Great, thanks! On Fri, 31 Jan 2020 at 17:36, Emilio Pozuelo Monfort <po...@debian.org> wrote:
> On 31/01/2020 08:10, Ola Lundqvist wrote: > > Hi > > > > I have added firefox-esr to dla-needed.txt file now. > > > > // Ola > > > > On Thu, 30 Jan 2020 at 01:06, Ben Hutchings <b...@decadent.org.uk> wrote: > > > >> On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote: > >>> Hi, > >>> > >>>> It seems urgent to me to correct a flaw exploited in firefox: > >>>> https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/ > >>>> > >>>> Here are the changes: > >>>> > >> > https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch > >>> > >>> AFAIK this has already been addressed in jessie via DLA-2061-1[0] > >>> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020. > >> > >> Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for > >> {stretch,buster}-security also references packages with an upstream > >> version 68.4.1esr. > >> > >> However DLA-2061-1 for jessie-security has a version of > >> 68.4.0esr-1~deb8u1. > >> > >> I think the wrong version was backported to jessie-security, leaving > >> this issue unfixed. > > Ah, looks like I prepared the update when 68.4.0 came out and I didn't > realise a > new version was released before the DSA. I'll update to 68.4.1 shortly. > > Thanks, > Emilio > -- --- Inguza Technology AB --- MSc in Information Technology ---- | o...@inguza.com o...@debian.org | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | ---------------------------------------------------------------