On 31/01/2020 08:10, Ola Lundqvist wrote: > Hi > > I have added firefox-esr to dla-needed.txt file now. > > // Ola > > On Thu, 30 Jan 2020 at 01:06, Ben Hutchings <b...@decadent.org.uk> wrote: > >> On Sun, 2020-01-26 at 16:17 +0100, Hugo Lefeuvre wrote: >>> Hi, >>> >>>> It seems urgent to me to correct a flaw exploited in firefox: >>>> https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/ >>>> >>>> Here are the changes: >>>> >> https://raw.githubusercontent.com/HacKurx/public-sharing/master/firefox-68.4.0-1_js_src_jit_MIR.h.patch >>> >>> AFAIK this has already been addressed in jessie via DLA-2061-1[0] >>> (firefox-esr) and DLA-2071-1 (thunderbird) on Jan, 09 2020. >> >> Upstream says this was fixed in 68.4.1esr, and DSA-4600-1 for >> {stretch,buster}-security also references packages with an upstream >> version 68.4.1esr. >> >> However DLA-2061-1 for jessie-security has a version of >> 68.4.0esr-1~deb8u1. >> >> I think the wrong version was backported to jessie-security, leaving >> this issue unfixed.
Ah, looks like I prepared the update when 68.4.0 came out and I didn't realise a new version was released before the DSA. I'll update to 68.4.1 shortly. Thanks, Emilio
