On 2015-11-14 04:56, Mark H Weaver wrote:
David Hedlund <[email protected]> writes:
On 2015-11-13 20:26, Mark H Weaver wrote:
David Hedlund <[email protected]> writes:
Has this been fixed in IceCat 38.3.0?
-------- Forwarded Message --------
From: Mark H Weaver <[email protected]>
To: bug-gnuzilla <[email protected]>
Date: Wed, 12 Aug 2015 12:48:13 -0400
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat
Since the last GNU IceCat release, there have been 12 security
advisories from Mozilla addressing 18 CVEs and associated releases of
Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
CVE-2015-4493, CVE-2015-4495
Yes, IceCat 38.3.0 should address the vulnerabilities listed above.
However, now there is another batch of security updates in upstream
Firefox 38.4.0, released on November 3, and we are still waiting for the
associated IceCat 38.4.0 update. For details, see:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
Mark
Can you please investigate this?
I'm sorry, but I don't have time. Mozilla announced that the
vulnerabilities above were fixed in Firefox ESR 38.2.0, and given our
lack of resources and the overwhelming complexity of the code, we have
no practical choice but to trust them.
Mark
That is all I need to know, thank you! I will remove this from my bug
tracker now.