Hi,

On 09/24/2016 12:51 AM, Mike Hommey wrote:
> On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote:
>> Hi,
>>
>> 2016-09-20 23:43 GMT+02:00 Chris Lamb <la...@debian.org>:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of firefox-esr:
>>> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>>>
>>> Would you like to take care of this yourself?
>>>
>>> If yes, please follow the workflow we have defined here:
>>> https://wiki.debian.org/LTS/Development
>>>
>>> If that workflow is a burden to you, feel free to just prepare an
>>> updated source package and send it to debian-lts@lists.debian.org
>>> (via a debdiff, or with an URL pointing to the source package,
>>> or even with a pointer to your packaging repository), and the members
>>> of the LTS team will take care of the rest. Indicate clearly whether you
>>> have tested the updated package or not.
>>>
>>> If you don't want to take care of this update, it's not a problem, we
>>> will do our best with your package. Just let us know whether you would
>>> like to review and/or test the updated package before it gets released.
>>>
>>> You can also opt-out from receiving future similar emails in your
>>> answer and then the LTS Team will take care of firefox-esr updates
>>> for the LTS releases. (In case we don't get any answer for months,
>>> we may also take it as an opt-out, too.)
>>
>> I think Mike would like the LTS Team to prepare the future updates:
>>
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If
>>>> this is a burden for you, no problem, we will do our best and take care
>>>> of the rest. In this case we would like to ask you to send a short
>>>> reminder to debian-lts, so that we can prepare the announcement in a
>>>> timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>> ...
>>
>> I have added firefox-esr to lts-do-not-call and started preparing the update.
>
> Thanks.

I have prepared the update. Please see the diff to jessie-security's
version attached.

Changes:
 firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium
 .
   [ Mike Hommey ]
   * New upstream release.
   * Fixes for mfsa2016-86, also known as:
     CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274,
     CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281,
     CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257.
 .
   * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable
     on arm* because of crashes when building with GCC 6. (FTBFS)
   * debian/rules: Build with -fno-schedule-insns2 and
     -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles
     Firefox. Closes: #836533.
 .
   * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h:
     Don't include mozalloc.h from the cstdlib wrapper. bz#1245076,
     bz#1259537. Closes: #822715.
   * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS)

The binary packages for amd64 are also available for testing here:
deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

I ran browser benchmarks to stress test the package and also visited
a few sites manually.

I plan to upload the package around 21:00 UTC.

Cheers,
Balint

diff -Nru firefox-esr-45.4.0esr/debian/changelog firefox-esr-45.4.0esr/debian/changelog --- firefox-esr-45.4.0esr/debian/changelog 2016-09-21 00:29:05.000000000 +0200 +++ firefox-esr-45.4.0esr/debian/changelog 2016-09-24 01:09:02.000000000 +0200 @@ -1,5 +1,6 @@ -firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium + [ Mike Hommey ] * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, @@ -17,9 +18,9 @@ Closes: #822715. * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) - -- Mike Hommey <gland...@debian.org> Wed, 21 Sep 2016 07:09:32 +0900 + -- Balint Reczey <bal...@balintreczey.hu> Sat, 24 Sep 2016 01:08:45 +0200 -firefox-esr (45.3.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.3.0esr-1~deb7u1) oldstable-security; urgency=medium * New upstream release. * Fixes for mfsa2016-{62-65,67,70,72-73,76-80}, also known as: @@ -33,7 +34,7 @@ -- Mike Hommey <gland...@debian.org> Wed, 03 Aug 2016 06:33:48 +0900 -firefox-esr (45.2.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.2.0esr-1~deb7u1) oldstable-security; urgency=medium * New upstream release. * Fixes for mfsa2016-{49-52,56,58}, also known as: diff -Nru firefox-esr-45.4.0esr/debian/control firefox-esr-45.4.0esr/debian/control --- firefox-esr-45.4.0esr/debian/control 2016-09-21 01:52:00.000000000 +0200 +++ firefox-esr-45.4.0esr/debian/control 2016-09-24 01:09:08.000000000 +0200 @@ -5,6 +5,8 @@ Uploaders: Mike Hommey <gland...@debian.org> Build-Depends: autotools-dev, debhelper (>= 7.2.3), + gcc-4.7, + g++-4.7, autoconf2.13, libx11-dev, libxt-dev, @@ -29,8 +31,8 @@ libffi-dev, libevent-dev (>= 1.4.1), mesa-common-dev, - libgstreamer1.0-dev, - libgstreamer-plugins-base1.0-dev, + libgstreamer0.10-dev, + libgstreamer-plugins-base0.10-dev, libpulse-dev, yasm (>= 1.1), zip, 
@@ -65,8 +67,8 @@ libgssapi-krb5-2 | libkrb53, libgnomeui-0, libcanberra0 -Recommends: gstreamer1.0-libav, - gstreamer1.0-plugins-good +Recommends: gstreamer0.10-ffmpeg, + gstreamer0.10-plugins-good Conflicts: j2re1.4, pango-graphite (<< 0.9.3), iceweasel (<< 45)
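
Review bot: the top debian/changelog entry (hunk @@ -1,5 +1,6 @@) gains only a "[ Mike Hommey ]" header and a new trailer, so nothing in it records the wheezy-specific packaging differences that debian/control carries in this same diff (gcc-4.7 and g++-4.7 in Build-Depends, GStreamer 1.0 replaced by 0.10). Suggest a short section under the uploader's name listing those differences, so the entry for 45.4.0esr-1~deb7u1 documents how this security upload departs from 45.4.0esr-1~deb8u1.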
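
Review bot: "gcc-4.7," and "g++-4.7," are added to Build-Depends in debian/control (hunk @@ -5,6 +5,8 @@), but no visible part of this diff makes the build use them, and a build dependency on its own does not select the compiler. Please confirm that debian/rules points CC and CXX at the 4.7 binaries for this suite. Since the changelog refers to "debian/control*", also confirm that any control template carries the same two lines, so that a regenerated control file does not drop them.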
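
Review bot: the GStreamer switch in debian/control (Build-Depends in hunk @@ -29,8 +31,8 @@, Recommends in hunk @@ -65,8 +67,8 @@) moves media decoding to the 0.10 stack with "gstreamer0.10-ffmpeg" and "gstreamer0.10-plugins-good", which is a different code path from the jessie build this diff is taken against, and the testing described in the mail (browser benchmarks, a few sites visited manually) does not say that media playback was exercised. Suggest testing audio and video playback with the recommended plugins installed before the upload, and stating the result alongside the other test notes.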