[Bug-gnuzilla] Unpatched security flaws in IceCat
From: Mark H Weaver
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat
Date: Wed, 12 Aug 2015 12:48:13 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Since the last GNU IceCat release, there have been 12 security
advisories from Mozilla addressing 18 CVEs and associated releases of
Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
CVE-2015-4493, CVE-2015-4495

There have been no new releases on the ESR 31 branch, so I guess that
Mozilla is no longer supporting it, or at least not in a timely fashion.

We are therefore in urgent need of either:

1. GNU IceCat 38.2.
2. Backports of these fixes to GNU IceCat 31.8.

I've already backported the fix for CVE-2015-4495, which was included in
Firefox ESR 38.1.1, here:

http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-CVE-2015-4495.patch

Now I'm faced with the prospect of backporting a large pile of fixes,
several of which are labelled "critical", from Firefox 38 to 31, or else
running a browser with published remote execution vulnerabilities for
some unknown number of days. This is not good.

So, when can we expect GNU IceCat 38.2 to be released?

Mark