Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 813498 (CVE-2021-38491) - <www-client/firefox-{78.15.0,93.0} <www-client/firefox-bin-{78.15.0,93.0}: multiple vulnerabilities
Summary: <www-client/firefox-{78.15.0,93.0} <www-client/firefox-bin-{78.15.0,93.0}: m...
Alias: CVE-2021-38491
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa?]
Depends on: 814605
Blocks: CVE-2021-38493, CVE-2021-38495
  Show dependency tree
Reported: 2021-09-17 22:02 UTC by John Helmert III
Modified: 2021-12-13 06:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Aditya Som 2021-09-24 08:20:28 UTC
What is happening? Why is this CVE not tended to after so long? I don't understand why Firefox is treated as a second class citizen when it comes to CVE related stabilization in Gentoo. Also, the 91.x ebuilds are not updated aligned with upstream. And it has been released for over a month, and yet is not bumped as a stable candidate along with 78.x (till it reaches EOL next month)
Comment 2 Esteve Varela Colominas 2021-09-24 13:37:25 UTC
I don't get the feeling firefox CVEs are second-class citizens when they usually take three days up to a week at worst to be stabilized. That said, CVEs are fixed with literally every new release, so it's not completely unwarranted to snooze on the hundredth batch of bugs for one time.

As for the next ESR, this happens every year - maintaining firefox ebuilds is a ton of work, and the maintainers prefer avoiding having to juggle two ESRs. So it's usually delayed until the last ESR goes EOL and/or all of the dependent packages are stabilized. Sometimes it even takes a tiny bit longer.

Please practice some patience, and consider manually unmasking the packages if the security issues really concern you.
Comment 3 John Helmert III gentoo-dev Security 2021-09-24 14:24:20 UTC
So, with security bugs we can usually wait until all fixed branches of a software are in the tree before stabilizing, but we also don't aggressively check older bugs for situations like these due to the high amount of manual checking involved/manpower/tooling etc. Maintainers usually have fixed versions in the tree quicker than this, but in this case I'll go ahead and file a stablereq for 78.14 (without moving anything around in this bug since we're still waiting on the other branch).

Sorry about this.
Comment 4 John Helmert III gentoo-dev Security 2021-10-06 18:47:10 UTC
Now need bumps to 78.15, 91.2, and 93. Holding off on assigning CVEs to this bug since Thunderbird advisories usually share CVEs and come out later.
Comment 5 Larry the Git Cow gentoo-dev 2021-10-07 11:15:25 UTC
The bug has been referenced in the following commit(s):

commit 373735ff5114385dbb5ebee7d0116bd5ab2dabce
Author:     Joonas Niilola <>
AuthorDate: 2021-10-07 11:13:18 +0000
Commit:     Joonas Niilola <>
CommitDate: 2021-10-07 11:13:18 +0000

    www-client/firefox-bin: security cleanup
    Signed-off-by: Joonas Niilola <>

 www-client/firefox-bin/Manifest                   | 582 ----------------------
 www-client/firefox-bin/firefox-bin-78.13.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-78.14.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-91.0.1.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-91.0.2.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-92.0-r1.ebuild | 383 --------------
 www-client/firefox-bin/firefox-bin-92.0.1.ebuild  | 383 --------------
 7 files changed, 2952 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2021-10-09 07:10:06 UTC
The bug has been referenced in the following commit(s):

commit 18170dab3692674737a3643bb2f7907321272291
Author:     Joonas Niilola <>
AuthorDate: 2021-10-09 07:09:08 +0000
Commit:     Joonas Niilola <>
CommitDate: 2021-10-09 07:09:59 +0000

    www-client/firefox: security cleanup
    Signed-off-by: Joonas Niilola <>

 www-client/firefox/Manifest               |  589 --------------
 www-client/firefox/firefox-78.13.0.ebuild | 1187 -----------------------------
 www-client/firefox/firefox-78.14.0.ebuild | 1187 -----------------------------
 www-client/firefox/firefox-91.0.1.ebuild  | 1149 ----------------------------
 www-client/firefox/firefox-91.0.2.ebuild  | 1149 ----------------------------
 www-client/firefox/firefox-92.0.1.ebuild  | 1148 ----------------------------
 www-client/firefox/firefox-92.0.ebuild    | 1148 ----------------------------
 7 files changed, 7557 deletions(-)
Comment 7 Benn Snyder 2021-10-09 15:30:34 UTC
But... I specifically stayed on 0/91 so I could have a smooth upgrade path to esr91 when it arrives.  Now I would have to either

- downgrade to esr78 then back up to esr91
- upgrade to 0/93 then back down to esr91

Neither of these sounds particularly good.  Why remove 0/91 when it's going to be the next ESR?
Comment 8 Joonas Niilola gentoo-dev 2021-10-09 17:48:47 UTC
My understanding is that 91-non-ESR and 91-ESR have diverged their development paths already before release. So in that regard they should be as compatible as 93 -> 91esr will be.
Comment 9 John Helmert III gentoo-dev Security 2021-10-09 19:53:39 UTC
Thanks juippis!
Comment 10 Benn Snyder 2021-10-10 20:48:43 UTC
(In reply to Joonas Niilola from comment #8)
> My understanding is that 91-non-ESR and 91-ESR have diverged their
> development paths already before release. So in that regard they should be
> as compatible as 93 -> 91esr will be.

Thanks for the explanation - I will move to 93 until the next ESR arrives.
Comment 11 Joonas Niilola gentoo-dev 2021-12-13 06:36:18 UTC
These have been cleaned, but newer security bugs are open.