Hi, julien lepiller <jul...@lepiller.eu> writes:
> On 2016-12-15 02:00, Mark H Weaver wrote:
>> Yesterday, Mozilla released Firefox ESR 45.6 and announced several CVEs
>> fixed by it:
>>
>> https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/
>>
>> I'm pleased to announce that Guix users of IceCat have had early access
>> to all of these fixes.
>>
>> Since November 30 (commit 9689e71d2f2b5e766415a40d5f5ab267768d217d),
>> we've had fixes for CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
>> CVE-2016-9900, CVE-2016-9904, and 4 out of 11 patches for
>> CVE-2016-9893.
>>
>> Since December 3 (commit 5bdec7d634ce0058801cd212e9e4ea56e914ca0c),
>> we've had the fixes that were later announced as CVE-2016-9901,
>> CVE-2016-9902, CVE-2016-9905, and another patch for CVE-2016-9893.
>>
>> On December 10 (commit 56c394ee4397015d6144dab002ee43fc7e32a331), I
>> cherry-picked the remaining fixes from the not-yet-released Firefox
>> ESR 45.6: CVE-2016-9895, and the final six patches for CVE-2016-9893.
>>
>> Mark
>
> Impressive, thank you!
>
> I'm a bit curious though, how did you get these patches? Were they
> already advertised as vulnerability fixes at the time you applied
> them? Were they already publicly available?

I cherry-picked them from the mozilla-esr45 mercurial repository. They
were not yet advertised as vulnerability fixes. Often they are only
labeled with a mozilla bug number, and the relevant bug reports are not
publicly accessible. However, in practice most of the bug fixes applied
to that branch are potentially exploitable.

      Mark