Re: [SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
On Mon, Mar 23, 2009 at 07:57:11PM +0200, Andrei Popescu wrote:
> On Sun,22.Mar.09, 18:35:21, wrote:
> > Hello all,
> >
> > I'm running Etch, and use Iceweasel. I'm concerned about this security advisory. It says that the Etch release notes said that the Mozilla products would have to be stopped prior to the end of the Etch support period. I don't see this.
>
> Here it is:
> http://www.debian.org/releases/oldstable/i386/release-notes/ch-information.en.html#s-mozilla-security

That, again, is just like in Lenny, where they say that, at some point in the future, security support may be dropped. They still do the security support for Lenny, but they didn't announce dropping it for Etch.

For how long have I been running a (knowingly) insecure Iceweasel? I'm glad I use a different user for it.

Doug.
Re: [SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
On Tue,24.Mar.09, 10:05:06, Douglas A. Tutty wrote:
> For how long have I been running a (knowingly) insecure Iceweasel?

It seems to me that you haven't. I searched through my archive of debian-security-announce and I don't see any other related message. Did you try searching the archives of debian-security? This subject might have come up.

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
Re: [SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
On Sun, Mar 22, 2009 at 5:35 PM, debian-security-annou...@lists.debian.org wrote:
> Did anyone hear that Iceweasel has stopped getting security updates in Etch?

The closest I could come in a few minutes of Googling was this announcement from Mozilla:
http://www.mozilla.com/en-US/firefox/all-older.html

This terminated support for Firefox 2 in mid-December 2008. This is not to say that Debian terminated support on the same date, however. I can't find any official announcement from the project stating that Firefox 2 support has ended.

--
Chris
Re: [SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
On Sun,22.Mar.09, 18:35:21, wrote:
> Hello all,
>
> I'm running Etch, and use Iceweasel. I'm concerned about this security advisory. It says that the Etch release notes said that the Mozilla products would have to be stopped prior to the end of the Etch support period. I don't see this.

Here it is:
http://www.debian.org/releases/oldstable/i386/release-notes/ch-information.en.html#s-mozilla-security

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
[SECURITY] [DSA 1751-1] New xulrunner packages fix several vulnerabilities
Hello all,

I'm running Etch, and use Iceweasel. I'm concerned about this security advisory. It says that the Etch release notes said that the Mozilla products would have to be stopped prior to the end of the Etch support period. I don't see this. In fact, the Lenny release notes only mention the possibility of the need to stop support at some time in the future; they make no mention of it having happened. I've copied in the relevant section from the release note below.

Debian Security Advisory DSA-1751-1                  secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 22, 2009                        http://www.debian.org/security/faq

Package        : xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems:

snip

For the stable distribution (lenny), these problems have been fixed in version 1.9.0.7-0lenny1.

As indicated in the Etch release notes, security support for the Mozilla products in the oldstable distribution needed to be stopped before the end of the regular Etch security maintenance life cycle. You are strongly encouraged to upgrade to stable or switch to a still supported browser.

For the unstable distribution (sid), these problems have been fixed in version 1.9.0.7-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions

snip

---

Here's the Lenny release note section:

5.6. Security status of Mozilla products

The Mozilla programs firefox, thunderbird, and sunbird (rebranded in Debian to iceweasel, icedove, and iceowl, respectively), are important tools for many users. Unfortunately the upstream security policy is to urge users to update to new upstream versions, which conflicts with Debian's policy of not shipping large functional changes in security updates. We cannot predict it today, but during the lifetime of lenny the Debian Security Team may come to a point where supporting Mozilla products is no longer feasible and announce the end of security support for Mozilla products. You should take this into account when deploying Mozilla and consider alternatives available in Debian if the absence of security support would pose a problem for you.

iceape, the unbranded version of the seamonkey internet suite has been removed from lenny (with the exception of a few internal library packages).

Did anyone hear that Iceweasel has stopped getting security updates in Etch?

Doug.