Package: firefox-esr Version: 60.2.0esr-1~deb9u2 Severity: Important The recent security upgrade from 52.9.0esr-1~deb9u1 silently disabled all the xul-ext-* packages I had installed. I first noticed when ads started appearing. Checking the extensions page on the about:addons page showed no extensions enabled. I have the following installed
$ dpkg-query -W | grep xul-ext xul-ext-https-everywhere 5.2.8-1 xul-ext-ublock-origin 1.10.4+dfsg-1 xul-ext-useragentswitcher 0.7.3-3 xul-ext-y-u-no-validate 2013052407-3 On the legacy extensions page, I only saw three of the above four, all disabled because they "do not meet current Firefox standards". The ublock-origin extension was not even mentioned at all. I consider this *silent* disabling of the few browser extensions that I had explicitly installed on my system to improve my browsing experience a serious regression. It removes security improving functionality and exposes me to additional intrusions. It also makes it more cumbersome to access certain sites that insist on me logging in with IE. I'm not particularly pleased. A Breaks: for all the Debian packaged extensions that no longer "meet current Firefox standards" for the suite that is targetted by the security upgrade (stable/stretch) would have been really nice. It would have at least given me a clue before installation and I would have had a choice whether to go ahead with the upgrade or stick with a possibly vulnerable version. # I'm off now trying to find replacements. Not very happy with the # "Access to your data for all websites" (because it can access *my* # input as well) but it seems that's as good as it gets. Would like it # for there to be a permission that only requires access to the content # of the web page visited (w/o access to my input). Hope this helps, -- Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9 Support Free Software https://my.fsf.org/donate Join the Free Software Foundation https://my.fsf.org/join
