Hi

I have added firefox-esr to dla-needed.txt file now.

// Ola

On Thu, 30 Jan 2020 at 01:06, Ben Hutchings <b...@decadent.org.uk> wrote:

> On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote:
> > Hi,
> >
> > > It seems urgent to me to correct a flaw exploited in firefox:
> > > https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
> > >
> > > Here are the changes:
> > > https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch
> >
> > AFAIK this has already been addressed in jessie via DLA-2061-1[0]
> > (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020.
>
> Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for
> {stretch,buster}-security also references packages with an upstream
> version 68.4.1esr.
>
> However DLA-2061-1 for jessie-security has a version of
> 68.4.0esr-1~deb8u1.
>
> I think the wrong version was backported to jessie-security, leaving
> this issue unfixed.
>
> Ben.
>
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-17026
>
> --
> Ben Hutchings
> For every complex problem
> there is a solution that is simple, neat, and wrong.

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------