Disclaimer, I'm not a security expert, but a couple of thoughts:

We have rewritten 52.x code in Rust, and we have removed features. If there are security vulnerabilities in the 52.x versions of that code, nobody is going to tell Mozilla. In that sense, it's unlikely that Mozilla will ever have the list of known vulnerabilities in your patched 52.x code base.

Some security fixes we made might be executed by writing components in Rust. Just assuming that Rust and the modern compiler toolchain it requires is part of your problem, you won't be able to port these fixes.

My personal take is that you may be able to apply a lot of the patches that have CVEs, but that's likely not going to get you a code base that is similarly secure as the one we're working on.

Axel

On 13.04.19 at 00:43, Charles Robertson wrote:
Hi,

I know this sounds like a strange question. However, we have a very large 
customer who is using our old OS, for which the last successful build of Firefox ESR 
was 52.9. But because of the massive updates to FF 60 we have been unable to 
get FF 60+ to build on that old OS. This customer has demanded we provide an 
updated Firefox for this old OS so I am asking if it would be possible to patch 
FF 52.9esr with the security updates since 60 was released?

Thanks,
Cheers
   Charles Robertson
   Firefox Maintainer - SUSE



_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
