Package: firefox-esr
Version: 60.2.2esr-1~deb9u1
Severity: critical
Tags: upstream
Justification: causes serious data loss

Dear Maintainer,

The recent update of firefox-esr from ESR v52.9.0 to ESR v60.2.2 leads to loss of user certificates (technically, to the loss of the private key) along with saved passwords.

The issue appears to be related to the use of a master password along with the migration from key3.db to key4.db for private key storage.

The first time firefox v60 starts (using a v52 profile) all certificates are properly preserved along with the use of a master password (as reported in about:preferences#privacy). However, closing that firefox instance and opening it again reports that the use of a master password is disabled. Private keys for user certificates and saved passwords are permanently lost at that point.

Workaround:

1- Before starting firefox-esr v60, create a backup of your profile information at ~/.mozilla/firefox.
2- Start firefox-esr v60 for the first time.
3- Change master password.
4- Close firefox-esr v60.

Unfortunately, users having this issue may notice this workaround once it is too late and they already lost important information.

Notes:

- Does not seem to be an extension issue (firefox-esr -safe-mode does not help).
- Trying to read upgraded profile data with certutil yields messages which appear related to https://bugzilla.mozilla.org/show_bug.cgi?id=497672 :

    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.

Kind regards,
Ian Blanes

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: 9.5
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u3
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.40.5-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3+deb9u1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages firefox-esr recommends:
ii  libavcodec57  7:3.2.12-1~deb9u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern           2.004.5-3
ii  fonts-stix [otf-stix]   1.1.1-4
ii  libcanberra0            0.30-3
ii  libgssapi-krb5-2        1.15-1+deb9u1
ii  libgtk2.0-0             2.24.31-2
pn  pulseaudio              10.0-1+deb9u1

-- no debconf information
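
Added example, not part of the original report: a shell sketch of step 1 of the workaround that classifies each profile under a Firefox profile root by which key database it holds and archives the ones still on key3.db only. The function names, the state labels and the backup directory are assumptions made for illustration, as is the premise that the migration leaves key4.db next to key3.db in the profile.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names, state labels and
# the backup location are illustrative assumptions.

# Print the key-store state of one profile directory:
#   legacy   - only key3.db (assumed: v60 has not opened this profile yet)
#   migrated - key3.db and key4.db (assumed: v60 has already run on it)
#   sql-only - only key4.db
#   none     - no key database found
profile_state() {
    if [ -f "$1/key3.db" ] && [ -f "$1/key4.db" ]; then echo migrated
    elif [ -f "$1/key3.db" ]; then echo legacy
    elif [ -f "$1/key4.db" ]; then echo sql-only
    else echo none
    fi
}

# Archive every legacy profile under ROOT into DEST and print one
# "<state> <profile>" line per profile. Runs in a subshell so the umask
# change stays local. Exit status is non-zero if any archive fails.
backup_legacy_profiles() (
    root=$1 dest=$2 rc=0
    umask 077                       # archives hold private keys and logins
    mkdir -p "$dest" || exit 1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        state=$(profile_state "$dir")
        echo "$state $name"
        [ "$state" = legacy ] || continue
        archive="$dest/$name.tar.gz"
        # Create the archive, then confirm key3.db really is inside it.
        tar -C "$root" -czf "$archive" "$name" \
            && tar -tzf "$archive" | grep -qxF "$name/key3.db" \
            || { echo "backup failed: $name" >&2; rc=1; }
    done
    exit $rc
)

# Run against the profile location named in the report only when asked to.
if [ "${1:-}" = "--run" ]; then
    backup_legacy_profiles "$HOME/.mozilla/firefox" "$HOME/firefox-profile-backup"
fi
```

Profiles reported as migrated have already been opened by v60, so they are listed but not archived here.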