On Sat, 30 Sep 2023 17:28:29 +0200 Klaus Singvogel <deb-user...@singvogel.net> wrote:
> hede wrote: > > Hi, > > > > does anyone know why CVE-2023-5217 (critical vp8 encoder bug) is rated as > > an "open unimportant issue" for firefox-esr? Currently it is not fixed in > > bookworm and newer [1]. Mozilla itself rates it as "critical" [2]. > > That's fixed in Debian Bullseye. > If I look into /usr/share/doc/firefox-esr/changelog.Debian.gz, I find this > entry on top: > > --------------------------------------------------------------------- > firefox-esr (115.3.1esr-1~deb11u1) bullseye-security; urgency=medium > > * New upstream release. > * Fix for mfsa2023-44, also known as CVE-2023-5217. > --------------------------------------------------------------------- Yeah, fixed in Bullseye and not in Bookworm and newer, that's what I criticised. But the Wanderer and Lee already had an explanation: Firefox in Bookworm and newer uses the system library (libvpx) which has fixes applied. hede