• Debian testing/unstable users: beware of Firefox critical CVEs

    From Samuel Henrique@21:1/5 to All on Mon Mar 25 00:10:01 2024
    Hello everyone,

    Given our current time_t transition happening, which means packages are blocked from migrating to testing for weeks, and that unstable updates have become harder to apply, two critical CVE fixes for Firefox became impossible to get through the official repositories:
    https://security-tracker.debian.org/tracker/CVE-2024-29943
    https://security-tracker.debian.org/tracker/CVE-2024-29944
    https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/

    The most serious one, CVE-2024-29943, is said to achieve remote code execution but it does not affect firefox-esr, only firefox.

    I'm sending this to d-devel because there should be a lot of testing and unstable users on this list. If you're not running firefox 124.0.1 or firefox-esr 115.9.1esr-1, you should find a way of upgrading to those versions.

    One valid workaround seems to be installing Firefox from Mozilla's repo: https://support.mozilla.org/en-US/kb/install-firefox-linux

    It might be a good time to remember that unstable and testing are not officially supported releases (as their name suggests), so issues like this do happen from time to time.

    In a recent case, the issue was addressed by performing a testing-proposed-update of the package. This would allow firefox-esr to be fixed on testing before the transition is over, but it would not work for those installing the firefox package from unstable on a testing machine (since there's no firefox package on testing, just firefox-esr).

    I hope this is useful to those who are not aware of the issue yet.

    Cheers,

    --
    Samuel Henrique <samueloph>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Gevers@21:1/5 to Samuel Henrique on Mon Mar 25 19:50:01 2024
    To: debian-devel@lists.debian.org

    Hi Samuel,

    On 24-03-2024 11:45 p.m., Samuel Henrique wrote:
    > In a recent case, the issue was addressed by performing a
    > testing-proposed-update of the package. This would allow firefox-esr to be
    > fixed on testing before the transition is over, but it would not work for those
    > installing the firefox package from unstable on a testing machine (since
    > there's no firefox package on testing, just firefox-esr).

    So, is the plan to deliver firefox-esr via tpu (after alignment with the
    Release Team)?

    Paul


  • From Samuel Henrique@21:1/5 to All on Tue Mar 26 01:20:01 2024
    On 24-03-2024 11:45 p.m., Samuel Henrique wrote:
    In a recent case, the issue was addressed by performing a testing-proposed-update of the package. This would allow firefox-esr to be fixed on testing before the transition is over, but it would not work for those installing the firefox package from unstable on a testing machine (since there's no firefox package on testing, just firefox-esr).

    So, is the plan to deliver firefox-esr via tpu (after alignment with the Release Team)?

    I'm not involved in the Firefox packaging so I'm cc'ing Mike Hommey, who maintains Firefox, in case he has any plans.

    Regards,


    --
    Samuel Henrique <samueloph>

  • From Andreas Metzler@21:1/5 to samueloph@debian.org on Tue Mar 26 07:50:01 2024
    On 2024-03-24 Samuel Henrique <samueloph@debian.org> wrote:
    Hello everyone,

    Given our current time_t transition happening, which means packages
    are blocked from migrating to testing for weeks, and that unstable
    updates have become harder to apply, two critical CVE fixes for
    Firefox became impossible to get it through the official repositories:
    [...]
    I hope this is useful to those who are not aware of the issue yet.

    Good morning,

    Thanks for the heads-up. For my personal use I have simply rebuilt the
    sid package on trixie. However, trying to fix these kinds of issues by
    rebuilding locally obviously does not scale; I will probably upgrade to unstable in due course.

    cu Andreas
    --
    `What a good friend you are to him, Dr. Maturin. His other friends are
    so grateful to you.'
    `I sew his ears on from time to time, sure'
