Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-26 Thread Andreas Metzler
On 2024-03-24 Samuel Henrique  wrote:
> Hello everyone,

> Given our current time_t transition happening, which means packages
> are blocked from migrating to testing for weeks, and that unstable
> updates have become harder to apply, two critical CVE fixes for
> Firefox became impossible to get through the official repositories:
[...]
> I hope this is useful to those who are not aware of the issue yet.

Good morning,

Thanks for the heads-up. For my personal use I have simply rebuilt the
sid package on trixie. However, trying to fix these kinds of issues by
rebuilding locally obviously does not scale, so I will probably upgrade to
unstable in due course.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-25 Thread Samuel Henrique
> On 24-03-2024 11:45 p.m., Samuel Henrique wrote:
> > In a recent case, the issue was addressed by performing a
> > testing-proposed-update of the package. This would allow firefox-esr to be
> > fixed on testing before the transition is over, but it would not work for those
> > installing the firefox package from unstable on a testing machine (since
> > there's no firefox package on testing, just firefox-esr).
>
> So, is the plan to deliver firefox-esr via tpu (after alignment with the
> Release Team)?

I'm not involved in the Firefox packaging so I'm cc'ing Mike Hommey, who
maintains Firefox, in case he has any plans.

Regards,


--
Samuel Henrique 



Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-25 Thread Paul Gevers

Hi Samuel,

On 24-03-2024 11:45 p.m., Samuel Henrique wrote:
> In a recent case, the issue was addressed by performing a
> testing-proposed-update of the package. This would allow firefox-esr to be
> fixed on testing before the transition is over, but it would not work for those
> installing the firefox package from unstable on a testing machine (since
> there's no firefox package on testing, just firefox-esr).

So, is the plan to deliver firefox-esr via tpu (after alignment with the
Release Team)?


Paul




Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-25 Thread Hakan Bayındır
I moved to Mozilla's official packages for the time being since I didn't 
want to downgrade to ESR for now.


Will resume with Debian's packages when the dust settles down.

On 25.03.2024 ÖÖ 8:26, Leandro Cunha wrote:
> Hi,
>
> On Mon, Mar 25, 2024 at 2:18 AM Paul Wise  wrote:
> >
> > On Sun, 2024-03-24 at 22:45 +, Samuel Henrique wrote:
> >
> > > I'm sending this to d-devel because there should be a lot of testing and
> > > unstable users on this list. If you're not running firefox 124.0.1 or
> > > firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.
> >
> > firefox-esr from bookworm-security is currently installable on trixie,
> > but there is no solution from Debian for firefox 124.0.1 yet.
> >
> > --
> > bye,
> > pabs
> >
> > https://wiki.debian.org/PaulWise
>
> I'm using it in testing, but I merged unstable packages (dependency
> resolution) to get firefox-esr and it's working fine so far.
> I'm even typing this email in firefox-esr.
>
> What left something to be desired so far and I had to downgrade was
> Chromium 123 and downgrade to 122 present in tests (trixie).
> Chromium freezes the tab the person is accessing and I don't yet have
> detailed information about the problem, but 122 works fine.





Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-24 Thread Leandro Cunha
Hi,

On Mon, Mar 25, 2024 at 2:18 AM Paul Wise  wrote:
>
> On Sun, 2024-03-24 at 22:45 +, Samuel Henrique wrote:
>
> > I'm sending this to d-devel because there should be a lot of testing and
> > unstable users on this list. If you're not running firefox 124.0.1 or
> > firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.
>
> firefox-esr from bookworm-security is currently installable on trixie,
> but there is no solution from Debian for firefox 124.0.1 yet.
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise

I'm using it in testing, but I merged unstable packages (dependency
resolution) to get firefox-esr and it's working fine so far.
I'm even typing this email in firefox-esr.

What left something to be desired so far and I had to downgrade was
Chromium 123 and downgrade to 122 present in tests (trixie).
Chromium freezes the tab the person is accessing and I don't yet have
detailed information about the problem, but 122 works fine.

-- 
Cheers,
Leandro Cunha


Re: Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-24 Thread Paul Wise
On Sun, 2024-03-24 at 22:45 +, Samuel Henrique wrote:

> I'm sending this to d-devel because there should be a lot of testing and
> unstable users on this list. If you're not running firefox 124.0.1 or
> firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.

firefox-esr from bookworm-security is currently installable on trixie,
but there is no solution from Debian for firefox 124.0.1 yet.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Debian testing/unstable users: beware of Firefox critical CVEs

2024-03-24 Thread Samuel Henrique
Hello everyone,

Given our current time_t transition happening, which means packages are blocked
from migrating to testing for weeks, and that unstable updates have become
harder to apply, two critical CVE fixes for Firefox became impossible to get
through the official repositories:
https://security-tracker.debian.org/tracker/CVE-2024-29943
https://security-tracker.debian.org/tracker/CVE-2024-29944
https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/

The most serious one, CVE-2024-29943, is said to achieve remote code execution
but it does not affect firefox-esr, only firefox.

I'm sending this to d-devel because there should be a lot of testing and
unstable users on this list. If you're not running firefox 124.0.1 or
firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.

One valid workaround seems to be installing Firefox from Mozilla's repo:
https://support.mozilla.org/en-US/kb/install-firefox-linux

It might be a good time to remember that unstable and testing are not
officially supported releases (as their name suggests), so issues like this do
happen from time to time.

In a recent case, the issue was addressed by performing a
testing-proposed-update of the package. This would allow firefox-esr to be
fixed on testing before the transition is over, but it would not work for those
installing the firefox package from unstable on a testing machine (since
there's no firefox package on testing, just firefox-esr).

I hope this is useful to those who are not aware of the issue yet.

Cheers,

--
Samuel Henrique
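The advice above boils down to one check: is the installed firefox at least 124.0.1, or the installed firefox-esr at least 115.9.1esr-1? The following script is an added example, not part of this thread or of any Debian tooling. It re-implements dpkg's version ordering in plain Python (so it runs without dpkg present) and applies it to `dpkg-query -W -f '${Package} ${Version}\n'`-style output. The sample output it parses is constructed for illustration. It also handles the edge case Paul Wise's reply raises: a bookworm-security rebuild such as 115.9.1esr-1~deb12u1 sorts *below* 115.9.1esr-1 under dpkg's rules because of the `~`, yet it ships the same fixed upstream release, so the fix check compares the upstream part of the version rather than the full string.

```python
"""Check installed Firefox packages against the fixed versions named in the
announcement (firefox 124.0.1, firefox-esr 115.9.1esr-1).

Added example; not part of the debian-devel thread. The comparison follows
dpkg's rules: epoch first, then upstream, then Debian revision; within a
fragment, '~' sorts before everything (even end of string), letters before
other characters, and digit runs compare numerically.
"""

# Fixed versions from the announcement, keyed by binary package name.
FIXED_VERSIONS = {
    "firefox": "124.0.1",
    "firefox-esr": "115.9.1esr-1",
}


def _order(ch: str) -> int:
    """dpkg's character weight: '~' < end-of-string < letters < other chars."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256 if ch else 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two upstream-or-revision strings the way dpkg does (<0, 0, >0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare as a number.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no '-' at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _cmp_fragment(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def has_fix(package: str, installed: str) -> bool:
    """True if the installed build carries the fixed upstream release.

    Only epoch and upstream are compared: 115.9.1esr-1~deb12u1 sorts below
    115.9.1esr-1 as a whole, but it contains the same upstream 115.9.1esr.
    """
    fixed_epoch, fixed_up, _ = split_version(FIXED_VERSIONS[package])
    inst_epoch, inst_up, _ = split_version(installed)
    if inst_epoch != fixed_epoch:
        return inst_epoch > fixed_epoch
    return _cmp_fragment(inst_up, fixed_up) >= 0


def audit(dpkg_lines: str) -> dict:
    """Parse 'package version' lines and report each Firefox package's status."""
    report = {}
    for line in dpkg_lines.splitlines():
        if not line.strip():
            continue
        package, version = line.split()
        if package in FIXED_VERSIONS:
            report[package] = "fixed" if has_fix(package, version) else "vulnerable"
    return report


# Constructed sample: a trixie machine with the pre-fix firefox from unstable
# and the bookworm-security firefox-esr rebuild installed alongside it.
SAMPLE_DPKG_OUTPUT = """\
firefox 124.0-1
firefox-esr 115.9.1esr-1~deb12u1
chromium 122.0-1
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {status}")
```

On a real system, feed it the output of `dpkg-query -W -f '${Package} ${Version}\n' firefox firefox-esr` instead of the constructed sample; `compare_versions` is exposed separately so the ordering rules can be checked against `dpkg --compare-versions` where dpkg is available.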