hede wrote:
> Hi,
>
> does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as an
> "open unimportant issue" for firefox-esr? Currently it is not fixed in
> bookworm and newer [1]. Mozilla itself rates it as "critical" [2].

That's fixed in Debian Bullseye. If I look into
/usr/share/doc/firefox-esr/changelog.Debian.gz, I find this entry on top:

---------------------------------------------------------------------
firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium

  * New upstream release.
  * Fix for mfsa2023-44, also known as CVE-2023-5217.
---------------------------------------------------------------------

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27