Has this been fixed in IceCat 38.3.0?
-------- Forwarded Message --------
From: Mark H Weaver <[email protected]>
To: bug-gnuzilla <[email protected]>
Date: Wed, 12 Aug 2015 12:48:13 -0400
In-Reply-To: <1436846949.21008.3.camel@thinkpad> ("Rubén Rodríguez"'s
message of "Mon, 13 Jul 2015 23:09:09 -0500")
Subject: [Bug-gnuzilla] Unpatched security flaws in IceCat

Since the last GNU IceCat release, there have been 12 security
advisories from Mozilla addressing 18 CVEs and associated releases of
Firefox ESR 38.1.1 (on August 6) and ESR 38.2 (yesterday).

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

CVE-2015-4473, CVE-2015-4474, CVE-2015-4475, CVE-2015-4478,
CVE-2015-4479, CVE-2015-4480, CVE-2015-4481, CVE-2015-4482,
CVE-2015-4484, CVE-2015-4485, CVE-2015-4486, CVE-2015-4487,
CVE-2015-4488, CVE-2015-4489, CVE-2015-4491, CVE-2015-4492,
CVE-2015-4493, CVE-2015-4495

There have been no new releases on the ESR 31 branch, so I guess that
Mozilla is no longer supporting it, or at least not in a timely fashion.

We are therefore in urgent need of either:

1. GNU IceCat 38.2.
2. Backports of these fixes to GNU IceCat 31.8.

I've already backported the fix for CVE-2015-4495, which was included in
Firefox ESR 38.1.1, here:

http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/patches/icecat-CVE-2015-4495.patch

Now I'm faced with the prospect of backporting a large pile of fixes,
several of which are labelled "critical", from Firefox 38 to 31, or else
running a browser with published remote execution vulnerabilities for
some unknown number of days. This is not good.

So, when can we expect GNU IceCat 38.2 to be released?

Mark
--
http://gnuzilla.gnu.org