI 2021-08-19 07:09:23 UTC
While 91 is now ESR, it seems that 78 ESR is still supported: https://wiki.mozilla.org/Release_Management/Calendar
Comment 6 Thomas Deutschmann gentoo-dev 2021-08-19 12:03:44 UTC
For the users:

Don't get confused by the fact that upstream currently has two products with the same version (91.x). They are different branches: ESR and non-ESR.

These branches have already started to diverge slightly. A firefox built from the 91.0.1 tarball is not identical to a firefox 91.0.1 built from the ESR tarball, and would in addition receive different runtime settings from Mozilla's Normandy service if used.

While upstream has released a new ESR branch (91.x) this month, we do not have this version in the Gentoo repository yet.

In the Gentoo repository we currently have:

> $ eshowkw www-client/firefox
> Keywords for www-client/firefox:
>           |                             |   u         |
>           | a   a     p s   a   r       |   n         |
>           | m   r h   p p   l i i m m s | e u s       | r
>           | d a m p p c a x p a s 6 i 3 | a s l       | e
>           | 6 r 6 p p 6 r 8 h 6 c 8 p 9 | p e o       | p
>           | 4 m 4 a c 4 c 6 a 4 v k s 0 | i d t       | o
> ----------+-----------------------------+-------------+-------
>   78.12.0 | + o + o o ~ o + o o o o o o | 7 # 0/esr78 | gentoo
>   78.13.0 | + o + o o ~ o + o o o o o o | 7 o         | gentoo
> ----------+-----------------------------+-------------+-------
> [I]90.0.2 | ~ o ~ o o ~ o ~ o o o o o o | 7 o 0/90    | gentoo
> ----------+-----------------------------+-------------+-------
>      91.0 | ~ o ~ o o ~ o ~ o o o o o o | 7 # 0/91    | gentoo
>    91.0.1 | ~ o ~ o o ~ o ~ o o o o o o | 7 o         | gentoo

BTW: 78.x ESR is still supported for the next two months.

Regarding this security bug: CVE-2021-29991 concerns a vulnerability in the HTTP/3 implementation, _which is not present_ in the 0/esr78 slot, and that slot is the only stable www-client/firefox version in the Gentoo repository.

So I am closing this again as INVALID because there is nothing for us to stabilize here (i.e. an invalid request), which is reflected by the bug state "INVALID". :)