On 9/30/23, hede <debian...@der-he.de> wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].
At the bottom of the page of your [1] is the note

  src:firefox, src:firefox-esr and src:thunderbird use the system libvpx
  starting in bookworm and above. For older releases still needs the fixes
  in src:firefox-esr and src:thunderbird.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053182#22

  Date: Fri, 29 Sep 2023 14:58:43 +0000
  We believe that the bug you reported is fixed in the latest version of
  libvpx, which is due to be installed in the Debian FTP archive.

But I'm just guessing that the firefox security tracker page hasn't been
updated yet.

Regards
Lee

> [1] https://security-tracker.debian.org/tracker/source-package/firefox-esr
> [2] https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
>
> hede
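The practical check behind the reply is whether the installed Firefox ESR really resolves libvpx from the system (so the fix arrives through src:libvpx) or carries its own copy (so it would need a src:firefox-esr upload). The script below is an added example written for this page, not code from the thread, Debian or Mozilla. It assumes the Debian path /usr/lib/firefox-esr/libxul.so and the package name libvpx7; the fixed version is taken as a parameter because the thread does not name it, and the ldd lines it tests against are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: classify how a Firefox/Thunderbird build gets libvpx and,
# when it is the system copy, whether the installed libvpx package is at or
# above a given fixed version. Paths, package names and the sample ldd
# output are assumptions made for this example.

# Given ldd output for libxul.so, print "system" if a shared libvpx is
# linked, otherwise "bundled-or-static" (the build carries its own copy).
vpx_linkage() {
    if printf '%s\n' "$1" | grep -q 'libvpx\.so'; then
        echo system
    else
        echo bundled-or-static
    fi
}

# Run vpx_linkage against a real installation when one is present.
# Default path is the Debian firefox-esr location (assumption).
check_installed() {
    xul="${1:-/usr/lib/firefox-esr/libxul.so}"
    if [ -r "$xul" ] && command -v ldd >/dev/null 2>&1; then
        vpx_linkage "$(ldd "$xul" 2>/dev/null)"
    else
        echo unknown
    fi
}

# Compare the installed version of a libvpx binary package against the
# fixed version named in the DSA/tracker entry you are checking. The
# fixed version must be supplied by the caller; nothing here guesses it.
libvpx_status() {
    pkg="${1:-libvpx7}"
    fixed="$2"
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo unknown
        return
    fi
    inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
        echo not-installed
        return
    }
    if dpkg --compare-versions "$inst" ge "$fixed"; then
        echo "fixed ($inst)"
    else
        echo "vulnerable ($inst)"
    fi
}

# Constructed sample ldd output (not captured from any real host).
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007ffd00000000)
	libvpx.so.7 => /lib/x86_64-linux-gnu/libvpx.so.7 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'
SAMPLE_BUNDLED='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'

# Usage on a Debian host, with FIXED set to the version from the advisory:
#   sh check-vpx.sh
main_demo() {
    echo "sample (system libvpx):  $(vpx_linkage "$SAMPLE_SYSTEM")"
    echo "sample (bundled libvpx): $(vpx_linkage "$SAMPLE_BUNDLED")"
    echo "this host:               $(check_installed)"
    if [ -n "$FIXED" ]; then
        echo "libvpx7 vs $FIXED:       $(libvpx_status libvpx7 "$FIXED")"
    fi
}
```

If `check_installed` prints "system", the firefox-esr tracker entry is not where the fix lands; look at src:libvpx instead and run `libvpx_status` with the version named in the libvpx advisory. If it prints "bundled-or-static", the browser package itself has to be rebuilt, which is the situation the tracker note describes for releases older than bookworm.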